Sometimes Firefox Dislikes Self-signed Certs
Bill Malchisky September 26 2013 06:00:00 PM
Apparently, Firefox (FF) can, for no obvious reason, suddenly decide that it dislikes your self-signed certificate. When it does, it can make remote access challenging. If you are short on time, using another browser or another machine/VM may provide the access you need, but does not resolve the underlying issue. Let me describe the situation and the steps I took to resolve it.

I have a client where each autumn I have to renew their edge server's SSL certificate to ensure proper access to sensitive information. For the past seven years, I have performed pretty much the same procedure to remove the old certificate authority exception stored in the browser and allow FF to permanently store the updated exception. Sounds simple, right? It is. This year though, I received the following error:
Secure Connection Failed
An error occurred during a connection to {IP_Address}. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)
Symptoms
The error's root cause (the sentence about the duplicate serial number, underlined in the original post) and error code do make sense, but took a little research. Upon removing the old server certificate and certificate authorities' entry from within FF, the browser did not commit the changes. Thus, when you opened the View Certificates window again, the same certificate entries were there. This can give the impression that the targeted server has the incorrect certificate installed. Accessing the server from another desktop that had never connected to it previously worked perfectly and stored the correct certificate. Thus, it is a browser issue. What the underlined prose above states is that you are storing cert {x}, which has an associated ID but is expired; however, you are going to a server with a new cert with the same associated ID, and the browser cannot purge the existing one, so you need to remove it first. Except the browser will not allow you to remove it. Hence the problem.
Resolution
What worked for me was to purge the cert8.db file and restart the browser. The customer's desktop OS was Ubuntu 12.04 LTS, as was mine. This same scenario is probable on Windows, so the Windows equivalents are included below; Mac was not tried at this time.
0. Close FF
1. Open a terminal window
2. Go to this directory:
Linux -- $ cd ~/.mozilla/firefox/{profile-name}.default
Windows -- C:\Documents and Settings\{userID}\Application Data\Mozilla\Firefox\Profiles\{profile-name}.default
3. Remove or rename this file:
Linux -- $ rm cert8.db --OR-- $ mv cert8.db cert8.db.bak
Windows -- del cert8.db --OR-- ren cert8.db cert8.db.bak
4. Restart Firefox
Note: In rare cases, you may also need to remove the cert_override.txt file, located in the same directory.
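
The Linux steps above as a small shell function, added here as an example and not part of the original post: it renames cert8.db (and optionally cert_override.txt) to a timestamped backup instead of deleting it. The function name reset_ff_certs and the use of the profile's "lock" symlink as a sign that Firefox is still running are assumptions.

```shell
#!/bin/sh
# Added example: back up Firefox's certificate store instead of deleting it.
# reset_ff_certs is a hypothetical helper name, not a Firefox tool.
# Usage: reset_ff_certs PROFILE_DIR [--with-overrides]
reset_ff_certs() {
    profile=$1
    with_overrides=${2:-}
    stamp=$(date +%Y%m%d%H%M%S)

    if [ ! -d "$profile" ]; then
        echo "profile directory not found: $profile" >&2
        return 2
    fi
    # Assumption: on Linux a running Firefox keeps a "lock" symlink in the
    # profile. A stale link can survive a crash; remove it by hand if so.
    if [ -L "$profile/lock" ]; then
        echo "Firefox appears to be running; close it first" >&2
        return 3
    fi
    if [ ! -f "$profile/cert8.db" ]; then
        echo "no cert8.db in $profile; nothing to do" >&2
        return 1
    fi

    files="cert8.db"
    # cert_override.txt holds the stored exceptions; only touch it on request.
    if [ "$with_overrides" = "--with-overrides" ]; then
        files="$files cert_override.txt"
    fi
    for f in $files; do
        [ -f "$profile/$f" ] || continue
        dest="$profile/$f.bak.$stamp"
        # Never overwrite an earlier backup.
        if [ -e "$dest" ]; then
            echo "backup already exists: $dest" >&2
            return 4
        fi
        mv "$profile/$f" "$dest" || return 5
        echo "moved $f -> $(basename "$dest")"
    done
    return 0
}
```

Call it with the full profile path, for example reset_ff_certs ~/.mozilla/firefox/{profile-name}.default, then restart Firefox and accept the new certificate exception.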