Certificate Issues for Firefox 74.0 64bit

[SwartPerel 0]

I am finding that Firefox 74.0 64bit (& some earlier versions too), do not recognise the certificate issued by ESET & this seems to cause broken websites in, e.g. the BBC Channels & pages domain. I wondered whether others are having this problem, and whether ESET has submitted its certificates to Mozilla yet. BBC.com etc., usually hides images in particular, but also video links. I have granted the websites all the necessary permissions, but I get "Connection verified by a certificate issuer that is not recognised by Mozilla." Any ideas?

[Marcos 5,074]

https://support.umbrella.com/hc/en-us/articles/115000669728-Configuring-Firefox-to-use-the-Windows-Certificate-Store

• In Firefox, type 'about:config' in the address bar
• If prompted, accept any warnings
• Right-click to create a new boolean value, and enter 'security.enterprise_roots.enabled' as the Name
• Set the value to 'true'

[SwartPerel 0]

Thanks Marcos,

I notice that I have already created this value, and set it to 'true' - I can't remember when I did this, but it may have been early last year. But this problem still remains

[itman 1,659]

47 minutes ago, SwartPerel said:

I have granted the websites all the necessary permissions, but I get "Connection verified by a certificate issuer that is not recognised by Mozilla." Any ideas?

If you are referring to what is displayed when you mouse click on the lock symbol per the below screen shot, this is normal behavior. This wording indicates that Eset's certificate is intercepting SSL/TLS communication:

Edited April 2, 2020 by itman

[itman 1,659]

Eset's certificate should have been added to FireFox's Authorities root CA store automatically:

[Marcos 5,074]

Quote

Eset's certificate should have been added to FireFox's Authorities root CA store automatically:

As of Internet protection module 1395, this won't be true any more.

[SwartPerel 0]

How do I import ESET's certificate? I can see it when I inspect Page Info, but the only option appears to be to download the pem file. And would this fix the broken websites like those in the BBC domain list?

[itman 1,659]

7 hours ago, Marcos said:

As of Internet protection module 1395, this won't be true any more.

Since I have this module, I did the following:

1. Deleted Eset's root CA store certificate from Firefox's Authorities certificate store.

2. Shutdown FireFox. Restarted FireFox.

Zip issues on any HTTPS web site where Eset's root CA store certificate is being used.

Next via about:config, checked the status of security.enterprise_roots.enabled. Note that I had not previously entered this value manually. See the below screen shot:

Note the lock symbol? Appears this is something FireFox creates internally to prevent modification of that setting?

Finally, note the two highlighted security.disable settings. I believe the highlighting indicates a change from default fault which I assume is "true." Again, this is something FireFox did internally; or perhaps by my manually accessing those via Firefox security options; or Eset did prior to module 1395?

What I am speculating is that perhaps user manual entry of security.enterprise_roots.enabled is what is the OP's problem? That perhaps it is interfering/overriding Firefox's like created setting?

Edited April 3, 2020 by itman

[SwartPerel 0]

It seems that once the security.enterprise_roots.enabled is created, Firefox automatically locks it - you'll from my screenshot that my set-up is the same.

So no I don't know why this is happening

Also ESET's certificate does not appear in the Firefox's Authorities certificate store, so I could delete it. It may be why I'm having this problem? I also cannot find ESET's certificate in the Program Files or ProgramData folders, so wonder if it is included in a DLL?

Thanks for the input, but still no solution.

[Enrico 3]

First suggestion is to use GPO ( https://github.com/mozilla/policy-templates/releases ) or Enterprise Policy Generator add-on by Sören Hentzschel for manage security settings (so Mozz can't override user preferences), the second is to use ESR releases to avoid this kind of issues.
Try disable/re-enable the preference "Add the root certificate to known browsers" under "web and mail"-"ssl-tls" and check if Eset cert has been added to the browser. (just tested with ESR and it works)
Check also for "security.certerrors.mitm.auto_enable_enterprise_roots" (true) https://support.mozilla.org/en-US/kb/how-disable-enterprise-roots-preference
 

[SwartPerel 0]

Well, that has worked, thank you Enrico. For some odd reason the Add the root certificate etc. setting had been switched off - perhaps in one of the regular updates! At any rate, it all seems to work now. Mind you, I've only tested a couple of troublesome webites, but the certificate now appears in the Firefox's Authorities certificate store. Thanks again

[itman 1,659]

5 minutes ago, SwartPerel said:

Also ESET's certificate does not appear in the Firefox's Authorities certificate store, so I could delete it. It may be why I'm having this problem? I

Based on your screen shot, you don't need to add Eset's root CA certificate to FireFox's Authorities certificate because by default, FireFox will look for it in the Windows root CA certificate store. Therefore, the next thing is to verify that Eset's certificate exists there and is a valid certificate. Do the following:

1. Enter certmgr.msc in the your desktop search window.

2. Open certmgr.

3. Verify that the Eset certificate exists in Windows Trusted Root Certification Authority per the below screen shot:

 

[SwartPerel 0]

Have done as you suggested, itman, screenshot below. Does the fact matter that I have three certificates from ESET, and none are as recent as yours? I should mention that I have a current licence of ESET, due to be renewed, within the next week I think, so presumably will get an updated certificate.

[itman 1,659]

30 minutes ago, SwartPerel said:

Have done as you suggested, itman, screenshot below. Does the fact matter that I have three certificates from ESET, and none are as recent as yours? I should mention that I have a current licence of ESET, due to be renewed, within the next week I think, so presumably will get an updated certificate.

That could be the issue since I don't know what Eset certificate Firefox would use when multiple ones exist now that it is deferring to the Windows root CA certificate store.

When Eset is installed, it adds its certificate included within the installer to the Windows root CA certificate store. Likewise when Eset is uninstalled, it is supposed to delete its certificate from the Windows root CA certificate store. Note that an Eset in-product upgrade does not replace the original Eset Windows root CA certificate. However, I believe an off-line download and install on top of existing Eset installation will install a new Eset certificate. This is how most likely you ended up with multiple Eset certificates in the Windows root CA certificate store.

Edited April 3, 2020 by itman

[SwartPerel 0]

Thanks, itman, Well, I'll see when the licence is renewed. I wonder whether it is safe to delete the older certificates? I don't see why it should cause any issues, as long as Firefox is closed and ESET isn't trying to update.

[itman 1,659]

1 minute ago, SwartPerel said:

I wonder whether it is safe to delete the older certificates?

At this point, it makes no difference since you have added Eset's root CA certificate to FireFox's Authorities store. Note that by default, FireFox will search there for a certificate. If not found, it then will search in the Windows root CA certificate store. Just realize that it appears Eset is now no longer updating FireFox's Authorities store at installation time. Or for that matter, after Eset installation via prior stated update methods.

Appears your issue was related to this:

Quote

Starting with Firefox version 68, when a TLS connection error occurs Firefox will automatically enable the Enterprise Roots preference and attempts to connect again. If the issue is resolved, then the Enterprise Roots preference remains enabled. However, you may want to disable this behavior, so this article explains how to do just that without compromising security.

[SwartPerel 0]

Thanks, itman; that was probably the cause of the problem. Many thanks.

[itman 1,659]

One thing that needs noting as far as Internet protection module 1395.

It has a date of 3/31/2020 associated with it. So unless you have this module in your Eset installation, Eset's root CA certificate still needs to be installed in FireFox's Authorities certificate store.

[SeriousHoax 83]

My certificate isn't working on Firefox either. Everything seems to set nicely. Tried enabling, re-enabling this configs but still same. I also have another app named Phyrox which is an unofficial portable version of Firefox. It's not working there anymore either. This is a new installation of the newly released version of Eset. Working in other browser but not in any Firefox based one.

[SwartPerel 0]

I managed to install the certificate in Firefox, through ESET, and it appears to be working, but the Internet Protection Module is only 1388.1, dated Feb 19th. My licence will auto renew on April 6th, so perhaps it will be updated then. I ran update again, but will have to check after restart for module update.

[SeriousHoax 83]

Well I just noticed these logs in events section. It occurs if I disable and then enable the option "Add root certificate to all known browser"

Edited April 3, 2020 by SeriousHoax

[itman 1,659]

1 hour ago, SeriousHoax said:

My certificate isn't working on Firefox either. Everything seems to set nicely.

Check the Eset cert. in Firefox and verify its OK. Then mouse click on Edit Trust tab and verify that its set to identify web sites.

[itman 1,659]

If "worse comes to worst," you can always switch to pre-release updates. Ver. 13.1.24 should then be available for update. Appears ver. 13.1.24 contains Internet protection module 1395.

[SeriousHoax 83]

5 minutes ago, itman said:

Check the Eset cert. in Firefox and verify its OK. Then mouse click on Edit Trust tab and verify that its set to identify web sites.

I think it's necessary to do this only when it's manually imported to Firefox certificate store. With the "enterprise_root...." config automatically enabled by Eset, Firefox uses windows store certificates. Anyway, I just did that too but still not working.

[SeriousHoax 83]

I'm attaching the logs. Maybe Marcos can have a look and identify the issue.

eis_logs.zip