I can send the cert itself via direct email if you'd like it, but prefer not to attach to the ticket. The only options are "Try again" and "Report this error." There's no longer an "I Understand" link or an "Add exception" button. If the error is sec_error_unknown_issuer, it means that Firefox can't find a path to a trusted root certificate.
Addons can also potentially do this. There isn't any UI in Firefox itself to make this happen (see bug 585352), but it is possible to use certutil directly on a profile's certificate database to mark
Anyhow that didn't solve the problem. My main issue (and the TAC confirm it) is this:
ike 0:test_0:60769: recv ISAKMP SA delete 5201db04fdb2971b/939286960b4c5e00
I believe the reason why that happens Juniper's debug must show
Comment 46 Adnae Inviere 2015-04-20 15:51:15 PDT Firefox versions: * version 40.0a1 (nightly from 21.04.2015) * version 37.xx Problem: https://ldap.anxia/ (Error code: sec_error_bad_der) https://10.10.10.2/ (works) https://test.anxia/ (works) SSL Cert: root@ldap:~# openssl
https://kb.juniper.net/InfoCenter/index?page=answers&type=narrow&fac=By+Product.Security+Products.SSL+VPN.SA+6000&question_box=packet&searchid=1304448775111&step=
It's looking like we'll have to change how we handle certificates like this, but in the meantime any certificates with that problem can be re-generated with valid extensions or with that
Upgrading to Firefox 36 removed that functionality and now reports a "sec_error_untrusted_issuer". IMHO, no SSL certificate error should be exempt from overriding.
Any ideas? Thanks!! The Cert error is: Peer's Certificate issuer is not recognized. (Error code: sec_error_unknown_issuer) The Polycom systems in question are running the latest firmware from Polycom, and as I mentioned, it worked
user@host:~$ openssl s_client -connect failed-server:4119 -showcerts
CONNECTED(00000003)
depth=1 CN = WatchGuard Server Root CA, O = WatchGuard
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=WatchGuard
If they are the tunnels are being torn down, then I would review and post the FortiGate side configurations to include the lifetime settings (bytes or time). I would also
General-ikeid
The VPN gets established (phase 1 and phase 2 OK), but immediately it receives a package to take down the connection. Here are some logs:
ike 0:test_0:285: recv ISAKMP SA delete eab487019033cffc/3a86ccc15b3ea1a5
ike 0:test_0:
I realize it could be read that way.)
Comment 12 rok.horvat 2015-03-12 12:11:50 PDT I can confirm too, as described by Will in the first post and Drake in comment #5 Both
I was able to access my company's intranet using Firefox 35.
Comment 27 Claude 2015-03-28 21:30:51 PDT Oh, and one more detail, about "verified server certificate" and "CA trust settings"... Manually importing the Juniper certificate to the Firefox Certificate Manager doesn't help.
The share is on a unix with 777 configured in samba. I have an identical share on another unix server and that one works even if I put in sdf for username https://forum.fortinet.com/tm.aspx?m=132999
Usually this means a server isn't sending all of the intermediate certificates it needs to or the certificate wasn't issued by an authority in our CA program.
Iked_pm_id_validate Id Not Matched
Other certs (such as Juniper SSG self-signed certs) never work. Please contact the website owners to inform them of this problem.
(In reply to Alfredo Cambera from comment #24)
> (In reply to David Keeler [:keeler] (use needinfo?) from comment #17)
Addons can also potentially do this. Migrating the internal CA + the certs to SHA2 has not resolved the issue.
If the certificates were generated with TinyCA, I would bet that they have an empty subject alternative name extension, which isn't valid according to RFC 5280: "If the subjectAltName
Comment 18 jking 2015-03-13 11:08:31 PDT (In reply to David Keeler [:keeler] (use needinfo?) from comment #17)
> (In reply to jking from comment #16)
> > So we're currently getting
Hope that helps.
Unfortunately, installing the certificate locally isn't an option. Are you aware of a manual override? This is the "untrusted issuer" case (maybe it should be "distrusted issuer").
Comment 44 vitorchoi 2015-04-16 15:53:05 PDT Created attachment 8593644 output of $openssl s_client -connect x.x.x.x:443 -showcerts
Comment 45 vitorchoi 2015-04-16 15:55:28 PDT (In reply to David Keeler [:keeler] (use needinfo?)
Comment 38 Claude 2015-04-16 09:04:27 PDT (In reply to E.
The "X509v3 Subject Alternative Name:" is empty on my testing certificate. But my problem comes only after updating on FF36, 35.x worked for me. If I add my internal CA to certificates manager in authorities I'm getting an
Comment 28 Leonard Camacho [:lcamacho] 2015-03-31 14:53:45 PDT Not sure if this is the right bug but when I access on Firefox 37 to this site https://app.siscad.cadivi.gob.ve/ and tried to add exception,
It's looking like we'll have to change how we handle certificates like this, but in the meantime any certificates with that problem can be re-generated with valid extensions
Ryan from comment #37) Hey Ryan, I share your view.
It's looking like we'll have to change how we handle certificates like this, but in the meantime any certificates with that problem can be re-generated with valid extensions
Comment 4 Julien 2015-03-03 01:03:39 PST (In reply to Julien from comment #3)
> Hello
> I'm facing the same problem on a custom internal CA that we use to
M. All of my old exceptions are now not working, and I cannot add new exceptions.
Comment 24 Alfredo Cambera 2015-03-18 12:50:37 PDT (In reply to David Keeler [:keeler] (use needinfo?) from comment #17)
> (In reply to jking from comment #16)
> > So we're currently
Other brands of firewalls, such as WatchGuard, are still working fine (Firefox remembers my exceptions for these).
Comment 23 Will 2015-03-16 14:29:29 PDT I'm wondering if this behavior is the same, since this is also referring to NSS: https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_the_Certificate_Database.html#About_CA_Certificate_Chains "If the certificates contain the SSL-CA bit in the
Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) The page you are trying to view cannot be shown because the authenticity of the received data could not
I get this warning for various self-signed certs, or certs from a non-imported internal CA. The site works fine in IE and Chrome. And hopefully, issues will be solved in the near future.
Migrating the internal CA + the certs to SHA2 has not resolved the issue.
Comment 9 David Keeler [:keeler] (use needinfo?) 2015-03-12 11:04:04 PDT For posterity, the error "sec_error_untrusted_issuer" hasn't been overridable for a while (if it ever was).
request https server, and "add exception" 3.
none of the certificates are installed 2.
There isn't any UI in Firefox itself to make this happen (see bug 585352), but it is possible to use certutil directly on a profile's certificate database to mark an intermediate
Ideally. Couldn't find any newer version on Ubuntu's repositories online.
This error is not overridable because from Firefox's perspective, the user has said "I do not trust this issuer; do not accept certificates it issues". Some certificates (such as WatchGuard firewall self-signed certs) generate the same sec_error_unknown_issuer message, but always can be added without a problem.
then, edit "CA certificate trust settings" then the server certificates shows as verified (when viewing the certificate) as set in the "CA certificate trust settings" Hope that helps C.