HydrogenAudio

Hydrogenaudio Forum => Site Related Discussion => Topic started by: redorb on 2018-09-07 10:52:26

Title: SSL_ERROR_BAD_CERT_ALERT
Post by: redorb on 2018-09-07 10:52:26
When opening:
https://hydrogenaud.io
I am unable to use the latest Firefox (62.0) and Chrome (69.0.3497.81) browsers, getting this error:
SSL_ERROR_BAD_CERT_ALERT

Waterfox (56.2.2) works OK though, strange...

Regards
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: harto69 on 2018-09-07 12:12:24
Problems here too, with Firefox Quantum 62.0 (64bit), error code: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Kamedo2 on 2018-09-07 12:19:09
The issue was reproduced on Firefox Quantum 62.0 64bit, Windows 10, IPv4-only internet connection, today at 2018/09/07 20:00 JST.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Kamedo2 on 2018-09-07 12:22:14
I have been getting the error below since 2018/09/07 20:00 on Firefox Quantum.

The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden.
Error code: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: EpicForever on 2018-09-07 12:39:23
Quote
The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden.
Error code: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

This has also been occurring on Firefox for Android v 60.0.1 for ca. 5-6 hours.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Case on 2018-09-07 12:44:50
The issue should affect all (modern) browsers that have visited the site before and have had the certificate pinning setting cached. For example I have the error on Firefox, Chrome and Vivaldi. I fear the pinned certificate has expired and people who don't know how to remove the cached entry won't be able to visit the site before the pin duration expires.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Rollin on 2018-09-07 15:16:15
Is this somehow connected with the global KSK rollover (https://www.icann.org/resources/pages/ksk-rollover) or what?
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: TheEmpathicEar on 2018-09-07 17:51:12
Quote
When opening:
https://hydrogenaud.io
I am unable to use the latest Firefox (62.0) and Chrome (69.0.3497.81) browsers, getting this error:
SSL_ERROR_BAD_CERT_ALERT
Waterfox (56.2.2) works OK though, strange...
Regards

I am getting this on Chrome too. I switched to IE11 and it works fine. Using Chrome, am I going to have to wait for the issue to resolve? Or, does anyone here have some detailed instructions on clearing this up on Chrome?
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: lvqcl on 2018-09-07 18:20:53
According to https://stackoverflow.com/questions/50021339/getting-neterr-ssl-pinned-key-not-in-cert-chain-error-after-certificate-replac

Quote
You don't have to clean the whole browser cache, but you can specifically clean the HPKP header. In Chrome go to: chrome://net-internals/#hsts and clean the specific header belonging to your domain name
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: TheEmpathicEar on 2018-09-07 18:58:21
Quote
According to https://stackoverflow.com/questions/50021339/getting-neterr-ssl-pinned-key-not-in-cert-chain-error-after-certificate-replac
Quote
You don't have to clean the whole browser cache, but you can specifically clean the HPKP header. In Chrome go to: chrome://net-internals/#hsts and clean the specific header belonging to your domain name

Thx. I tried to duplicate what was in the image for GC. I did right-click everywhere and could not find "Normal Reload", "Hard Reload", etc. Any further information?

EDIT: In GC, I copied and pasted: "http://chrome//net-internals/#hsts". Under "Add HSTS/PKP domain", in the Domain field, I added "hydrogenaud.io" and clicked on "Add". It seems to work now. [I am posting this in GC] Would love some feedback on this unnecessarily obtuse process.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: kode54 on 2018-09-07 23:15:27
We have switched to Let's Encrypt, and thus, the old pinning no longer matches.

This is because the Comodo certificate we were using before expired today at midnight, GMT. I neglected to keep an eye on the certificate expiration, as did Peter, who is likely way more busy than I am. If I'd known two or three weeks in advance, I could have rolled back the HPKP, which had a duration of just over 14 days. I could send out a mass mailing to all the non-banned users, but that would probably be overstepping bounds, and hit a threshold on our mailer service.

For now, Firefox and Mozilla browsers can be cleared out by locating the SiteSecurityServiceState.txt file in your randomly named profile directory, under AppData\Roaming\Mozilla Firefox, or something like that. It should only be edited while the browser is closed.

As for Chrome, this Linux-related article (https://linux-audit.com/delete-a-hsts-key-pin-in-chrome/) should also work outside of Linux, since it just involves using chrome:// resources to input and delete a domain.
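
Added example, not part of the thread or the site's configuration: a sketch of how a browser evaluates a cached HPKP pin set under RFC 7469, showing why the certificate swap described above locks out returning visitors until max-age runs out. The SPKI byte strings and the 15-day max-age are constructed stand-ins; the backup-key case goes beyond what the post describes.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str):
    """Return (set of pin-sha256 values, max-age in seconds) from a PKP header value."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
    m = re.search(r"max-age=(\d+)", header)
    return pins, int(m.group(1)) if m else 0

def evaluate(cached_pins, noted_at, max_age, chain_spkis, now):
    """Mimic the browser's decision for a host whose pin set is already cached."""
    if now >= noted_at + max_age:
        return "ok: pin expired, policy dropped"
    if cached_pins & {spki_pin(s) for s in chain_spkis}:
        return "ok: chain matches pin"
    return "blocked: pinning failure"

# Constructed stand-ins for DER-encoded SPKI blobs (not real keys).
OLD_LEAF, OLD_CA, BACKUP_KEY = b"old-leaf-spki", b"old-ca-spki", b"offline-backup-spki"
NEW_LEAF, NEW_CA = b"new-leaf-spki", b"new-ca-spki"

DAY = 86400
# Constructed header: current leaf key plus one backup pin, 15-day lifetime.
HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=%d' % (
    spki_pin(OLD_LEAF), spki_pin(BACKUP_KEY), 15 * DAY)

def scenarios():
    pins, max_age = parse_pkp(HEADER)
    noted = 0  # time of the last visit at which the header was observed
    return {
        "old chain": evaluate(pins, noted, max_age, [OLD_LEAF, OLD_CA], 1 * DAY),
        "new CA, new key": evaluate(pins, noted, max_age, [NEW_LEAF, NEW_CA], 1 * DAY),
        "new CA, backup key": evaluate(pins, noted, max_age, [BACKUP_KEY, NEW_CA], 1 * DAY),
        "new key after max-age": evaluate(pins, noted, max_age, [NEW_LEAF, NEW_CA], 16 * DAY),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22s} {verdict}")
```

Only the "new CA, new key" case is blocked: a certificate issued for a key that is already in the pin set passes regardless of which CA signed it.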
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Wombat on 2018-09-07 23:48:43
I can browse to SiteSecurityServiceState.txt in Firefox for Android but can't edit it without root. file:///data/data/org.mozilla.firefox/files/mozilla/
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: ThaCrip on 2018-09-08 00:26:38
I had the problem too, but here is what I did, given the info already reported in here, to fix it on Firefox v62.0 (on Windows 10)...

Close Firefox and then navigate to... C:\Users\*user name*\AppData\Roaming\Mozilla\Firefox\Profiles\*RandomNumbersLetters*.default\ and then find the "SiteSecurityServiceState.txt" file, open it, and remove the entire line you see tied to hydrogenaud.io and then save and exit and reload Firefox and this site works as expected again.

P.S. I had to use Edge browser to come to this site as I was looking for an area to report this and stumbled into this topic.
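
Added example, not part of the thread: a small script for the manual edit described in the post above, which removes only the HPKP entry for one host from SiteSecurityServiceState.txt and leaves its HSTS entry in place. The line layout (tab-separated fields, first field `host:TYPE` with an optional `^...` suffix on the host) is an assumption about the file format, and the sample content is constructed.

```python
from pathlib import Path

def drop_host_entries(text: str, host: str, kind: str = "HPKP"):
    """Return (kept_text, removed_lines) after dropping `kind` entries for `host`."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        key = line.split("\t", 1)[0]                 # assumed form: "hydrogenaud.io:HPKP"
        host_part, _, entry_kind = key.rpartition(":")
        entry_host = host_part.split("^", 1)[0]      # strip any "^..." suffix
        match = entry_host.lower() == host.lower() and entry_kind == kind
        (removed if match else kept).append(line)
    return "".join(kept), removed

def clean_profile(profile_dir: str, host: str) -> int:
    """Rewrite the file in a profile directory; run only while Firefox is closed."""
    path = Path(profile_dir) / "SiteSecurityServiceState.txt"
    original = path.read_bytes().decode("utf-8")     # bytes I/O keeps line endings
    cleaned, removed = drop_host_entries(original, host)
    if removed:
        # Keep a backup next to the file before overwriting it.
        path.with_name(path.name + ".bak").write_bytes(original.encode("utf-8"))
        path.write_bytes(cleaned.encode("utf-8"))
    return len(removed)

# Constructed sample content; the numbers and pin values are made up.
SAMPLE = (
    "example.org:HSTS\t3\t17780\t1568000000000,1,0\n"
    "hydrogenaud.io:HPKP\t5\t17781\t1537500000000,1,0,AAAA=BBBB=\n"
    "hydrogenaud.io:HSTS\t5\t17781\t1568000000000,1,1\n"
    "nothydrogenaud.io:HSTS\t1\t17700\t1568000000000,1,0\n"
)

if __name__ == "__main__":
    cleaned, removed = drop_host_entries(SAMPLE, "hydrogenaud.io")
    print("removed:", [r.split("\t", 1)[0] for r in removed])
    print(cleaned, end="")
```

Matching on the exact host rather than a substring keeps entries for look-alike names such as `nothydrogenaud.io` untouched.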
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: thecircusfreak on 2018-09-08 00:47:07
Quickest solution to this for Chrome users:
1. Navigate to hydrogenaud.io
2. Open Devtools (Settings > More Tools > Developer Tools)
3. Now while devtools are open, click and hold the reload button next to the address bar.
4. Choose: Empty cache and hard reload.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: TheEmpathicEar on 2018-09-08 03:59:24
Quote
Quickest solution to this for Chrome users:
1. Navigate to hydrogenaud.io
2. Open Devtools (Settings > More Tools > Developer Tools)
3. Now while devtools are open, click and hold the reload button next to the address bar.
4. Choose: Empty cache and hard reload.

Thx for the specific instructions! I did this, but what I also did above "seemed" to work. Is there any issue having done both of these?
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Anakunda on 2018-09-08 07:46:13
I can't access the site from my desktop browser, getting MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

Looks to me like the site certificate needs to be refreshed, plz do it.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Case on 2018-09-08 08:12:39
kode54 confirmed the old pinned certificate has expired. Anyone who doesn't want to wait for the rule to expire has to remove the invalid entry from their browser caches. This thread has instructions for all major browsers.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: redorb on 2018-09-08 10:42:11
Windows 7 (x64)
Firefox = SSL_ERROR_BAD_CERT_ALERT
Chrome = ERR_BAD_SSL_CLIENT_AUTH_CERT
IE11 = SSL_ERROR_BAD_CERT_ALERT
Waterfox = OK! :D

I don't have anything tied to hydrogenaud.io in SiteSecurityServiceState.txt
So that solution won't work...
In Chrome using devtools won't work...
I hate IE11 so I won't even bother to try any solution...
So, conclusion;
I'll just stay with Waterfox when visiting this great forum until the certificate issue is solved.

Best regards
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Wombat on 2018-09-08 15:43:08
The only way I found for Firefox Android without root to edit the txt file is to set delete website settings when Firefox closes under settings, delete data on exit. It may be called something different, as I only have a German version.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: IgorC on 2018-09-08 16:33:07
Yes, solution is pretty easy.

Ctrl+Shift+Del : Clear all history (except e-mail and other logins) and you're done.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: hyperblast on 2018-09-08 17:20:02
Quote
The only way I found for Firefox Android without root to edit the txt file is to set delete website settings when Firefox closes under settings, delete data on exit. It may be called something different, as I only have a German version.

You can set option security.cert_pinning.enforcement_level to value 0 in about:config page.
This would disable checking of pinned certificates completely which is not as bad as it sounds.
For example Chrome is going to drop that feature (https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ) due to issues like with this site.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: ThaCrip on 2018-09-08 17:36:45
Quote
I don't have anything tied to hydrogenaud.io in SiteSecurityServiceState.txt

I just checked that file again and I also don't see hydrogenaud.io in there, as doing a search lists nothing. But it was there when I had the problem, and removing it fixed it for me.

So I guess what I initially said might only work if someone happens to have that text in there(?). Until then, I guess people will have to try the other stuff others have already mentioned in here.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Wombat on 2018-09-08 20:11:29
Quote
You can set option security.cert_pinning.enforcement_level to value 0 in about:config page.
This would disable checking of pinned certificates completely which is not as bad as it sounds.
For example Chrome is going to drop that feature (https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ) due to issues like with this site.

If this problem keeps repeating and it becomes annoying it is good to know, thanks.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: kode54 on 2018-09-09 01:12:30
The problem will expire in less than two weeks, the duration that was originally configured in the TLS settings. HTTPS Public Key Pinning will not be utilized again, no matter the "coveted" "A+" rating on some TLS checker page.
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: TheEmpathicEar on 2018-09-09 04:02:21
Quote
The problem will expire in less than two weeks, the duration that was originally configured in the TLS settings. HTTPS Public Key Pinning will not be utilized again, no matter the "coveted" "A+" rating on some TLS checker page.

Amen to that!
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Roseval on 2018-09-10 16:14:51
Quote
Quickest solution to this for Chrome users:
1. Navigate to hydrogenaud.io
2. Open Devtools (Settings > More Tools > Developer Tools)
3. Now while devtools are open, click and hold the reload button next to the address bar.
4. Choose: Empty cache and hard reload.

Thanks!
Title: Re: SSL_ERROR_BAD_CERT_ALERT
Post by: Nikaki on 2018-09-11 17:48:50
Or just clean your browser's cache. Keep cookies, history, entries, etc. Just select cache data and clean it.