[Firefox 36] Cannot add exception of untrust connection with netscreen firewall
Hi,
When I upgrade to Firefox 36, I am having a problem with "Add exception of untrust connection" with the netscreen firewall.
The problem is that it will show the normal "this connection is not trusted" screen with the button "Added exception of this website", but if I click on the button, nothing happens.
But this problem seems at the moment to occur only with the netscreen firewall web console (link is https://IP/nswebui.html); other websites don't have this problem.
I tried to reinstall Firefox but this cannot solve the problem.
Would you please kindly help?
Thanks
Daniel
Modified by advadv on
Hi Daniel,
Please see "This Connection is Untrusted" error message appears - What to do for more information about the problem. By the way, may I know the website you are visiting when this problem occurs? And does this problem happen on multiple websites or on a particular website only?
Thank you.
Hi Adriel,
Thanks for your response. I have read the article, and even deleted the cert8.db, but the problem still exists!
The website is the netscreen console login website (for an example, refer to http://miniminiadmin.jugem.jp/?eid=282); the link is in the format https://[IP]/nswebui.html.
I don't have this problem with other websites: when I click "Add exception" on other websites a popup dialog appears, but there is no response on these netscreen console login websites. No response means no error message, no error dialog, nothing happens; I can click on it XXX times without anything happening or any response.
I think I should say it happens on particular website[s] with the netscreen console login; I use Firefox to manage my servers, firewall.....
Hello,
Sorry, I don't get what you mean by netscreen console log-in. I have opened the link you have given to me, "http://miniminiadmin.jugem.jp/?eid=282". See attachment. Please let me know if this is what you see when you click the link.
In order to better assist you with your issue please provide us with a screenshot. If you need help to create a screenshot, please see How do I create a screenshot of my problem?
Once you've done this, attach the saved screenshot file to your forum post by clicking the Browse... button below the Post your reply box. This will help us to visualize the problem.
Thank you!
No worries, here comes the screen shot.
Hello,
Please try this solution, which might address your problem.
Certain Firefox problems can be solved by performing a Clean reinstall. This means you remove Firefox program files and then reinstall Firefox. Please follow these steps:
Note: You might want to print these steps or view them in another browser.
- Download the latest Desktop version of Firefox from mozilla.org (or choose the download for your operating system and language from this page) and save the setup file to your computer.
- After the download finishes, close all Firefox windows (or open the Firefox menu and click the close button).
- Delete the Firefox installation folder, which is located in one of these locations, by default:
  - Windows:
    - C:\Program Files\Mozilla Firefox
    - C:\Program Files (x86)\Mozilla Firefox
  - Mac: Delete Firefox from the Applications folder.
  - Linux: If you installed Firefox with the distro-based package manager, you should use the same way to uninstall it - see Install Firefox on Linux. If you downloaded and installed the binary package from the Firefox download page, simply remove the folder firefox in your home directory.
- Now, go ahead and reinstall Firefox:
  - Double-click the downloaded installation file and go through the steps of the installation wizard.
  - Once the wizard is finished, choose to directly open Firefox after clicking the Finish button.
More information about reinstalling Firefox can be found here.
WARNING: Do not use a third party uninstaller as part of this process. Doing so could permanently delete your Firefox profile data, including but not limited to, extensions, cache, cookies, bookmarks, personal settings and saved passwords. These cannot be easily recovered unless they have been backed up to an external device! See Back up and restore information in Firefox profiles.
Please report back to say if this helped you!
Thank you.
Chosen Solution
Hi, I can confirm the following facts, and I want to be helpful.
1. Even when I tried a clean install of Firefox 36 on a fresh computer, I still cannot add an exception for our firewall web consoles (https://[IP]/nswebui.html).
2. Because of point 1, I immediately downloaded Firefox 35 and downgraded Firefox on my PC. IT IMMEDIATELY WORKS AND CAN ADD THOSE EXCEPTIONS BACK, and I can now manage my firewall again.
Now, I can consider my problem solved by myself, but if there is anything I can do to help debug this, I am happy to help.
Thanks!
Daniel
Hello,
I am glad to hear that your problem has been resolved. If you haven't already, please select the answer that solves the problem. This will help other users with similar problems find the solution more easily.
The people who answer questions here, for the most part, are other Firefox users volunteering their time (like me), not Mozilla employees or Firefox developers.
If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected at http://input.mozilla.org/, where a team of people read it and gather data about the most common issues.
Thank you for contacting Mozilla Support.
Hi,
I can confirm the same problem as the owner. I manage multiple Juniper Netscreen firewalls and, ever since upgrading to firefox 36 (any build) I cannot add an exception for the untrusted site.
I have tried a clean re-install. I have tried using Aurora (Very latest & BETA) versions all with the same result i.e. cannot add exception. The add exception dialog comes up elsewhere and works as expected just not on Juniper Netscreen Web management pages.
I noticed that the self-signed certificate used by the Juniper netscreen firewalls has expired, a long time ago in fact, so I've forced the device to create a new self-signed certificate with a new valid expiry date but this makes no difference to the issue i.e. I still cannot add an exception. I have tried manually adding the exception through the "Options > Advanced > Certificates > View Certificates > Servers > Add Exception" windows but this also doesn't work. If I click on the "Add Exception button" the button depresses but nothing happens.
As the owner mentioned, as soon as I downgrade to Firefox 35 or earlier, without clearing cache or certdb file, it works perfectly and I can manage my firewalls again. I have now downgraded to Firefox 35 and removed the Maintenance service so it doesn't auto-update until the issue has been resolved.
Thanks
Nic
This issue is NOT resolved. Downgrading is not a valid solution. I too am having this problem with 36.0.4. When will a solution be released to actually fix this issue?
I Agree with "smcgirk"
There is NO solution to this issue and it cannot be considered Solved. Downgrading is a workaround being used by those of us who are committed to Firefox - as opposed to using a different browser. I should not have to downgrade to get this to work, nor disable the maintenance service.
Thanks Nic
nicmagic said
Hi, I can confirm the same problem as the owner. I manage multiple Juniper Netscreen firewalls and, ever since upgrading to firefox 36 (any build) I cannot add an exception for the untrusted site. I have tried a clean re-install. I have tried using Aurora (Very latest & BETA) versions all with the same result i.e. cannot add exception. The add exception dialog comes up elsewhere and works as expected just not on Juniper Netscreen Web management pages. I noticed that the self-signed certificate used by the Juniper netscreen firewalls has expired, a long time ago in fact, so I've forced the device to create a new self-signed certificate with a new valid expiry date but this makes no difference to the issue i.e. I still cannot add an exception. I have tried manually adding the exception through the "Options > Advanced > Certificates > View Certificates > Servers > Add Exception" windows but this also doesn't work. If I click on the "Add Exception button" the button depresses but nothing happens. As the owner mentioned, as soon as I downgrade to Firefox 35 or earlier, without clearing cache or certdb file, it works perfectly and I can manage my firewalls again. I have now downgraded to Firefox 35 and removed the Maintenance service so it doesn't auto-update until the issue has been resolved. Thanks Nic
Hi Nic,
Thanks for making it clear that it is not my own problem! You know, it was so frustrating that you suddenly cannot do anything with your favorite browser.
It seems that you are the second person to have this problem. Before I posted this question I googled this problem and I couldn't find anybody facing it. I even reported this to the development team of Firefox but they don't seem to have responded yet.
What you have tried I have also tried, but of course it couldn't solve the problem. As I need to do my work, I just downgraded and moved on.
Thanks for making this problem clearer than before. I hope the development team can do something about this.
Thanks
Daniel
Hi, I'm getting the exact same thing happen in Firefox 36 whenever I try to manage Juniper Netscreen firewalls, the Add Exception button does nothing.
According to a little background reading, there are a few different error codes you might see in this situation. Which one are you seeing with the Netscreen product?
(Error code: sec_error_untrusted_issuer)
- Firefox does not allow an exception but shows a useless Add Exception button -- the UI needs to be improved.
(Error code: sec_error_unknown_issuer)
- Usually you can add an exception
- Firefox 36-37 do not allow an exception if the Subject Alt Name field is blank and this is supposed to be fixed in Firefox 38 (currently available as the Developer Edition)
- If you imported a CA certificate in an earlier version of Firefox: a possible workaround is to remove all previously saved exceptions for the site's certificates ("Servers" tab) and previously manually imported signing certificates for the site's certificates ("Authorities" tab) and try Add Exception again (or you could rename the cert8.db file to hide all previously saved exceptions)
(Error code: sec_error_bad_der)
- May be due to blank Subject Alt Name field
- If you imported a CA certificate in an earlier version of Firefox: please see above possible workaround
(Error code: sec_error_ca_cert_invalid)
- Different set of issues
And there are other possibilities...
Hi, I have the same problem with ScreenOS 6.3.0r18.0. It says unknown issuer.
Der Zertifikat-Aussteller der Gegenstelle wurde nicht erkannt. (Fehlercode: sec_error_unknown_issuer)
The used certificate is self-signed by this device. There is no CA which we could add.
BR, Benjamin
Hi
I solved this problem by adding a new self-signed cert in the Juniper router. The "out of the box" cert expired some time in 2010 and it seems that FF does not like that. Chrome allowed me to open the webUI, but was not very happy with the expiry date of the cert.
I got the "sec_error_unknown_issuer" error in FF and the button to add an exception was present but "unclickable".
I followed "Setting an Admin-Defined Self-Signed Certificate" in the Juniper "Concepts & Examples ScreenOS Reference Guide". I later chose that cert under the management, "configuration -> Admin -> Management".
When I did that, FF allowed me to add an exception and it works in FF.
/T
Modified by kongekrabben on
I can confirm that generating a new self signed RSA cert on the device fixes this issue.
Here's what I did. You'll obviously need to break down and do this in another browser. In my version of ScreenOS Certificates are located under Objects.. Certificates.. (my device initially had no Local certs listed) Choose "Local" from the drop-down list and click "New". Fill out most of what you can then choose the RSA and 2048 length then Generate. and generate the cert request, you will be taken to a screen and below the cert request there's a button "Generate Self Signed Cert" that will generate it and store it on the device then you can navigate away from that page safely. Next, go to Configuration.. Admin.. Management and select the newly generated cert and "Apply". I didn't need to do anything else. Side note, I changed my cipher to 3DES-SHA1 but I'm not sure if that has a bearing on any of this.
I have to add the exception every time I restart Firefox as the option to store the exception is greyed out. Not sure if that's because of my browser settings or what.
I'll assume that this problem will eventually apply to many other devices with out of the box ssl certs so keep it on your radar.
Hope this saves someone some time.
Modified by mikeb121 on
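An added example, not part of any post in this thread: a shell function that checks a saved device certificate for the conditions named in the replies above (expired validity, blank Subject Alt Name, self-signed), so a fleet of devices with out-of-the-box certs can be screened. The function names, the `constructed-device` sample certificate and the `mgmt.example` host are assumptions for illustration; it relies on the `openssl` CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag a management-interface certificate
# that has the traits discussed above. Requires the openssl CLI.
# Live use, with mgmt.example as a placeholder host:
#   openssl s_client -connect mgmt.example:443 </dev/null 2>/dev/null \
#     | openssl x509 > device.pem && audit_cert device.pem

# audit_cert PEM_FILE [WINDOW_SECONDS]
# Prints space-separated findings, or "ok" when none apply.
audit_cert() {
  local pem=$1 window=${2:-0} findings="" subject issuer
  # -checkend exits non-zero when the cert expires within WINDOW seconds
  # (WINDOW=0 asks "is it expired already?").
  if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
    findings="$findings expired-or-expiring"
  fi
  # Blank Subject Alt Name, the condition named for Firefox 36-37.
  if ! openssl x509 -in "$pem" -noout -text 2>/dev/null \
      | grep -q 'Subject Alternative Name'; then
    findings="$findings no-subject-alt-name"
  fi
  # Self-signed, approximated as issuer name equal to subject name.
  subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
  if [ "$subject" = "$issuer" ]; then
    findings="$findings self-signed"
  fi
  echo "${findings:- ok}" | sed 's/^ //'
}

# make_sample OUT_PEM [extra "openssl req" arguments]
# Builds a constructed one-day self-signed certificate for trying the audit.
make_sample() {
  local out=$1
  shift
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=constructed-device' -keyout "$out.key" -out "$out" "$@" \
    2>/dev/null
}

# Demo on constructed input (no network access needed).
demo_dir=$(mktemp -d)
make_sample "$demo_dir/factory.pem"
echo "constructed cert: $(audit_cert "$demo_dir/factory.pem")"
rm -rf "$demo_dir"
```

A finding here is a prompt to regenerate the device certificate as described in the posts above; it does not predict which Firefox error code will appear.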
mikeb121 said
I can confirm that generating a new self signed RSA cert on the device fixes this issue. Here's what I did. You'll obviously need to break down and do this in another browser. In my version of ScreenOS Certificates are located under Objects.. Certificates.. (my device initially had no Local certs listed) Choose "Local" from the drop-down list and click "New". Fill out most of what you can then choose the RSA and 2048 length then Generate. and generate the cert request, you will be taken to a screen and below the cert request there's a button "Generate Self Signed Cert" that will generate it and store it on the device then you can navigate away from that page safely. Next, go to Configuration.. Admin.. Management and select the newly generated cert and "Apply". I didn't need to do anything else. Side note, I changed my cipher to 3DES-SHA1 but I'm not sure if that has a bearing on any of this. I have to add the exception every time I restart Firefox as the option to store the exception is greyed out. Not sure if that's because of my browser settings or what. I'll assume that this problem will eventually apply to many other devices with out of the box ssl certs so keep it on your radar. Hope this saves someone some time.
I thought I'd done the same by generating a new self-signed cert but I clearly hadn't done it properly. I can confirm that now, after following "mikeb121"'s procedure, I was able to create a new self-signed certificate for the Juniper Firewall and can now successfully add an exception in Firefox to allow me to manage my firewall. Job well done. Thanks mikeb121
Nic
This definitely solves the problem connecting to a firewall where the certificate is replaced by a new one which is self-signed and valid. Thanks kongekrabben and mikeb121.
IMO Mozilla should fix this to add exceptions for certificates that are not valid anymore. We have many ScreenOS devices where we don't want to update the now invalid certificates.
advadv said
When I upgrade to Firefox 36, I am having a problem with "Add exception of untrust connection" with the netscreen firewall. The problem is that it will show the normal "this connection is not trusted" screen with the button "Added exception of this website", but if I click on the button, nothing happens.
Try using the IP address of the host in question. I know that's not a great answer, but until Mozilla/Firefox developers stop being f**ktards, and allow ALL of us to add exceptions *REGARDLESS* of the cause of the cert failure, the only thing we can do is find a workaround for these issues.
At the same time, sending feedback to Mozilla/Firefox Devs telling them you want the option to add exceptions *REGARDLESS* of the cause of the cert error, may eventually make them stop being so stupid and putting the control into the users hands where it belongs.
Yes, warn us ... yes even STRONGLY warn us, but in the end let *US* be the stupid ones if that's what it takes, just stop thinking "mozilla knows best" because you f**king don't.
Let's see YOU moz dev team go through 10000 servers with ILO or IDRAC cards and re-create SSL certs unnecessarily for them, when the only physical and logical networking way to access them is through your trusted private network ... Users should not have to be required to do things like that just because you think the cert isn't trustable.