Adding SSL-Certificate Exception in Firefox 4
I recently installed Firefox 4 beta 11 and now cannot access certain webpages provided by my university which are using an SSL-encryption.
The error message I receive (in a popup box) is:
'''evasys.urz.uni-halle.de uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)'''
It has been a known problem that somehow Firefox does not handle the issuer chain of the certificate correctly (thats what the IT department says) and the solution up to now was to add an exception for this website in Firefox 3.x.x
This would be fine by me for Firefox 4, too, but I cannot find a way to add this exception. As soon as I dismiss the error message box by clicking "OK" nothing happens, no "This connection is untrusted"-page (http://support.mozilla.com/en-US/kb/This%20connection%20is%20untrusted#w_certificates-and-identification) is opened or anything equivalent.
Thank you in advance for any help.
Hello.
Yes, there is a problem with adding an exception button, but I found a temporary solution until Mozilla solves the problem.
First, copy a link from website you want to enter.
Then, go to: Options > Advanced > Encryption tab > View Certificates > Servers tab > Add Exception..
Now paste the link at "Location:" then click "Get Certificate" and Confirm Security Exception.
That's all.
Similar Messages
-
File Adapter FTP SSL SSL Certificate Exception
After reviewing the results of searching on this error, I do not find anything that fits my situation:
SAP File Adapter (PI 7.1) using FTP with FTPS connection security.
I am not using X.509 certificate for client authentication.
My connection is using a non-public certificate.
I have added the SSL certificate to TrustedCAs and DEFAULT keystores.
I am getting the following error:
Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error when getting an FTP connection from connection pool: com.sap.aii.af.lib.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Since I am using an non-public certificate, it will not validate. Even adding to the TrustedCAs and DEFAULT keystore it seems the configuration is still attempting to validate the certificate.
Any recommendations?Hi,
The main reasons for this error are:
1. The correct server certificate could not be present in the TrustedCA
keystore view of NWA. Please ensure you have done all the steps
described in these two URLs:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe1000000
0a1550b0/frameset.htm
2. The server certificate chain contains expired certificate. Check for
it (that was the cause for other customers as well) and if it's the case
renew it or extend the validation.
3. Some other people have reported similar problem and mainly the
problem was that the certificate chain was not in correct
order. Basically the server certificate chain should be in order
Own->Intermedite->Root. To explain in detail, if your server certificate
is A which is issued by an intermediate CA B and then B's certificate is
issued by the C which is the root CA (having a self signed certificate).
Then your certificate chain contains 3 elements A->B->C. So you need to
have the right order of certificate in the chain. If the order is B
first followed by A followed by C, then the IAIK library used by PI
cannot verify the server as trusted. Please generate the certificate in
the right order and then import this certificate in the TrustedCA
keystore view and try again. Please take this third steps as the
principal one.
Hope it solves your querie.
Regards,
Caio Cagnani -
How to script the add certificate exception in Firefox 32.0.2 ?
Hi,
I meet some issues with the Firefox certificates management. Here is my context:
- Firefox v32.0.2 on Windows 7 32 bits
- a self-signed certificate created with OpenSSL 32 bits
- Firefox and self-signed certificate have been deployed on 11000 workstations with some automated process (scripts).
The self-signed certificate is used to securize data flows with https protocol between two WebServices and different applications. There is no security problem with Internet Explorer, Safari, Chrome.
I have already deployed and installed the self-signed certificate with an Microsoft Active Directory GPO (there is an addon GPO for FireFox) and it is OK
Issue:
When the application WebService calls Firefox, a message indicates to the users that the connection can't be certified and ask them to add an exception.
the WS URL is appeared and the users must click on "Confirm security exception" (the checkbox "Conserv this exception permanently" must be checked)
It is a bit "dangerous" to let the users with these different choices and this is not very friendly.
So, I want to create a script which automates all these manipulations and deploy this script with a GPO.
Is it possible ? How can I script this certificate exception and the different choices?
Thanks a lot by advance for your help
Best regards
YanolezardThis is not the GPO approach but an alternative: [https://support.mozilla.org/en-US/questions/984237]
Other resources:
*[http://mbrownnyc.wordpress.com/2013/06/04/leverage-group-policy-to-manage-certificates-in-users-firefox-certificate-store/]
*There are also a number of admins that answer questions on their mailing list for the ESR (enterprise) version of Firefox. [https://www.mozilla.org/en-US/firefox/organizations/] -
SSL Certificate Exception everytime a connection is established
Hello guys!
I am trying to authenticate a website running SharePoint 2010. But everytime a connection is established, an SSL/TLS exception is thrown. The following is the code I am using. Any idea??
The exception is: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices.WindowsRuntime;
using Windows.Foundation;
using Windows.Foundation.Collections;
using Windows.UI.Xaml;
using Windows.UI.Xaml.Controls;
using Windows.UI.Xaml.Controls.Primitives;
using Windows.UI.Xaml.Data;
using Windows.UI.Xaml.Input;
using Windows.UI.Xaml.Media;
using Windows.UI.Xaml.Navigation;
using System.Net;
using System.Net.NetworkInformation;
using Windows.Networking.Connectivity;
using System.Net.Http;
using System.Xml.Linq;
using System.Text;
using Windows.Web.Http.Filters;
using Windows.Security.Cryptography.Certificates;
// The Blank Page item template is documented at http://go.microsoft.com/fwlink/?LinkId=234238
namespace TestApp
/// <summary>
/// An empty page that can be used on its own or navigated to within a Frame.
/// </summary>
public sealed partial class MainPage : Page
public MainPage()
this.InitializeComponent();
private static HttpWebRequest CreateWebRequest(string url, NetworkCredential credentials)
//Initialize new instance of HttpBaseProtocolFilter, which implements IHttpFilter.
string action = "http://schemas.microsoft.com/sharepoint/soap/GetWebCollection";
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
req.Credentials = credentials;
req.Headers["SOAPAction"] = action;
req.ContentType = "text/xml;charset=\"utf-8\"";
req.Accept = "text/xml";
req.Method = "POST";
return req;
static string soapEnvelope = @"<soap:Envelope xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body></soap:Body></soap:Envelope>";
//static string soapEnvelope =
// @"<?xml version=""1.0"" encoding=""utf-8""?> <soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema""
xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""> <soap:Body> <Login xmlns=""http://schemas.microsoft.com/sharepoint/soap/""> <username>{0}</username> <password>{1}</password>
</Login> </soap:Body> </soap:Envelope>";
private static XDocument CreateSoapEnvelope(string content)
StringBuilder sb = new StringBuilder(soapEnvelope);
sb.Insert(sb.ToString().IndexOf("</soap:Body>"), content);
XDocument soapEnvelopeXml = XDocument.Parse(sb.ToString());
return soapEnvelopeXml;
private static void InsertSoapEnvelopeIntoWebRequest(XDocument soapEnvelopeXml, HttpWebRequest webRequest)
webRequest.BeginGetRequestStream((IAsyncResult asynchronousResult) =>
HttpWebRequest request = (HttpWebRequest)asynchronousResult.AsyncState;
Stream postStream = request.EndGetRequestStream(asynchronousResult);
soapEnvelopeXml.Save(postStream);
//postStream.Close();
request.BeginGetResponse(new AsyncCallback(GetResponseCallback), request);
}, webRequest);
private static void GetResponseCallback(IAsyncResult asynchronousResult)
HttpWebRequest request = (HttpWebRequest)asynchronousResult.AsyncState;
HttpWebResponse response = (HttpWebResponse)request.EndGetResponse(asynchronousResult);
Stream streamResponse = response.GetResponseStream();
StreamReader streamRead = new StreamReader(streamResponse);
string responseString = streamRead.ReadToEnd();
//do whatever with the response
//streamResponse.Close();
//streamRead.Close();
//response.Close();
private void Button_Click(object sender, RoutedEventArgs e)
NetworkCredential credentials = new NetworkCredential("<user>", "<password>", "<domain>");
HttpWebRequest request = CreateWebRequest("https://the_website_I_am_trying_to_connect_to", credentials);
XDocument soapEnvelope = CreateSoapEnvelope("<GetWebCollection xmlns=\"http://schemas.microsoft.com/sharepoint/soap/\" />");
InsertSoapEnvelopeIntoWebRequest(soapEnvelope, request);
Hi,
According to your description, my understanding is that when you access a https web service, it occurs the “The underlying connection was closed. Could not establish trust relationship for the SSL/TLS secure channe” error.
To overcome this error, you need to install the certificate that is used by the web service provider in the server that will be calling the web service.
Open Microsoft Management Console (Start --> Run --> mmc.exe);
Choose File --> Add/Remove Snap-in;
In the Standalone tab, choose Add;
Choose the Certificates snap-in, and click Add;
In the wizard, choose the Computer Account, and then choose Local Computer. Press Finish to end the wizard;
Close the Add/Remove Snap-in dialog;
Navigate to Certificates (Local Computer)
Choose a store to import:
If you have the Root CA certificate for the company that issued the certificate, choose Trusted Root Certification Authorities;
If you have the certificate for the server itself, choose Other People
Right-click the store and choose All Tasks --> Import
Follow the wizard and provide the certificate file you have;
Here are some detailed articles for your reference:
http://www.c-sharpcorner.com/uploadfile/anavijai/could-not-establish-trust-relationship-for-the-ssltls-secure-channel/
http://stackoverflow.com/questions/703272/could-not-establish-trust-relationship-for-ssl-tls-secure-channel-soap
Thanks
Best Regards
Jerry Guo
TechNet Community Support
Hello Jerry,
Thank you very much for your reply.
But what about Windows Phone? I am running the same code on´WP 8.1 as a store app, and returns an exception at the same place: the GetResponseCallBack.
Any workaround? Can I run a code from the app that uses the certificate or at least installs it?
Thanks a lot. -
Can't add a certificate exception in Firefox 4.0, relevant buttons are disabled
I try to access a web site from a local network via HTTPS. The web server uses self-signed certificates, and Firefox presents a common "This connection is untrusted" window.
In version 3.x I simply clicked "Add Exception", and then "Confirm Security Exception". In Firefox 4.0, when I click "Add Exception", I see:
# "This site provides valid, verified verification. There's no need to add an exception".
# The "Permanently store this exception" checkbox and the "Confirm Security Exception" button are disabled.
I cannot access this protected site anymore. Any suggestions?There seems to be a work around to add exception.
You have to manually go to Tools -> Options -> Advanced -> View Certificates -> Servers -> Add Exception
Then the "Add Certificate Exception" window comes up. Just enter the URL at location https:// and click "Get certificate". Then "Add Security Exception".
This will allow you to access the site thereafter.
I'm not sure though why "Add Exception" button under the "I understand the rsiks" page does not work. May be a bug. -
Can't add a certificate exception in Firefox 4.0 - "add exception" button do nothing
I am opening web site with untrusted certificate. I would like to accept this certficate, so I click "Add exception" button. Unfortunately, confirmation dialog do not show up. In fact nothings happends. This problem is relevant to all websites with untrusted certificates.
Going through the preferences to add a certificate is a workaround and not intuitive to users. The Add Exceptions button used to bring up a popup in Firefox version 3.5.9 that allowed you to add an exception for the server:port in my case. Is there a way to get the Add Exception button to work in Firefox version 3.6.12, it currently does nothing which is totally confusing to the user.
-
Messaging Server: Problem Adding SSL Certificate
We have a problem importing a CA certificate into Messaging Server 7 on Solaris 10 x86.
Platform
uname -a
SunOS mail1 5.10 Generic_138889-03 i86pc i386 i86pcMessaging Server Version
imsimta version
Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 9 2008)
libimta.so 7.0-3.01 64bit (built 09:24:13, Dec 9 2008)We have created a certificate database and generated a certificate request, as follows:
msgcert generate-certDB
msgcert request-cert --name mail.domain.xxx --org "University of XXX" --org-unit ITS --city XXX --state "XXX" --country GB -F ascii -o /tmp/ssl.csrHowever, when we come to import the CA-supplied certificate we get the following error.
msgcert add-cert Server-Cert /tmp/mail1.crt
Enter the certificate database password:
Unable to find private key for this certificate.
Failed to add the certificate.I'm confused. What does the msgcert request-cert command use as a private key when generating the certificate request? Should I have used openssl to generate the certificate request with a known private key?
Thanks
AlanI solved the problem by converting certificate to pkcs#12 format and importing it.
openssl pkcs12 -export -in cert.pem -inkey private.key -out cert.pkcs12 -name Server-Cert
/opt/sun/comms/messaging64/bin/msgcert add-cert Server-Cert cert.pkcs12Alan -
How can I change an SSL Certificate display name on Firefox?
I have 6 SSL Certificate to install in order for an application to open in 6 ways. Each certificate represent a way. The problem is that the pop up window i am receiving to choose one of these 6 SSL displays the Issuer CN while i need it to display the friendly name / or the description since i can modify them.
Any way this is possible?
Thanks,This article may help you
https://support.mozilla.org/en-US/kb/enable-ssl-fix-cannot-connect-securely-error?esab=a&s=SSL+certificate+display+on+Firefox&r=7&as=s
regards,
Gautam sharma. -
OPEN SSL certificate generation issue--bpel email activity
Hi all,
I need to send a mail from bpel using email activity.
I made all settings changes.I downloaded OPENSSL software and I need to generate smtp ssl certificates?
But while generation of ssl certificates I am getting some issue
OpenSSL> openssl s_client -starttls smtp -crlf -connect smtp.gmail.com:465>
gmail.cert
openssl:Error: 'openssl' is an invalid command.
Standard commands
asn1parse ca ciphers crl crl2pkcs7
dgst dh dhparam dsa dsaparam
ec ecparam enc engine errstr
gendh gendsa genrsa nseq ocsp
passwd pkcs12 pkcs7 pkcs8 prime
rand req rsa rsautl s_client
s_server s_time sess_id smime speed
spkac verify version x509
Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160 sha
sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea idea-cbc
idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40
Can any one suggest me ,What I entered is correct or not?how to generate smtp certificates?
Thanks in advance
KrishnaFabian,
Are you familiar with Firefox OS? The reason I say this is because the email client cannot create a certificate excaption. This is actually by design. This is by design: https://wiki.mozilla.org/Gaia/Email/Features#Security
This support request at Mozilla was placed specifically for the Firefox OS product, for which only a single email client exists.
That being said the good folks on the Mozilla Bugzilla, were able to show me how to look up another alias for these servers which does in fact work and does in fact match the SSL certificates. Though Dreamhost support could not provide me with said information, and said information does not in fact exist in the DreamHost wiki.
I find repeated insistance from Dreamhost represenatives that I should just live with SSL certificate exceptions, when there are actual valid server names in existence to match the certificates in question, rediculous.
The fact that you are posting this non solution for a product it isn't even applicable for is beyond unhelpful. It actually serves to muddy the waters. -
BingMaps not showing with SSL certificate
I have recently added SSL certificate to the server for the website I am developing.
I changed my applications to use https from http.
<script type="text/javascript" src="https://ecn.dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=7.0">
After changing it from http to https, it is showing a blank page in place of map. The error it says is
This page is trying to load scripts from unauthenticated sources
I had to click on the right top corner shield and allow the browser to run unsafe scripts to get the bingmaps to show up.
Any ideas on how I can resolve it. I am using ASP.NEt, C#, Javascript and jQuery.
Thanks in advance.
NateI had to add &s=1 to run the BingMaps in secure mode
so, we should use following link to run the bing maps with SSL.
https://ecn.dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=7.0&s=1
Thanks
Nate -
We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cachecookies.squite answer is Today at 5:15 PM .
New profile, same problem.
We've already established it is not a add-ons problem but obviously there will be less add-ons in this new profile to help exclude.
Since there is two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile...same thing...even followed the instruct for uninstall &re-install...same problem.
(3) different virus scanners, no hard core problems.
Suspect how I have something in Windows setup that no one else is using? -
Firefox will not save Site Certificate Exceptions even when checked to do so.
I have a publicly free Wifi Access point near by that I use daily. When logging on to this site I get a Warning about the Sites Certificate and do I want to proceed, I choose YES and then are asked if I want to make this exception permanent and I put a check mark in the box for yes and press accept. This is suppose to permanently accept this websites certificate in the future. It does not.. It will not save the exception from one session to the next.
IN SHORT: Firefox failure to permanently store website Certificate exceptions.Make sure that you do not run Firefox in (permanent) Private Browsing mode.
*https://support.mozilla.org/kb/Private+Browsing
Start Firefox in <u>[[Safe Mode|Safe Mode]]</u> to check if one of the extensions (Firefox/Tools > Add-ons > Extensions) or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance).
*Do not click the Reset button on the Safe mode start window or otherwise make changes.
*https://support.mozilla.org/kb/Safe+Mode
*https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes
See also:
*https://support.mozilla.org/kb/Username+and+password+not+remembered
*Tools > Options > Security: Passwords: "Remember passwords for sites" -
We have a new Entrust SSL Certificate with issuer Entrust Certification Authority – L1K which Firefox does not recognize. Internet Explorer and Chrome are ok.
On a different system we have an Entrust SSL Certificate with issuer Entrust Certification Authority – L1C which is ok with Firefox.Did you verify that all intermediate certificates are installed on the server?
You can inspect the certificate chain via a site like this:
*http://www.networking4all.com/en/support/tools/site+check/
*https://www.ssllabs.com/ssltest/ -
Firefox 27 in new profile will not store security certificate exception
I created a new profile in order to transfer settings to a new PC. Under the new profile I cannot permanently store Security Certificate exceptions although I can do so in the default profile. I can create a one off exception in the new profile. Is there a fix?
What I meant is which websites require you 990you to add an exception.
Check the date and time in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
Check out why the site is untrusted (click "Technical Details to expand that section) and if this is caused by a missing intermediate certificate then see if you can install this intermediate certificate from another source.
You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.
*Click the link at the bottom of the error page: "I Understand the Risks"
Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
*Click the "View..." button and inspect the certificate and check who is the issuer of the certificate.
You can see more Details like intermediate certificates that are used in the Details pane.
If "I Understand the Risks" is missing then this page may be opened in an (i)frame and in that case try the right-click context menu and use "This Frame: Open Frame in New Tab".
Note that some firewalls monitor (secure) connections and that programs like Sendori or FiddlerRoot can intercept connections and send their own certificate instead of the website's certificate. -
Can I install ssl certificates in Firefox for android 4.0 tablets?
I need to Know if I can install ssl certificates in Firefox for android 4.0 tablets?
I did it with the laptop Firefox for windows 7 and I am using al time but I need to travel with my samsung tablet and use my ssl certificate to acces my bank account. I dont know if the android version of firefox have advance options to configure my certificate.Visit a website that provides the cert and then you should be prompted to install it. As of right now the feature is in Firefox Beta from the Play Store if you want a more polished version.
Maybe you are looking for
-
Host command in forms/reports
Is there a host command in reports 6i? I used this in forms 6i. When I tried to use in Reports 6i, I received a compile error. basically all I need to do is to get directory information. This can be easily done in forms using the host command. Is the
-
Hyperion Workspace issue - Scrollbar Missing on Workspace 11.1.2.0.00
Hi EPM Experts, I am having problems with the Workspaces scrollbars. They are vanishing without no reason. Only temporary resolution is to restart the services, but it is recurring issue. Any hints to FIX this issue will be highly appreciated. Thanks
-
Hi All, Please let me know user exit for Pick Quantity. We are doing picking without ware house management. while creating the delivery, pick quantity should be same as delivery quantity. while creating the delivery on the first screen it self pickin
-
Inkscape crash when open files.
Hi! Inkscape crash when I try open files. When I try File - Open File or Save File Inkscape is closed. In terminal show follow message: Emergency save completed. Inkscape will close now. If you can reproduce this crash, please file a bug at www.inksc
-
Unable to open ant file using JDeveloper
I am using JDeveloper 10.1.3 production (version 10.1.3.0.4 build 3673) and I am having difficulty understanding the way ant build files are handled by this version. I would like to open ant files (build.xml) just like any other XML file so that I ca