Reset messed up certificate data in Firefox and Thunderbird?

24
2014-04
  • hpy

    I am running Firefox 7.0.1 and Thunderbird 7.0.1 on Mac OS X 10.6.8.

    I was exploring/nosing around their Preferences, and deleted many Authorities in the Certificate Manager.

    Afterwards I started to get lots of messages from Firefox and Thunderbird that look like this:

    [domain ...:443] uses an invalid security certificate.

    The certificate is not trusted because the issuer certificate is not trusted.

    (Error code: sec_error_untrusted_issuer)

    There are only two buttons I could click on: "View Certificate" and "Cancel". Regardless of which one I choose, the messages repeatedly pop up whenever I load a webpage.

    Interestingly, I even have trouble logging onto websites (Gmail, superuser, etc.) even on other browsers on other computers. For instance, when I browse to superuser.com, I am logged in. But when I ask a question, I am asked to log in, yet I can't log in with my Google Account (which I always use for stackexchange sites).

    I don't even know how to troubleshoot this problem, or if there is some way to reset my system's certificate information?

    This is really weird, and impedes my normal web browsing.

  • Answers
  • Simon Sheehan

    I looked up your error in regards to Firefox, and found this solution:

    1. Type the phrase about:support as a URL in the Firefox address bar.
    2. Click the button next to Profile Directory labeled "Open Containing Folder". That will launch Windows Explorer.
    3. Close Firefox.
    4. Locate the file cert8.db in the Windows Explorer pane you opened in step 2 and move the file to a different location (like your desktop) or rename it.
    5. Start Firefox again.

    This will clear the file out and should resolve the errors you are getting.


  • Related Question

    security - Firefox Certificate Error
  • Mikle

    I have this annoying problem - every time I get into a site with a security certificate I always see a warning page that the certificate is invalid. I've grown accustomed to just setting an exception and never seeing this again (for sites I trust of course).

    Today I tried browsing godaddy to buy a domain, and it started acting weird - it only shows me a text version of the site, where most of the images and the style page are missing. A screenshot of the top of the page:


    Only at the end of the page does some kind of unstyled plain text dump appear. I can only come to the conclusion that the CSS file is unsigned and that Firefox doesn't show it.

    My questions:

    1. How come Firefox thinks that all the certificates it sees are invalid (including its own, like addons.mozilla.com)?

    2. Why doesn't go daddy work right, and how do I fix it?

    Edit: IE7 shows me a page about the certificate not being valid but then shows me the page nicely formatted.

    I should maybe add that I'm a pretty security aware guy, and that I don't believe it's a problem caused by malicious software on my computer. I tried installing a fresh copy of Windows on a virtual machine and Firefox showed me the same error.

    Further details: The exception text is:

    www.godaddy.com uses an invalid security certificate.
    
    The certificate is not trusted because it is self signed.
    The certificate expired on 1/25/2009 7:35 PM.
    
    (Error code: sec_error_expired_issuer_certificate)
    

    I'm pretty sure my computer time is right (21 august 2009, unless I'm insane too, but that's a different question :))


  • Related Answers
  • Konrad

    No No No No. Do not set exceptions, they are meant to be exceptions not the norm. If you are constantly seeing it then you are likely the victim of a man in the middle (http://en.wikipedia.org/wiki/Man-in-the-middle%5Fattack) attack.

    By allowing exceptions you are completely forfeiting one of the protections afforded by the certificate - trust. Companies (ecommerce, banks etc) pay a lot of money to people like Verisign to get a certificate that they counter sign. This allows you to trust the certificate is:

    a) Valid
    b) Not tampered with
    c) Trustable
    

    The only time you should ever trust an unsigned certificate is a self signed one you have created yourself. ANY other kind should be treated with the greatest suspicion.

    I would strongly suggest you reinstall your operating system, something is not right and if you have been infected with spyware / malware or rootkitted then the only way to reverse it is to start from a clean slate.

  • bethlakshmi

    It would help to know what kind of invalid error is occurring. For example:

    • Is it expired/not yet valid - then your computer may not be set to the correct time
    • Is it not signed properly - then you're being offered a bad certificate -- quite possibly a man in the middle attack
    • Is it from an untrusted CA or self-signed? Then it might be OK to add it to your trusted certificate list, if you recognize and trust the CA signing the certificate. I find self-signed certificates a little dodgy, and don't add them to my cert store, unless I know I'm looking at a known test website.
    • Does the domain of the certificate match the domain presented - if not, don't trust it. If you need to use the site, call the site provider and get their help figuring out what's wrong.

    I'm assuming you don't have any add-ons that do validity checks to OCSP or CRLs... that's a heavy duty security thing that most normal people don't use. If you do have a client for OCSP checking, let me know which one and what its results say.

    When I hit GoDaddy with my own Firefox, I don't get an error, I do get to GoDaddy's certificate, which is signed by their CA (Go Daddy Secure Certification Authority) which my browser trusts.

    If you throw up the SHA1 or MD5 hash of the certificate, I will gladly cross check with what I see here:

    • click "GoDaddy.com, Inc (US)" next to the URL.
    • click "More Information"
    • click "View Certificate"
    • take a picture of the window (On Windows this is alt-print screen) and post somewhere public and reference URL.
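
The checks listed in the answer above (validity period against the local clock, self-signed or untrusted issuer, name match), as an added Python example that is not part of the original answers. It assumes a certificate already decoded into the dict layout Python's `ssl` module uses; the `triage` function, the sample certificates and the host names are constructed for illustration, and signature verification is left to the TLS library.

```python
import ssl
from datetime import datetime, timezone

def _dns_names(cert):
    """DNS subjectAltNames, falling back to the subject commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]

def _matches(pattern, host):
    """Exact match, or a single left-most '*' label covering exactly one label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def triage(cert, host, now, trusted_issuers):
    """Return the list of findings for one decoded certificate (hypothetical helper)."""
    findings, t = [], now.timestamp()
    if t < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid")      # or the local clock is behind
    if t > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")            # or the local clock is ahead
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed")        # issuer name equals subject name
    elif cert["issuer"] not in trusted_issuers:
        findings.append("untrusted-issuer")   # e.g. the authority was deleted locally
    if not any(_matches(n, host) for n in _dns_names(cert)):
        findings.append("name-mismatch")
    return findings

# Constructed sample data, not taken from any real certificate.
CA = ((("organizationName", "Example Test CA"),), (("commonName", "Example Test CA"),))

def _cert(cn, issuer, not_before, not_after):
    subject = ((("commonName", cn),),)
    return {"subject": subject, "issuer": issuer or subject,
            "notBefore": not_before, "notAfter": not_after,
            "subjectAltName": (("DNS", cn),)}

GOOD = _cert("www.shop.example", CA, "Jan 10 00:00:00 2009 GMT", "Jan 10 00:00:00 2011 GMT")
STALE = _cert("www.shop.example", None, "Jan 25 19:35:00 2008 GMT", "Jan 25 19:35:00 2009 GMT")
AUG_2009 = datetime(2009, 8, 21, tzinfo=timezone.utc)
YEAR_2000 = datetime(2000, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("good:", triage(GOOD, "www.shop.example", AUG_2009, {CA}))
    print("good, clock reset:", triage(GOOD, "www.shop.example", YEAR_2000, {CA}))
    print("good, CA removed:", triage(GOOD, "www.shop.example", AUG_2009, set()))
    print("stale:", triage(STALE, "www.shop.example", AUG_2009, {CA}))
```

The same certificate changes category when only the clock or the local trust list changes, which is why the specific error code matters before deciding whether the certificate itself is at fault.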
  • William Hilsum

    It would help to know the specific failure of the SSL certificate, however in my experience, the most likely cause is your system time/date, as you said you had the same problem in a VM.

    FYI - The reason about formatting is because if you have a certificate error in IE and accept, it renders the whole page from all sources whereas in Firefox, as many sites have content from different domains, you need to accept the SSL from those sites as well.

    You can do view source then look for https://whatever and type that in to the address bar and then allow it through - however do not permanently store exceptions unless you really trust the site.

  • 8088

    Is there some sort of proxy you're going through on your network? It sounds like you could be seeing cached data. My first thought was a virus/rootkit as well, but the VM test rules that out (unless the VM was running on the same machine).

    The GoDaddy thing is especially odd, since I can verify that the cert is neither self signed nor expired.
