FF3RC1: An error occurred while trying to find updates

27 views
Skip to first unread message

legaev...@gmail.com

unread,
May 19, 2008, 9:27:21 AM5/19/08
to
Hello Everyone!

To support FF3 I changed protocol of updateUrl in my extension to
HTTPS. Extension installs and works fine, but I see "An error occurred
while trying to find updates" error after trying of update.
I set extensions.logging.enabled to true and see following message in
Error Console:

Datasource: Update Started
Datasource: Addon Update Started: {a0a23159-1418-4a08-
bc4d-72045629c4b1}
RDFItemUpdater:checkForUpdates sending a request to server for:
https://local.site.com/extension/update.rdf, item =
({id:"{a0a23159-1418-4a08-bc4d-72045629c4b1}", version:"0.2.4.1",
installLocationKey:"app-profile", minAppVersion:"1.5",
maxAppVersion:"3.1", name:"myExtension", xpiURL:"", xpiHash:"",
iconURL:"chrome://myextension/skin/myext-32x32.png",
updateRDF:"https://local.site.com/extension/update.rdf", updateKey:"",
type:2, targetAppID:"{a0a23159-1418-4a08-bc4d-72045629c4b1}"})
RDFItemUpdater::onXMLLoad: cert issuer is not built-in
Datasource: Addon Update Ended: {a0a23159-1418-4a08-
bc4d-72045629c4b1}, status: 4
Datasource: Update Ended

P.S. local.site.com - is a local site (Apache 2.0) with self-signed
certificate.
P.S.S. In FF2.0 updates work fine.

John J. Barton

unread,
May 19, 2008, 10:52:43 AM5/19/08
to
legaev...@gmail.com wrote:
> Hello Everyone!
>
> To support FF3 I changed protocol of updateUrl in my extension to
> HTTPS. Extension installs and works fine, but I see "An error occurred
> while trying to find updates" error after trying of update.
> I set extensions.logging.enabled to true...

My advice is to ignore the error messages. In my experience they are not
helpful. You're better off reading your install.rdf and update.rdf
carefully and comparing them to ones that work.

John.

Eric H. Jung

unread,
May 19, 2008, 12:58:30 PM5/19/08
to dev-ext...@lists.mozilla.org

----- Original Message ----
> From: "legaev...@gmail.com" <legaev...@gmail.com>

> P.S. local.site.com - is a local site (Apache 2.0) with self-signed
> certificate.

AFAIK, you cannot use self-signed certificates. You need a cert that has a valid chain to a root CA.

Eric



Dave Townsend

unread,
May 19, 2008, 1:08:25 PM5/19/08
to
legaev...@gmail.com wrote:
> Hello Everyone!
>
> To support FF3 I changed protocol of updateUrl in my extension to
> HTTPS. Extension installs and works fine, but I see "An error occurred
> while trying to find updates" error after trying of update.
> I set extensions.logging.enabled to true and see following message in
> Error Console:
>
> Datasource: Update Started
> Datasource: Addon Update Started: {a0a23159-1418-4a08-
> bc4d-72045629c4b1}
> RDFItemUpdater:checkForUpdates sending a request to server for:
> https://local.site.com/extension/update.rdf, item =
> ({id:"{a0a23159-1418-4a08-bc4d-72045629c4b1}", version:"0.2.4.1",
> installLocationKey:"app-profile", minAppVersion:"1.5",
> maxAppVersion:"3.1", name:"myExtension", xpiURL:"", xpiHash:"",
> iconURL:"chrome://myextension/skin/myext-32x32.png",
> updateRDF:"https://local.site.com/extension/update.rdf", updateKey:"",
> type:2, targetAppID:"{a0a23159-1418-4a08-bc4d-72045629c4b1}"})

> RDFItemUpdater::onXMLLoad: cert issuer is not built-in

That is the appropriate error, your ssl certificate must be signed by
one of the built in CAs

legaev...@gmail.com

unread,
May 20, 2008, 1:44:04 AM5/20/08
to

May be I can solve this problem by moving my extension to
addons.mozilla.org?

Mook

unread,
May 20, 2008, 1:55:45 AM5/20/08
to
Dave Townsend wrote:

> legaev...@gmail.com wrote:
>> RDFItemUpdater::onXMLLoad: cert issuer is not built-in
>
> That is the appropriate error, your ssl certificate must be signed by
> one of the built in CAs

Huh, not even for a properly user-installed CA? How would third-party
distributors (think CCK-using large organizations deploying internally)
be able to provide updates? Get a "real cert"?

(Not that getting one is necessarily such a hard thing... but still,
this gives me a gut feel of Doing It Wrong)

--
Mook

John J. Barton

unread,
May 20, 2008, 10:23:08 AM5/20/08
to

Another alternative is to use signed updates rather than https. The
extension is shipped with a public key. When the update.rdf is
downloaded by Firefox, its signature is checked by Firefox. If that
check succeeds, then Firefox downloads the update and computes its hash
to prevent attacks during download.

Here are the steps as I remember them:
1. Use mccoy http://developer.mozilla.org/en/docs/McCoy to put a
public key string into your install.rdf.
2. build your XPI zip file, including the install.rdf from #1.
3. Compute the SHA256 hash of the XPI file (a string), put this
updateHash in your update.rdf
4. Use mccoy to sign the update.rdf with the key from #1.

This is more complex than using addons.mozilla.org, but also more flexible.

John.

Mike Shaver

unread,
May 20, 2008, 12:12:31 PM5/20/08
to Mook, dev-ext...@lists.mozilla.org
On Tue, May 20, 2008 at 1:55 AM, Mook
<mook.moz+nntp.n...@gmail.com> wrote:
> Dave Townsend wrote:
> > legaev...@gmail.com wrote:
>
> >> RDFItemUpdater::onXMLLoad: cert issuer is not built-in
> >
> > That is the appropriate error, your ssl certificate must be signed by
> > one of the built in CAs
>
> Huh, not even for a properly user-installed CA? How would third-party
> distributors (think CCK-using large organizations deploying internally)
> be able to provide updates? Get a "real cert"?

Any known-to-the-browser CA should work; if you find that it doesn't,
please file!

Mike

Eric H. Jung

unread,
May 20, 2008, 12:14:46 PM5/20/08
to dev-ext...@lists.mozilla.org

A third option is to host your download at mozdev.org, where you don't have to go through the strict review process required by AMO. Mozdev provides secure updates and installs. For more info, see http://www.mozdev.org/drupal/wiki/MozdevDownloadReleases



Nils Maier

unread,
May 20, 2008, 2:21:20 PM5/20/08
to

That's not the case, as Dave already mentioned.
Only those from the built-in token (i.e. only directly compiled into the
NSS db) will be accepted.[1]
Same goes for Application AUS btw.

So even if your organization runs a proper local CA and the ca cert was
installed into the certdb, even then you're out of luck.

Nils

http://mxr.mozilla.org/seamonkey/source/toolkit/mozapps/shared/src/badCertHandler.js#59

Mook

unread,
May 23, 2008, 12:50:06 AM5/23/08
to Mike Shaver
Hmm, I don't have a test case, but both code inspection (see the message
from Nils) and Mossop on IRC say it doesn't. Should I still file?
(the token name "Builtin Object Token" doesn't get localized, right?)

Mossop also says (or I misinterpreted him to mean) that, at the time,
NSS had no way of reporting that a trust was temporary, and that it
might be able to do so now. Better ask him directly :)

--
Mook

Mike Shaver

unread,
May 23, 2008, 10:52:44 AM5/23/08
to Mook, dev-ext...@lists.mozilla.org
On Fri, May 23, 2008 at 12:50 AM, Mook
<mook.moz+nntp.n...@gmail.com> wrote:
> Hmm, I don't have a test case, but both code inspection (see the message
> from Nils) and Mossop on IRC say it doesn't. Should I still file?

With a test case, I think you should file -- I don't know of any
reason that all installed CA roots shouldn't be permitted for
extension update checks.

Mike

Mook

unread,
May 26, 2008, 7:36:11 AM5/26/08
to Mike Shaver

Filed as bug 435743 ; the built-in-CA-only was due to bug 340198. The
test didn't exist in the first place because, umm, no tests that
actually used https existed as xpcshell tests...

--
Mook

Demiao Lin

unread,
May 27, 2008, 4:47:59 AM5/27/08
to

I encountered the same problem~

Eric H. Jung

unread,
May 27, 2008, 11:38:04 AM5/27/08
to Demiao Lin, dev-ext...@lists.mozilla.org

----- Original Message ----
> From: Demiao Lin <ldm...@gmail.com>

> > P.S. local.site.com - is a local site (Apache 2.0) with self-signed
> > certificate.
> > P.S.S. In FF2.0 updates work fine.
>
> I encountered the same problem~

It's not a problem. It's working as designed. Self-signed certs aren't supported.

Eric



Reply all
Reply to author
Forward
0 new messages