You are not logged in.

#51 2019-11-21 23:01:46

heftig
Developer
From: Germany
Registered: 2010-04-19
Posts: 159

Re: [Solved] firefox-developer-edition blocks certain webseites

Please try firefox 70.0.1-2.

Offline

#52 2019-11-22 09:03:02

loqs
Member
Registered: 2014-03-06
Posts: 17,194

Re: [Solved] firefox-developer-edition blocks certain webseites

I can no longer produce the issue.

Offline

#53 2019-11-22 10:05:29

heftig
Developer
From: Germany
Registered: 2010-04-19
Posts: 159

Re: [Solved] firefox-developer-edition blocks certain webseites

Unfortunately I'll have to revert the patch; Firefox connects fine but all sites are now "insecure" and missing cert information.

Offline

#54 2019-11-22 10:12:24

loqs
Member
Registered: 2014-03-06
Posts: 17,194

Re: [Solved] firefox-developer-edition blocks certain webseites

Offline

#55 2019-11-22 10:12:34

heftig
Developer
From: Germany
Registered: 2010-04-19
Posts: 159

Re: [Solved] firefox-developer-edition blocks certain webseites

Yes.

Offline

#56 2019-11-22 19:09:19

Diaz
Member
From: Portugal
Registered: 2008-04-16
Posts: 366

Re: [Solved] firefox-developer-edition blocks certain webseites

V1del wrote:

Well you should setup time synchronisation regardless of whether you have this issue or not, and yes certificates can definitely be sensitive to wrong/skewed clocks here.

Of course. Just so we are clear, I had NTP working and is kept working since the beginning. The problem is that the error gets fixed when I restart that service even if the time is correctly and perfectly in sync. At least seems to be the most stable way to make the error go away. Just restart firefox does not make it work most of the time.

Offline

#57 2019-11-23 03:54:17

nuunuu
Member
Registered: 2019-11-23
Posts: 2

Re: [Solved] firefox-developer-edition blocks certain webseites

I've had mixed success so far by modifying the security.pki.mitm_canary_issuer value in the about:config.

Whenever I have this issue, this value shows a status of modified with a value "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"

Resetting the value and restarting firefox has worked for me, but I haven't been able to do it enough times to know if it's a reliable fix.

Interestingly, when I reset the value and refreshed duckduckgo without resetting firefox, the value was automatically modified back to the digicert value. When I restarted firefox though, I got an additional start up page regarding a firefox account and then duckduckgo worked again. I don't know if this value is an issue or a symptom but I believe it's related to a the problem in some way. I also reset my system clock somewhere in the middle of all of this testing, so it wasn't a perfect test and someone else will have to see if they can recreate this fix because adding the value back to the setting did not re-trigger the issue...

Last edited by nuunuu (2019-11-23 03:55:43)

Offline

#58 2019-11-23 09:40:18

dpx
Member
Registered: 2017-01-09
Posts: 48

Re: [Solved] firefox-developer-edition blocks certain webseites

After today's update to firefox 70.0.1-3 problem remains. I can't properly use firefox for over a month, it is very disturbing experience that breaks any workflow -- sites mostly fail while in approximately 20% of tries they work well, most notable sites remain to be duckduckgo and reddit.

Offline

#59 2019-11-23 09:43:17

dpx
Member
Registered: 2017-01-09
Posts: 48

Re: [Solved] firefox-developer-edition blocks certain webseites

Funny that I have to watch it but not using firefox. When I go there I get:

Software is Preventing Firefox From Safely Connecting to This Site

bugzilla.mozilla.org is most likely a safe site, but a secure connection could not be established. This issue is caused by DigiCert Global Root CA, which is either software on your computer or your network.

What can you do about it?

bugzilla.mozilla.org has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

    If your antivirus software includes a feature that scans encrypted connections (often called “web scanning” or “https scanning”), you can disable that feature. If that doesn’t work, you can remove and reinstall the antivirus software.
    If you are on a corporate network, you can contact your IT department.
    If you are not familiar with DigiCert Global Root CA, then this could be an attack, and there is nothing you can do to access the site.

Offline

#60 2019-11-23 14:03:59

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: [Solved] firefox-developer-edition blocks certain webseites

Check Preferences > Privacy & Secuirty > Certficates
Is the option "Query OCSP responder servers to confirm the current validity of certificates" activated ?

I have it enabled since forever and never encountered this issue.
If you people have it de-activated, does activating it help ?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#61 2019-11-23 14:48:41

dpx
Member
Registered: 2017-01-09
Posts: 48

Re: [Solved] firefox-developer-edition blocks certain webseites

Lone_Wolf wrote:

Check Preferences > Privacy & Secuirty > Certficates
Is the option "Query OCSP responder servers to confirm the current validity of certificates" activated ?

I have it enabled since forever and never encountered this issue.
If you people have it de-activated, does activating it help ?

It is activated on my ff and never deactivated, doesn't help.

Offline

#62 2019-11-23 15:42:56

nuunuu
Member
Registered: 2019-11-23
Posts: 2

Re: [Solved] firefox-developer-edition blocks certain webseites

Lone_Wolf wrote:

Check Preferences > Privacy & Secuirty > Certficates
Is the option "Query OCSP responder servers to confirm the current validity of certificates" activated ?

This was activated on mine as well.

I discovered this morning that the problem happened again and found that security.pki.mitm_canary_issuer had again been marked as modified and set to the digicert value. I reset that key and restarted firefox and the issue stopped again. I wonder if this is an issue related to some of the new browser syncing functionality added to firefox. If the value was supposed to be digicert, it should marked as a default value in the settings, not as modified.

Offline

#63 2019-11-23 21:41:38

Physicist1616
Member
Registered: 2015-02-16
Posts: 32

Re: [Solved] firefox-developer-edition blocks certain webseites

I get this intermittently for Duckduckgo and Imgur (probably many others).  To summarize the thread so far, nothing works except accepting a new CA, right?  Was there a standardized Arch way to do that?

Offline

#64 2019-11-27 11:21:30

Lancero
Member
Registered: 2019-11-27
Posts: 1

Re: [Solved] firefox-developer-edition blocks certain webseites

This answer on the Mozilla Support Forum solved the issue for me:
https://support.mozilla.org/en-US/questions/1136120

Offline

#65 2019-11-28 07:39:46

4k1
Member
Registered: 2018-06-06
Posts: 6

Re: [Solved] firefox-developer-edition blocks certain webseites

Firefox Preferences -> Security -> Certificate Manager -> DigiCert SHA2 Secure Server CA -> Edit Trust -> Enabled 'This certificate can identify websites.'

The above fixed the problem for me in FF 70.0.1-3. This problem started for me November 8th. Duckduckgo, Reddit and Slack sometimes didn't work, but they do now.

Offline

#66 2019-11-29 09:11:55

heftig
Developer
From: Germany
Registered: 2010-04-19
Posts: 159

Re: [Solved] firefox-developer-edition blocks certain webseites

Please try nss 3.47.1-2 from [testing].

Offline

#67 2019-11-29 21:34:43

loqs
Member
Registered: 2014-03-06
Posts: 17,194

Re: [Solved] firefox-developer-edition blocks certain webseites

heftig wrote:

Please try nss 3.47.1-2 from [testing].

I can not reproduce the issue using nss 3.47.1-2.
Edit:
@heftig if you have time could you please look at https://bugs.archlinux.org/task/64625 thanks

Last edited by loqs (2019-11-30 04:33:38)

Offline

#68 2019-11-30 09:07:47

dpx
Member
Registered: 2017-01-09
Posts: 48

Re: [Solved] firefox-developer-edition blocks certain webseites

When I enable testing and community-testing repos, can I only update nss and keep other regular packages around? My firefox would be golden standard test for this issue (it happens regularly for last couple of months) but since it is my work machine I can't afford any breakage. I am able to test this weekend in detail just worried about other packages. Suggestions?

Offline

#69 2019-12-03 14:19:10

heftig
Developer
From: Germany
Registered: 2010-04-19
Posts: 159

Re: [Solved] firefox-developer-edition blocks certain webseites

Please retest nss 3.47.1-3, which contains the (hopefully) final revision of the bugfix, a much simpler patch.



dpx wrote:

When I enable testing and community-testing repos, can I only update nss and keep other regular packages around? My firefox would be golden standard test for this issue (it happens regularly for last couple of months) but since it is my work machine I can't afford any breakage. I am able to test this weekend in detail just worried about other packages. Suggestions?

You can do something like this:

[testing]
Include = /etc/pacman.d/mirrorlist
Usage = Sync

[community-testing]
Include = /etc/pacman.d/mirrorlist
Usage = Sync

[multilib-testing]
Include = /etc/pacman.d/mirrorlist
Usage = Sync

This will download the databases but not use them for -S unless explicitly specified: pacman -S testing/nss

Of course, installing a package this way is considered a "partial upgrade" so the usual warning about "if you do this, don't come and complain if things break" applies.

Last edited by heftig (2019-12-03 14:19:54)

Offline

#70 2019-12-03 17:53:51

loqs
Member
Registered: 2014-03-06
Posts: 17,194

Re: [Solved] firefox-developer-edition blocks certain webseites

nss 3.47.1-4 same result as nss 3.47.1-2 so the simpler patch also resolves the issue.

Offline

#71 2019-12-03 18:03:27

dpx
Member
Registered: 2017-01-09
Posts: 48

Re: [Solved] firefox-developer-edition blocks certain webseites

Thanks heftig, it seems to work. I can't be 100% sure since sometimes it takes time to misfire but it seems good for now.

Offline

Board footer

Powered by FluxBB