SwartPerel

Certificate Issues for Firefox 74.0 64bit


I am finding that Firefox 74.0 64bit (& some earlier versions too) does not recognise the certificate issued by ESET & this seems to cause broken websites in, e.g. the BBC Channels & pages domain. I wondered whether others are having this problem, and whether ESET has submitted its certificates to Mozilla yet. BBC.com etc., usually hides images in particular, but also video links. I have granted the websites all the necessary permissions, but I get "Connection verified by a certificate issuer that is not recognised by Mozilla." Any ideas?


https://support.umbrella.com/hc/en-us/articles/115000669728-Configuring-Firefox-to-use-the-Windows-Certificate-Store

  • In Firefox, type 'about:config' in the address bar
  • If prompted, accept any warnings
  • Right-click to create a new boolean value, and enter 'security.enterprise_roots.enabled' as the Name
  • Set the value to 'true'


Thanks Marcos,

I notice that I have already created this value, and set it to 'true' - I can't remember when I did this, but it may have been early last year. But this problem still remains :(

47 minutes ago, SwartPerel said:

I have granted the websites all the necessary permissions, but I get "Connection verified by a certificate issuer that is not recognised by Mozilla." Any ideas?

If you are referring to what is displayed when you mouse click on the lock symbol per the below screen shot, this is normal behavior. This wording indicates that Eset's certificate is intercepting SSL/TLS communication:

[Screenshots: Eset_Firefox.png, Eset_cert.png]

Edited by itman


Eset's certificate should have been added to FireFox's Authorities root CA store automatically:

[Screenshot: FireFox.png]

Quote

Eset's certificate should have been added to FireFox's Authorities root CA store automatically:

As of Internet protection module 1395, this won't be true any more.


How do I import ESET's certificate? I can see it when I inspect Page Info, but the only option appears to be to download the pem file. And would this fix the broken websites like those in the BBC domain list?

7 hours ago, Marcos said:

As of Internet protection module 1395, this won't be true any more.

Since I have this module, I did the following:

1. Deleted Eset's root CA store certificate from Firefox's Authorities certificate store.

2. Shutdown FireFox. Restarted FireFox.

Zip issues on any HTTPS web site where Eset's root CA store certificate is being used.

Next via about:config, checked the status of security.enterprise_roots.enabled. Note that I had not previously entered this value manually. See the below screen shot:

[Screenshot: Firefox_Eset_Cert.png]

Note the lock symbol? Appears this is something FireFox creates internally to prevent modification of that setting?

Finally, note the two highlighted security.disable settings. I believe the highlighting indicates a change from default value which I assume is "true." Again, this is something FireFox did internally; or perhaps by my manually accessing those via Firefox security options; or Eset did prior to module 1395?

What I am speculating is that perhaps user manual entry of security.enterprise_roots.enabled is what is the OP's problem? That perhaps it is interfering/overriding Firefox's like created setting?

Edited by itman


It seems that once the security.enterprise_roots.enabled is created, Firefox automatically locks it - you'll see from my screenshot that my set-up is the same.

[Screenshot: Firefox-aboutconfig-security.jpg]

So no I don't know why this is happening :(

Also ESET's certificate does not appear in the Firefox's Authorities certificate store, so I could delete it. It may be why I'm having this problem? I also cannot find ESET's certificate in the Program Files or ProgramData folders, so wonder if it is included in a DLL?

Thanks for the input, but still no solution.


First suggestion is to use GPO ( https://github.com/mozilla/policy-templates/releases ) or Enterprise Policy Generator add-on by Sören Hentzschel to manage security settings (so Mozz can't override user preferences), the second is to use ESR releases to avoid these kinds of issues.
Try disabling/re-enabling the preference "Add the root certificate to known browsers" under "web and mail"-"ssl-tls" and check if the Eset cert has been added to the browser. (Just tested with ESR and it works.)
Check also for "security.certerrors.mitm.auto_enable_enterprise_roots" (true) https://support.mozilla.org/en-US/kb/how-disable-enterprise-roots-preference
 


Well, that has worked, thank you Enrico. For some odd reason the Add the root certificate etc. setting had been switched off - perhaps in one of the regular updates! At any rate, it all seems to work now. Mind you, I've only tested a couple of troublesome websites, but the certificate now appears in the Firefox's Authorities certificate store. Thanks again :)

5 minutes ago, SwartPerel said:

Also ESET's certificate does not appear in the Firefox's Authorities certificate store, so I could delete it. It may be why I'm having this problem? I

Based on your screen shot, you don't need to add Eset's root CA certificate to FireFox's Authorities certificate because by default, FireFox will look for it in the Windows root CA certificate store. Therefore, the next thing is to verify that Eset's certificate exists there and is a valid certificate. Do the following:

1. Enter certmgr.msc in your desktop search window.

2. Open certmgr.

3. Verify that the Eset certificate exists in Windows Trusted Root Certification Authority per the below screen shot:

[Screenshot: Eset_root_CA.png]

 

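The checks described in this post and earlier in the thread, as an added example that is not part of the original posts and is not ESET's or Mozilla's code: a read-only PowerShell script that lists roots in the Windows Trusted Root stores whose Subject contains "ESET", and shows how each Firefox profile sets the two enterprise-roots preferences named in the thread. The "ESET" match string and the default profile location under %APPDATA% are assumptions; portable builds keep their profiles elsewhere.

```powershell
# Added read-only diagnostic (not ESET or Mozilla code); it changes nothing.
# Assumption: the ESET interception root has "ESET" in its Subject.
$Match = '*ESET*'

# 1. Matching roots in the Windows Trusted Root stores (the certmgr.msc view).
#    The CurrentUser view may also show machine-wide roots, so de-duplicate
#    by thumbprint before counting.
$roots = @(Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $Match } |
    Sort-Object Thumbprint -Unique |
    Sort-Object NotBefore)

$roots | Format-Table Subject, Thumbprint, NotBefore, NotAfter,
    @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } -AutoSize

if ($roots.Count -eq 0) {
    Write-Warning 'No matching root in the Windows Trusted Root store.'
} elseif ($roots.Count -gt 1) {
    Write-Warning "$($roots.Count) matching roots installed; compare thumbprints with the issuer certificate Firefox shows in Page Info."
}

# 2. How each default-location Firefox profile sets the two prefs named in
#    the thread. A pref locked by policy or autoconfig is not written to
#    prefs.js, so "(not set here)" does not mean it is off.
$prefs = 'security.enterprise_roots.enabled',
         'security.certerrors.mitm.auto_enable_enterprise_roots'
$profiles = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction SilentlyContinue
foreach ($dir in $profiles) {
    foreach ($file in 'prefs.js', 'user.js') {
        $path = Join-Path $dir.FullName $file
        if (-not (Test-Path $path)) { continue }
        foreach ($name in $prefs) {
            # Quote the name so only the exact pref matches; keep the last entry.
            $hit = Select-String -Path $path -SimpleMatch -Pattern "`"$name`"" |
                Select-Object -Last 1
            $setting = if ($hit) { $hit.Line.Trim() } else { '(not set here)' }
            [pscustomobject]@{
                Profile = $dir.Name
                File    = $file
                Pref    = $name
                Setting = $setting
            }
        }
    }
}
```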

Have done as you suggested, itman, screenshot below. Does the fact matter that I have three certificates from ESET, and none are as recent as yours? I should mention that I have a current licence of ESET, due to be renewed, within the next week I think, so presumably will get an updated certificate.

30 minutes ago, SwartPerel said:

Have done as you suggested, itman, screenshot below. Does the fact matter that I have three certificates from ESET, and none are as recent as yours? I should mention that I have a current licence of ESET, due to be renewed, within the next week I think, so presumably will get an updated certificate.

That could be the issue since I don't know what Eset certificate Firefox would use when multiple ones exist now that it is deferring to the Windows root CA certificate store.

When Eset is installed, it adds its certificate included within the installer to the Windows root CA certificate store. Likewise when Eset is uninstalled, it is supposed to delete its certificate from the Windows root CA certificate store. Note that an Eset in-product upgrade does not replace the original Eset Windows root CA certificate. However, I believe an off-line download and install on top of existing Eset installation will install a new Eset certificate. This is how most likely you ended up with multiple Eset certificates in the Windows root CA certificate store.

Edited by itman


Thanks, itman, Well, I'll see when the licence is renewed. I wonder whether it is safe to delete the older certificates? I don't see why it should cause any issues, as long as Firefox is closed and ESET isn't trying to update.

1 minute ago, SwartPerel said:

I wonder whether it is safe to delete the older certificates?

At this point, it makes no difference since you have added Eset's root CA certificate to FireFox's Authorities store. Note that by default, FireFox will search there for a certificate. If not found, it then will search in the Windows root CA certificate store. Just realize that it appears Eset is now no longer updating FireFox's Authorities store at installation time. Or for that matter, after Eset installation via prior stated update methods.

Appears your issue was related to this:

Quote

Starting with Firefox version 68, when a TLS connection error occurs Firefox will automatically enable the Enterprise Roots preference and attempts to connect again. If the issue is resolved, then the Enterprise Roots preference remains enabled. However, you may want to disable this behavior, so this article explains how to do just that without compromising security.


Thanks, itman; that was probably the cause of the problem. Many thanks.


One thing that needs noting as far as Internet protection module 1395.

It has a date of 3/31/2020 associated with it. So unless you have this module in your Eset installation, Eset's root CA certificate still needs to be installed in FireFox's Authorities certificate store.


My certificate isn't working on Firefox either. Everything seems to be set nicely. Tried enabling, re-enabling these configs but still the same. I also have another app named Phyrox which is an unofficial portable version of Firefox. It's not working there anymore either. This is a new installation of the newly released version of Eset. Working in other browsers but not in any Firefox-based one.

[Screenshots: 1.PNG, 2.PNG, 3.PNG, 4.PNG]


I managed to install the certificate in Firefox, through ESET, and it appears to be working, but the Internet Protection Module is only 1388.1, dated Feb 19th. My licence will auto renew on April 6th, so perhaps it will be updated then. I ran update again, but will have to check after restart for module update.


Well I just noticed these logs in events section. It occurs if I disable and then enable the option "Add root certificate to all known browser"

[Screenshot: 1.PNG]

Edited by SeriousHoax

1 hour ago, SeriousHoax said:

My certificate isn't working on Firefox either. Everything seems to be set nicely.

Check the Eset cert. in Firefox and verify it's OK. Then mouse click on Edit Trust tab and verify that it's set to identify web sites.


If "worse comes to worst," you can always switch to pre-release updates. Ver. 13.1.24 should then be available for update. Appears ver. 13.1.24 contains Internet protection module 1395.

5 minutes ago, itman said:

Check the Eset cert. in Firefox and verify it's OK. Then mouse click on Edit Trust tab and verify that it's set to identify web sites.

I think it's necessary to do this only when it's manually imported to Firefox certificate store. With the "enterprise_root...." config automatically enabled by Eset, Firefox uses windows store certificates. Anyway, I just did that too but still not working.

