
SSL_ERROR_BAD_CERT_ALERT

When opening:
https://hydrogenaud.io
I am unable to use latest Firefox (62.0) and Chrome (69.0.3497.81) browsers getting this error:
SSL_ERROR_BAD_CERT_ALERT
 
Waterfox (56.2.2) works OK though, strange...

Regards

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #1
Problems here too, with Firefox Quantum 62.0 (64bit), error code: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #2
The issue was reproduced on Firefox Quantum 62.0 64bit, Windows 10, IPv4-only internet connection, today 2018/09/07 20:00 JST.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #3
I have been getting the error below since 2018/09/07 20:00 on Firefox Quantum.

The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden.
Error code: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #4
Quote
The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden.
Error code: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

Also occurs on Firefox for Android v 60.0.1, for ca. 5-6 hours now.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #5
The issue should affect all (modern) browsers that have visited the site before and have had the certificate pinning setting cached. For example I have the error on Firefox, Chrome and Vivaldi. I fear the pinned certificate has expired and people who don't know how to remove the cached entry won't be able to visit the site before the pin duration expires.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #6
Is this somehow connected with the global KSK rollover or what?

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #7
Quote
When opening:
https://hydrogenaud.io
I am unable to use latest Firefox (62.0) and Chrome (69.0.3497.81) browsers getting this error:
SSL_ERROR_BAD_CERT_ALERT
Waterfox (56.2.2) works OK though, strange...
Regards

I am getting this on Chrome too. I switched to IE11 and it works fine. Using Chrome, am I going to have to wait for the issue to resolve? Or, does anyone here have some detailed instructions on clearing this up on Chrome?

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #8
According to https://stackoverflow.com/questions/50021339/getting-neterr-ssl-pinned-key-not-in-cert-chain-error-after-certificate-replac

Quote
You don't have to clean the whole browser cache, but you can specifically clean the HPKP header. In Chrome go to: chrome://net-internals/#hsts and clean the specific header belonging to your domain name.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #9
Quote
According to https://stackoverflow.com/questions/50021339/getting-neterr-ssl-pinned-key-not-in-cert-chain-error-after-certificate-replac
Quote
You don't have to clean the whole browser cache, but you can specifically clean the HPKP header. In Chrome go to: chrome://net-internals/#hsts and clean the specific header belonging to your domain name.

Thx. I tried to duplicate what was in the image for GC. I did right-click everywhere and could not find "Normal Reload", "Hard Reload", etc. Any further information?

EDIT: In GC, I copied and pasted: "http://chrome//net-internals/#hsts". Under "Add HSTS/PKP domain", In the Domain field, I added "hydrogenaud.io" and clicked on "Add". It seems to work now. [I am posting this in GC] Would love some feedback on this unnecessarily obtuse process.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #10
We have switched to Let's Encrypt, and thus, the old pinning no longer matches.

This is because the Comodo certificate we were using before expired today at midnight, GMT. I neglected to keep an eye on the certificate expiration, as did Peter, who is likely way more busy than I am. If I'd known two or three weeks in advance, I could have rolled back the HPKP, which had a duration of just over 14 days. I could send out a mass mailing to all the non-banned users, but that would probably be overstepping bounds, and hit a threshold on our mailer service.

For now, Firefox and Mozilla browsers can be cleared out by locating the SiteSecurityServiceState.txt file in your random named profile directory, under AppData\Roaming\Mozilla Firefox, or something like that. It should only be edited while the browser is closed.

As for Chrome, this Linux-related article should also work outside of Linux, since it just involves using chrome:// resources to input and delete a domain.
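
The situation described in Reply #10, modelled as an added example (not code from the forum or its server): a browser that cached an HPKP header keeps enforcing it until max-age runs out, unless the new chain contains a pinned key. The SPKI byte strings, the header and the 15-day max-age are constructed; the page only says the duration was "just over 14 days" and does not say which keys were pinned.

```python
import base64
import hashlib
import re

DAY = 86400

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str):
    """Return (pins, max_age_seconds) from a Public-Key-Pins header value."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
    max_age = re.search(r"max-age=(\d+)", header)
    if not pins or max_age is None:
        raise ValueError("header needs pin-sha256 and max-age")
    return pins, int(max_age.group(1))

def evaluate(cached_header, noted_at, now, chain_spkis):
    """Decision of a browser that last saw `cached_header` at `noted_at`."""
    if cached_header is None:
        return "allowed: no pin cached"      # first-time visitors are unaffected
    pins, max_age = parse_pkp(cached_header)
    if now >= noted_at + max_age:
        return "allowed: pin expired"
    if pins & {spki_pin(s) for s in chain_spkis}:
        return "allowed: pin matched"
    return "blocked: pinning failure"

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
OLD_LEAF, OLD_CA = b"spki:old-leaf", b"spki:old-ca"
NEW_LEAF, NEW_CA = b"spki:new-leaf", b"spki:new-ca"
BACKUP = b"spki:offline-backup-key"

# Constructed header: pins the old CA plus an offline backup key, 15 days.
HEADER = (f'pin-sha256="{spki_pin(OLD_CA)}"; '
          f'pin-sha256="{spki_pin(BACKUP)}"; max-age={15 * DAY}')

def scenarios():
    return {
        "returning visitor, new CA": evaluate(HEADER, 0, 1 * DAY, [NEW_LEAF, NEW_CA]),
        "new cert issued for backup key": evaluate(HEADER, 0, 1 * DAY, [BACKUP, NEW_CA]),
        "returning visitor after max-age": evaluate(HEADER, 0, 16 * DAY, [NEW_LEAF, NEW_CA]),
        "never visited before": evaluate(None, 0, 1 * DAY, [NEW_LEAF, NEW_CA]),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```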

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #11
I can browse to SiteSecurityServiceState.txt in Firefox for android but can't edit it without root. file:///data/data/org.mozilla.firefox/files/mozilla/
Is troll-adiposity coming from feederism?
With 24bit music you can listen to silence much louder!

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #12
I had the problem too, but here is what I did, given the info already reported in here, to fix it on Firefox v62.0 (on Windows 10)...

Close Firefox and then navigate to... C:\Users\*user name*\AppData\Roaming\Mozilla\Firefox\Profiles\*RandomNumbersLetters*.default\ and then find the "SiteSecurityServiceState.txt" file, open it, and remove the entire line you see tied to hydrogenaud.io and then save and exit and reload Firefox and this site works as expected again.

P.S. I had to use Edge browser to come to this site as I was looking for an area to report this and stumbled into this topic.
For music (especially on-the-go)...
-I suggest Opus @ 96kbps (or... 64kbps minimum, 128kbps maximum). *preferred choice*
-I suggest AAC(Apple) @ 96kbps (q45 TVBR) or 128kbps (q64 TVBR). *secondary choice*
-I use Foobar2000 (/w Encoders Pack etc) to convert FLAC to Opus/AAC(Apple).
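
A scripted form of the manual edit in Reply #12, as an added example that is not from the thread: it drops only the HPKP record for one host and leaves that host's HSTS record and every other site untouched. The line layout (tab-separated fields, first field `<host>:<TYPE>`, optionally with a `^...` attribute suffix on the host) is an assumption about SiteSecurityServiceState.txt, and the sample lines are constructed.

```python
import shutil
from pathlib import Path

def drop_hpkp_entries(state_text: str, host: str):
    """Return (new_text, removed_lines); only HPKP records of `host` are dropped."""
    kept, removed = [], []
    for line in state_text.splitlines(keepends=True):
        key = line.split("\t", 1)[0]               # assumed form: "<host>:<TYPE>"
        name, _, kind = key.rpartition(":")
        name = name.split("^", 1)[0]               # ignore any "^attributes" suffix
        if name.lower() == host.lower() and kind == "HPKP":
            removed.append(line)
        else:
            kept.append(line)
    return "".join(kept), removed

def clean_profile(state_file: Path, host: str) -> int:
    """Rewrite the file in place (Firefox must be closed); keeps a .bak copy."""
    text = state_file.read_text(encoding="utf-8")
    new_text, removed = drop_hpkp_entries(text, host)
    if removed:
        shutil.copy2(state_file, state_file.with_name(state_file.name + ".bak"))
        state_file.write_text(new_text, encoding="utf-8")
    return len(removed)

# Constructed sample in the assumed layout; values are placeholders.
SAMPLE = (
    "hydrogenaud.io:HSTS\t0\t17781\t1568000000000,1,0\n"
    "hydrogenaud.io:HPKP\t0\t17781\t1537600000000,1,0,CONSTRUCTEDPIN=\n"
    "nothydrogenaud.io:HPKP\t0\t17781\t1537600000000,1,0,CONSTRUCTEDPIN=\n"
    "example.org:HSTS\t0\t17700\t1560000000000,1,0\n"
)

if __name__ == "__main__":
    cleaned, removed = drop_hpkp_entries(SAMPLE, "hydrogenaud.io")
    print("removed:", [l.split("\t")[0] for l in removed])
    print(cleaned, end="")
```

Matching the host exactly, rather than searching for the string, keeps a look-alike name such as the constructed `nothydrogenaud.io` from being removed as well.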

 

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #13
Quickest solution to this for chrome users:
1. Navigate to hydrogenaud.io
2. Open Devtools (Settings > More Tools > Developer Tools)
3. Now while devtools are open, click and hold the reload button next to the address bar.
4. Choose: Empty cache and hard reload.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #14
Quote
Quickest solution to this for chrome users:
1. Navigate to hydrogenaud.io
2. Open Devtools (Settings > More Tools > Developer Tools)
3. Now while devtools are open, click and hold the reload button next to the address bar.
4. Choose: Empty cache and hard reload.

Thx for the specific instructions! I did this, but what I also did above "seemed" to work. Is there any issue having done both of these?

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #15
I can't access the site from my desktop browser, getting MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

Looks to me like site certificate needs to be refreshed, plz do it.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #16
kode54 confirmed the old pinned certificate has expired. Anyone who doesn't want to wait for the rule to expire has to remove the invalid entry from their browser caches. This thread has instructions for all major browsers.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #17
Windows 7 (x64)
Firefox = SSL_ERROR_BAD_CERT_ALERT
Chrome = ERR_BAD_SSL_CLIENT_AUTH_CERT
IE11 = SSL_ERROR_BAD_CERT_ALERT
Waterfox = OK! :D

I don't have anything tied to hydrogenaud.io in SiteSecurityServiceState.txt
So that solution won't work...
In Chrome using devtools won't work...
I hate IE11 so I won't even bother to try any solution...
So, conclusion;
I'll just stay with Waterfox when visiting this great forum until the certificate issue is solved.

Best regards

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #18
The only way I found for Firefox Android without root to edit the txt file is to set delete website settings when Firefox closes under settings, delete data on exit. It may be called something different, as I only have a German version.
Is troll-adiposity coming from feederism?
With 24bit music you can listen to silence much louder!

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #19
Yes, solution is pretty easy.

Ctrl+Shift+Del : Clear all history (except e-mail and other logins) and you're done.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #20
Quote
The only way I found for Firefox Android without root to edit the txt file is to set delete website settings when Firefox closes under settings, delete data on exit. It may be called something different, as I only have a German version.

You can set option security.cert_pinning.enforcement_level to value 0 in about:config page.
This would disable checking of pinned certificates completely which is not as bad as it sounds.
For example Chrome is going to drop that feature due to issues like with this site.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #21
Quote
I don't have anything tied to hydrogenaud.io in SiteSecurityServiceState.txt

I just checked that file again and I don't see hydrogenaud.io in there either, as doing a search lists nothing. But it was there when I had the problem, and removing it fixed it for me.

So I guess what I initially said might only work if someone happens to have that text in there(?). Until then I guess people will have to try the other stuff others have already mentioned in here.
For music (especially on-the-go)...
-I suggest Opus @ 96kbps (or... 64kbps minimum, 128kbps maximum). *preferred choice*
-I suggest AAC(Apple) @ 96kbps (q45 TVBR) or 128kbps (q64 TVBR). *secondary choice*
-I use Foobar2000 (/w Encoders Pack etc) to convert FLAC to Opus/AAC(Apple).

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #22
Quote
You can set option security.cert_pinning.enforcement_level to value 0 in about:config page.
This would disable checking of pinned certificates completely which is not as bad as it sounds.
For example Chrome is going to drop that feature due to issues like with this site.

If this problem keeps repeating and it becomes annoying it is good to know, thanks.
Is troll-adiposity coming from feederism?
With 24bit music you can listen to silence much louder!

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #23
The problem will expire in less than two weeks, the duration that was originally configured in the TLS settings. HTTPS Public Key Pinning will not be utilized again, no matter the "coveted" "A+" rating on some TLS checker page.

Re: SSL_ERROR_BAD_CERT_ALERT

Reply #24
Quote
The problem will expire in less than two weeks, the duration that was originally configured in the TLS settings. HTTPS Public Key Pinning will not be utilized again, no matter the "coveted" "A+" rating on some TLS checker page.

Amen to that!
