Please try firefox 70.0.1-2.
Offline
I can no longer produce the issue.
Offline
Unfortunately I'll have to revert the patch; Firefox connects fine but all sites are now "insecure" and missing cert information.
Offline
So keep watching https://bugzilla.mozilla.org/show_bug.cgi?id=1593167 ?
Offline
Yes.
Offline
Well you should set up time synchronisation regardless of whether you have this issue or not, and yes certificates can definitely be sensitive to wrong/skewed clocks here.
Of course. Just so we are clear, I had NTP working and it has kept working since the beginning. The problem is that the error gets fixed when I restart that service even if the time is correct and perfectly in sync. At least that seems to be the most stable way to make the error go away. Just restarting firefox does not make it work most of the time.
Offline
I've had mixed success so far by modifying the security.pki.mitm_canary_issuer value in the about:config.
Whenever I have this issue, this value shows a status of modified with a value "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"
Resetting the value and restarting firefox has worked for me, but I haven't been able to do it enough times to know if it's a reliable fix.
Interestingly, when I reset the value and refreshed duckduckgo without resetting firefox, the value was automatically modified back to the digicert value. When I restarted firefox though, I got an additional start up page regarding a firefox account and then duckduckgo worked again. I don't know if this value is an issue or a symptom but I believe it's related to the problem in some way. I also reset my system clock somewhere in the middle of all of this testing, so it wasn't a perfect test and someone else will have to see if they can recreate this fix because adding the value back to the setting did not re-trigger the issue...
Last edited by nuunuu (2019-11-23 03:55:43)
Offline
After today's update to firefox 70.0.1-3 the problem remains. I haven't been able to properly use firefox for over a month, it is a very disturbing experience that breaks any workflow -- sites mostly fail while in approximately 20% of tries they work well, the most notable sites remain duckduckgo and reddit.
Offline
So keep watching https://bugzilla.mozilla.org/show_bug.cgi?id=1593167 ?
Funny that I have to watch it but not using firefox. When I go there I get:
Software is Preventing Firefox From Safely Connecting to This Site
bugzilla.mozilla.org is most likely a safe site, but a secure connection could not be established. This issue is caused by DigiCert Global Root CA, which is either software on your computer or your network.
What can you do about it?
bugzilla.mozilla.org has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
If your antivirus software includes a feature that scans encrypted connections (often called “web scanning” or “https scanning”), you can disable that feature. If that doesn’t work, you can remove and reinstall the antivirus software.
If you are on a corporate network, you can contact your IT department.
If you are not familiar with DigiCert Global Root CA, then this could be an attack, and there is nothing you can do to access the site.
Offline
Check Preferences > Privacy & Security > Certificates
Is the option "Query OCSP responder servers to confirm the current validity of certificates" activated ?
I have it enabled since forever and never encountered this issue.
If you people have it de-activated, does activating it help ?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Offline
Check Preferences > Privacy & Security > Certificates
Is the option "Query OCSP responder servers to confirm the current validity of certificates" activated ?
I have it enabled since forever and never encountered this issue.
If you people have it de-activated, does activating it help ?
It is activated on my ff and never deactivated, doesn't help.
Offline
Check Preferences > Privacy & Security > Certificates
Is the option "Query OCSP responder servers to confirm the current validity of certificates" activated ?
This was activated on mine as well.
I discovered this morning that the problem happened again and found that security.pki.mitm_canary_issuer had again been marked as modified and set to the digicert value. I reset that key and restarted firefox and the issue stopped again. I wonder if this is an issue related to some of the new browser syncing functionality added to firefox. If the value was supposed to be digicert, it should be marked as a default value in the settings, not as modified.
Offline
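A way to check for the state described in the posts above without opening about:config, as an added example that is not part of the thread: it reads each profile's prefs.js and reports whether security.pki.mitm_canary_issuer has a recorded value. It assumes the "modified" value is persisted as a user_pref line in prefs.js under ~/.mozilla/firefox; the function names and the sample text are constructed for illustration.

```python
import json
import re
from pathlib import Path

PREF = "security.pki.mitm_canary_issuer"
# prefs.js stores one non-default preference per line: user_pref("name", value);
_LINE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$')


def read_user_prefs(text):
    """Parse prefs.js text into a dict of preference name -> Python value."""
    prefs = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything unrecognised
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # strings, integers, true/false
        except ValueError:
            prefs[name] = raw  # keep the raw text rather than guess
    return prefs


def canary_issuer(text):
    """Return the recorded issuer string, or None if the pref is at its default."""
    value = read_user_prefs(text).get(PREF)
    return value if isinstance(value, str) and value else None


def scan_profiles(root=Path.home() / ".mozilla" / "firefox"):
    """Map each profile directory name to its recorded canary issuer (or None)."""
    results = {}
    for prefs in sorted(root.glob("*/prefs.js")):
        results[prefs.parent.name] = canary_issuer(prefs.read_text(errors="replace"))
    return results


# Constructed sample; the issuer string is the value quoted in the thread.
SAMPLE = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.pki.mitm_canary_issuer", "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US");
user_pref("security.OCSP.enabled", 1);
'''

if __name__ == "__main__":
    print("sample:", canary_issuer(SAMPLE))
    for profile, issuer in scan_profiles().items():
        print(profile, "->", issuer or "not set")
```

The script only reads prefs.js, so it can be run before and after a Firefox restart to see when the value reappears.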
I get this intermittently for Duckduckgo and Imgur (probably many others). To summarize the thread so far, nothing works except accepting a new CA, right? Was there a standardized Arch way to do that?
Offline
This answer on the Mozilla Support Forum solved the issue for me:
https://support.mozilla.org/en-US/questions/1136120
Offline
Firefox Preferences -> Security -> Certificate Manager -> DigiCert SHA2 Secure Server CA -> Edit Trust -> Enabled 'This certificate can identify websites.'
The above fixed the problem for me in FF 70.0.1-3. This problem started for me November 8th. Duckduckgo, Reddit and Slack sometimes didn't work, but they do now.
Offline
Please try nss 3.47.1-2 from [testing].
Offline
Please try nss 3.47.1-2 from [testing].
I can not reproduce the issue using nss 3.47.1-2.
Edit:
@heftig if you have time could you please look at https://bugs.archlinux.org/task/64625 thanks
Last edited by loqs (2019-11-30 04:33:38)
Offline
When I enable testing and community-testing repos, can I only update nss and keep other regular packages around? My firefox would be the golden standard test for this issue (it has happened regularly for the last couple of months) but since it is my work machine I can't afford any breakage. I am able to test this weekend in detail, just worried about other packages. Suggestions?
Offline
Please retest nss 3.47.1-3, which contains the (hopefully) final revision of the bugfix, a much simpler patch.
When I enable testing and community-testing repos, can I only update nss and keep other regular packages around? My firefox would be the golden standard test for this issue (it has happened regularly for the last couple of months) but since it is my work machine I can't afford any breakage. I am able to test this weekend in detail, just worried about other packages. Suggestions?
You can do something like this:
[testing]
Include = /etc/pacman.d/mirrorlist
Usage = Sync
[community-testing]
Include = /etc/pacman.d/mirrorlist
Usage = Sync
[multilib-testing]
Include = /etc/pacman.d/mirrorlist
Usage = Sync
This will download the databases but not use them for -S unless explicitly specified: pacman -S testing/nss
Of course, installing a package this way is considered a "partial upgrade" so the usual warning about "if you do this, don't come and complain if things break" applies.
Last edited by heftig (2019-12-03 14:19:54)
Offline
nss 3.47.1-4 same result as nss 3.47.1-2 so the simpler patch also resolves the issue.
Offline
Thanks heftig, it seems to work. I can't be 100% sure since sometimes it takes time to misfire but it seems good for now.
Offline