
Terrible Day for OS/2!


baden.ku...@gmail.com

Sep 30, 2021, 8:51:20 PM
I guess just like your own demise, the end is always a surprise. Today, both en.wikipedia.org and www.openstreetmap.org failed to load on SeaMonkey and Firefox, both sites citing expired SSL certificates. All is well on my other systems.

"This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate."

"This site uses HTTP Strict Transport Security (HSTS) to specify that SeaMonkey only connect to it securely. As a result, it is not possible to add an exception for this certificate."

I feel fortunate that I am still able to use Google Groups and post to the rarely used fora; however, the walls are closing.

Baden

Steve Wendt

Sep 30, 2021, 9:46:02 PM
On 9/30/2021 5:51 PM, baden.ku...@gmail.com wrote:

> Today, both en.wikipedia.org and www.openstreetmap.org failed to load
> on SeaMonkey and Firefox, both sites citing expired SSL certificates.

They are both using Let's Encrypt certificates. If the problem is with
recognizing the certificate authority for them, it should be possible to
update the certificate database:

a) back up your existing cert*.db in your profile(s)
b) copy cert*.db from a profile on a Linux/Windows machine
c) Let us know if that works!

baden.ku...@gmail.com

Oct 1, 2021, 6:12:06 PM
Hi Steve:

Thanks for your prompt response! I later discovered several other sites with the same issue.

After some minor investigation, I discovered the following:

- I was reading about SSL certificates, notably for Mozilla. The one interesting suggestion was that HTTP Strict Transport Security (HSTS) initially uses http, and then stores the setting in the Mozilla user profile for one year. The system is supposed to work to prevent spoofing, and allow only connections to the original source. There were some suggestions about changing about:config to address problems and duration, but that didn't work.

- I then thought if I made a new profile, that might circumvent the HSTS, and it worked. Instead of receiving the HSTS message preventing me from connecting, I got the page with:

This Connection is Untrusted
I Understand the Risks
Add Exception...

- From there, I experimented with cert*.db, but that was not successful. The actual files which determined the successful outcome were:

cert_override.txt
SiteSecurityServiceState.txt

- The two files can be deleted, and the browser will work on previously blocked sites after "Add Exception...", as the files are regenerated. Other successful options were to delete all the lines with the affected sites in the above two files, or to replace the original lines with new ones from newly made files (using a new profile or deleting the two *.txt files). For example, OSM had 10 lines in SiteSecurityServiceState.txt which were replaced with one line.

I am pleased that wikipedia now functions, and other sites load. Remaining issues are that OSM is now partially crippled, and overpass-turbo.eu/ is non-functional.

thanks,
Baden
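
A read-only look at what SiteSecurityServiceState.txt holds for a site and its subdomains, as an added example that is not part of the thread. The tab-separated layout (key, score, last-access day, `expiry_ms,state,includeSubdomains`) and state 1 meaning "set" are assumptions about the older Gecko file format; the sample lines are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in the assumed layout (not taken from a real profile).
SAMPLE = (
    "en.wikipedia.org:HSTS\t12\t18900\t1664500000000,1,1\n"
    "www.openstreetmap.org:HSTS\t3\t18899\t1664400000000,1,0\n"
    "a.tile.openstreetmap.org:HSTS\t40\t18900\t1664400000000,1,0\n"
    "old.example.test:HSTS\t1\t17000\t1500000000000,1,0\n"
    "garbled line without tabs\n"
)
NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)  # day after the root expired


def parse_state(text):
    """Parse HSTS records; lines that do not fit the assumed layout are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        host, _, kind = parts[0].rpartition(":")
        fields = parts[3].split(",")
        try:
            expiry_ms, state = int(fields[0]), int(fields[1])
            include_sub = fields[2] == "1"
        except (ValueError, IndexError):
            continue
        if kind != "HSTS" or not host:
            continue
        entries.append({
            "host": host,
            "expires": datetime.fromtimestamp(expiry_ms / 1000, tz=timezone.utc),
            "state": state,
            "include_subdomains": include_sub,
        })
    return entries


def hsts_entries_for(text, domain, now):
    """Entries for domain and its subdomains, flagged active if set and unexpired."""
    found = []
    for e in parse_state(text):
        if e["host"] == domain or e["host"].endswith("." + domain):
            found.append(dict(e, active=(e["state"] == 1 and e["expires"] > now)))
    return found


if __name__ == "__main__":
    for e in hsts_entries_for(SAMPLE, "openstreetmap.org", NOW):
        print(e["host"], e["expires"].date(), "active" if e["active"] else "stale")
```

An active entry is what removes the "Add Exception..." option for that host; a site with many subdomains, such as OSM's, shows up as several lines.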

baden.ku...@gmail.com

Oct 2, 2021, 12:35:25 AM
I was just sent this:

Arca Noae has posted a new item, 'Adding Let's Encrypt's new root and intermediate certificates to Mozilla applications'

On September 30, 2021, Let's Encrypt's DST Root CA X3 cross-sign expired, leaving many web browsers to report that sites using Let's Encrypt SSL certificates were "untrusted" or "unknown."

Let's Encrypt did, in fact, implement a new root and intermediate certificates some time ago, but after the built-in certificate stores in the Mozilla applications shipped with [...]

You may view the latest post here:
https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-certificates-to-mozilla-applications/

Steve Wendt

Oct 2, 2021, 12:36:21 AM
On 10/1/21 3:12 PM, baden.ku...@gmail.com wrote:

> - From there, I experimented with cert*.db, but that was not successful.

Not sure why that didn't work, but it seems I was correct that you can
fix it properly:
https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-certificates-to-mozilla-applications/

Steve Wendt

Oct 2, 2021, 12:37:53 AM
On 10/1/21 9:35 PM, baden.ku...@gmail.com wrote:

> Arca Noae has posted a new item, 'Adding Let's Encrypt's new root and
> intermediate certificates to Mozilla applications'

Hah, you saw it right before I did!

baden.ku...@gmail.com

Oct 2, 2021, 1:52:55 AM
Hi Steve:

I never tried importing the cert*.db from another OS, but it might have worked. The Arca Noae solution seems to have fully restored all previous functionality, and I have to thank them for their prompt response.

Baden

Frank-Rainer Grahl

Oct 4, 2021, 7:10:16 AM
Older gecko versions use key3.db and cert8.db. Newer ones key4.db and
cert9.db. They are not compatible so you need to import the new certs as
discussed.

https://bugzilla.mozilla.org/show_bug.cgi?id=783994

FRG