Hi,
Since the update from firefox-developer-edition-68.0b8-1 to firefox-developer-edition-68.0b9-1 I can't access certain websites, like reddit.com for example.
I get a "Software is Preventing Firefox Developer Edition From Safely Connecting to This Site" (DigiCert Global Root CA) (MOZILLA_PKIX_ERROR_MITM_DETECTED) error and there is no way to add an exception.
It works again when I downgrade firefox but doing that I cannot use my normal firefox profile anymore, cause the "firefox version I am trying to use is too old, please create a new profile" which I don't want to do.
Is anyone else having this problem or any idea how to fix it?
Thanks in advance.
Cheers
Last edited by sxe (2019-06-16 15:08:29)
Offline
Are you behind some kind of HTTPS proxy?
If not, is security.enterprise_roots.enabled set to true in nightly about:config?
https://wiki.mozilla.org/CA:AddRootToFirefox
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Offline
Hi Lone_Wolf, thx for the reply.
I am not behind a proxy, just a boring German home internet connection.
security.enterprise_roots.enabled is not set to true. Did Mozilla change anything in Firefox with the last update so that it would be necessary? As I said, the downgraded Firefox version works as usual. I would try it but I am not exactly sure what the implications are.
Cheers
Last edited by sxe (2019-06-13 10:14:17)
Offline
Well, not sure what exactly happened but without me doing anything it just works now.
Sorry if I have wasted your time mate.
Cheers
Offline
Not a waste, reading about that option refreshed my knowledge about the certificate system.
Please prepend [Solved] to the thread title.
Offline
I get this error from time to time. Not sure what makes them appear. Fastmail.com and https://wiki.mozilla.org/CA:AddRootToFirefox are two afflicted sites, both with "DigiCert Global Root CA", which is listed in /etc/ssl/certs/ca-certificates.crt
Offline
Yeah, it's still not gone for me either. Happens from time to time but resolves itself after a while. No idea what is happening.
Offline
I too am seeing this on a regular basis. Chrome, OpenSSL and curl all accept the cert, and I've validated it's the same one Chrome is getting via SSLabs, so I know I'm not being MITMed. Always DigiCert, happening on two different computers.
It seems like if I restart Firefox half the time I get a session where it accepts the cert, half the time it won't, so the only solution is to keep restarting Firefox until it accepts the cert then don't close it for any reason.
If anyone has thoughts on how to troubleshoot that'd be great, because I'm stumped and it's annoying the hell out of me.
Offline
Volunder, there is one change Arch makes to p11-kit / nss that I believe is distribution unique and appears to no longer be needed.
Please try rebuilding the package with the following changes:
p11-kit PKGBUILD.diff
diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index a6aef56..ed60c6e 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -11,23 +11,11 @@ license=(BSD)
depends=(glibc libtasn1 libffi systemd)
makedepends=(gtk-doc git meson)
install=p11-kit.install
-source=("git+https://github.com/p11-glue/p11-kit?signed#tag=$pkgver"
- 0001-Build-and-install-libnssckbi-p11-kit.so.patch)
-sha256sums=('SKIP'
- 'e832eece10587ac50ae42ca4515786b51e67fea0647716061e51cd94f5e058cd')
+source=("git+https://github.com/p11-glue/p11-kit?signed#tag=$pkgver")
+sha256sums=('SKIP')
validpgpkeys=('C0F67099B808FB063E2C81117BFB1108D92765AF' # Stef Walter
'462225C3B46F34879FC8496CD605848ED7E69871') # Daiki Ueno
-prepare() {
- cd p11-kit
-
- # Build and install an additional library (libnssckbi-p11-kit.so) which
- # is a copy of p11-kit-trust.so but uses the same label for root certs as
- # libnssckbi.so ("Builtin Object Token" instead of "Default Trust")
- # https://bugs.freedesktop.org/show_bug.cgi?id=66161
- patch -Np1 -i ../0001-Build-and-install-libnssckbi-p11-kit.so.patch
-}
-
build() {
arch-meson p11-kit build \
-D gtk_doc=true \
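Review bot: Removing prepare() and 0001-Build-and-install-libnssckbi-p11-kit.so.patch means this package no longer ships libnssckbi-p11-kit.so, so any package that still links to that name ends up with a dangling symlink unless it is rebuilt and installed together with this one. The deleted comment was the only explanation of why the extra library existed ("Builtin Object Token" instead of "Default Trust"); please leave a one-line comment saying why it is no longer needed and which package depends on the change. The hunk also does not touch pkgrel, so a locally rebuilt package is indistinguishable by version from the repository build; bumping it would make the test result easier to verify.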
nss PKGBUILD.diff
diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index 58fd592..3e77b8c 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -76,9 +76,6 @@ package_nss() {
cd ../lib
install -Dt "$pkgdir/usr/lib" *.so
install -Dt "$pkgdir/usr/lib" -m644 *.chk
-
- # Replace built-in trust with p11-kit connection
- ln -sf libnssckbi-p11-kit.so "$pkgdir/usr/lib/libnssckbi.so"
}
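Review bot: Dropping the ln -sf at the end of package_nss() leaves /usr/lib/libnssckbi.so as whatever the preceding install -Dt "$pkgdir/usr/lib" *.so line copied, which by the removed comment is the built-in trust rather than the p11-kit connection. If certificates added to or distrusted in the system-wide trust store should still apply to NSS clients, the link would need to point at the unpatched p11-kit trust module instead of being removed outright; either way, a comment stating which behaviour is intended would help whoever touches this next.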
Offline
This is a constant problem since the firefox 70.0-1 update a couple of days ago. Duckduckgo doesn't work at all, reddit works on and off, I have run into several other sites that don't work or work every n-th load... Please fix this guys.
Offline
dpx did you try my suggestion?
Offline
dpx did you try my suggestion?
Not yet, I will if there is nothing more official in the form of an update that brings everything back to normal. I am trying to figure out if this is something a few of us experience or everybody? I mean all of us have ff + those stock packages, right?
Edit: probably obvious, but where are arch stock package pkgbuilds located? Where do I get original p11-kit and nss pkgbuilds to be able to patch them?
Last edited by dpx (2019-10-25 18:09:52)
Offline
This is a constant problem since the firefox 70.0-1 update a couple of days ago. Duckduckgo doesn't work at all, reddit works on and off, I have run into several other sites that don't work or work every n-th load... Please fix this guys.
I'm having the exact same problem.
"DigiCert Global Root CA" is tripping firefox. Several websites stop working. If I reconnect and restart firefox, it seems to work fine. But it will inevitably break again.
Offline
I have temporarily installed firefox-developer-edition (currently it is 71.0b3-1) and everything is back to normal. Which means there is a problem with current ff 70.0-1, not with any other package.
Offline
probably obvious, but where are arch stock package pkgbuilds located? Where do I get original p11-kit and nss pkgbuilds to be able to patch them?
Offline
Faced this issue today on regular firefox. duckduckgo.com and even mozilla.org both signed by DigiCert SHA2 Secure Server CA refused to open. Inconsistent things that helped:
- about:config -> changing default security.enterprise_roots.enabled false to security.enterprise_roots.enabled true, loading the page and then setting it back to false.
- creating new firefox profile
Also, running firefox in a separate network namespace which has a tunnel device (vpn) also helped, which raises even more questions.
More info:
$ pacman -Qi ca-certificates ca-certificates-mozilla firefox p11-kit nss
Name : ca-certificates
Version : 20181109-1
Name : ca-certificates-mozilla
Version : 3.47-1
Name : firefox
Version : 70.0-1
Name : p11-kit
Version : 0.23.18.1-1
Name : nss
Version : 3.47-1
Offline
The following assumes base-devel, devtools and git are installed:
git clone git://git.archlinux.org/svntogit/packages.git --single-branch --branch "packages/p11-kit"
mv packages p11-kit
cd p11-kit/trunk
curl -o p11-kit.patch http://ix.io/201I
git apply p11-kit.patch
extra-x86_64-build
cd ../..
git clone git://git.archlinux.org/svntogit/packages.git --single-branch --branch "packages/nss"
mv packages nss
cd nss/trunk
curl -o nss.patch http://ix.io/201K
git apply nss.patch
extra-x86_64-build -- -I ../../p11-kit/trunk/p11-kit-0.23.18.1-1-x86_64.pkg.tar.xz
cd ../..
# pacman -U p11-kit/trunk/p11-kit-0.23.18.1-1-x86_64.pkg.tar.xz nss/trunk/nss-3.47-1-x86_64.pkg.tar.xz
Offline
Update: a couple of updates of firefox-developer-edition later, it now happens on both regular firefox and in developer edition. What is the proper way to raise this to the maintainers' attention? It makes any flavor of firefox pretty impossible to use. Is it possible that it is a localized problem, so the maintainers don't see it?
Offline
https://wiki.archlinux.org/index.php/Bu … guidelines although I suggest rebuilding p11-kit / nss using post #17 to see if that is the cause first.
Offline
Thanks, it seems I will have to try building those two.
Offline
extra-x86_64-build
@loqs: where does extra-x86_64-build come from? I have base-devel installed but can't find this command?
Offline
The devtools package.
Offline
slithery@red:~$ pacman -Fs extra-x86_64-build
extra/devtools 20171108-1
usr/bin/extra-x86_64-build
Offline
There are three possible configurations for nss / p11-kit
- Symlink libnssckbi.so to libnssckbi-p11-kit.so (chosen by arch, patched version of p11-kit-trust.so)
- Symlink libnssckbi.so to pkcs11/p11-kit-trust.so (unpatched upstream)
- Use libnssckbi.so from nss. You lose the advantages of the system-wide trust store provided by p11-kit and can only rely on those compiled into the library.
https://p11-glue.github.io/p11-glue/p11 … odule.html
Firefox doesn't need the patched version anymore, though: https://bugzilla.mozilla.org/show_bug.cgi?id=880269
Last edited by progandy (2019-10-31 19:16:01)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
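The three configurations listed above can be told apart by looking at what libnssckbi.so is on the installed system. The following is an added diagnostic sketch, not part of the original post or of any Arch package: the function name and output labels are made up for illustration, the default path /usr/lib/libnssckbi.so is the one used in the nss PKGBUILD hunk earlier in the thread, and it additionally reports a dangling link, which is what results if only one of the two packages is rebuilt.

```shell
#!/bin/sh
# classify_nssckbi PATH  (hypothetical helper, added for illustration)
# Prints which root-trust module NSS clients such as Firefox will load:
#   arch-patched   symlink to libnssckbi-p11-kit.so (Arch's patched copy)
#   p11-kit-trust  symlink to p11-kit-trust.so (unpatched upstream module)
#   nss-builtin    regular file, the library shipped by nss itself
#   dangling       symlink whose target does not exist
#   missing        nothing at PATH
classify_nssckbi() {
    lib=$1
    if [ -L "$lib" ]; then
        # -e follows the link, so it fails for a dangling symlink
        [ -e "$lib" ] || { echo dangling; return 0; }
        # Immediate link target only; its file name identifies the module
        target=$(readlink "$lib")
        case ${target##*/} in
            libnssckbi-p11-kit.so) echo arch-patched ;;
            p11-kit-trust.so)      echo p11-kit-trust ;;
            *)                     echo "other:${target##*/}" ;;
        esac
    elif [ -f "$lib" ]; then
        echo nss-builtin
    else
        echo missing
    fi
}

# Check the given path, or the system default when run without arguments
classify_nssckbi "${1:-/usr/lib/libnssckbi.so}"
```
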
Online
Applying the changes that @loqs recommended works for me. I also tried not applying the change to nss, because @progandy suggested that would have downsides, but it caused issues for me.
I can't confirm if there are any side effects of these changes or whether it's the right solution, but it does get Firefox working again.
Offline