Bug#756101: iceweasel: Cannot add exception for "sec_error_unknown_issuer"
Mike Hommey
mh at glandium.org
Sat Jul 26 09:10:31 UTC 2014
On Sat, Jul 26, 2014 at 10:39:57AM +0200, Frank Lanitz wrote:
> Package: iceweasel
> Version: 31.0-1
> Severity: normal
>
> Dear Maintainer,
>
> With latest updates I'm not able anymore to add an exception for HTTPS if
> iceweasel is not knowing the issuer of an certificate.This is very disturbing
> as e.g. Debian has also removed CAcert from list of certs so even I have the
> fingerprint of the cert of a server, I cannot add them as "ok" without doing
> some workaround via about:config.
>
> I'm only getting
> <domain> uses an invalid security certificate.
> The certificate is not trusted because the issuer certificate is unknown.
> (Error code: sec_error_unknown_issuer)
>
> without any further option than 'Get me out of here!'
If the site in question is using HSTS, this is expected, as it's exactly
how it's supposed to work. For instance, if I go to
https://www.cacert.org/, I go get a sec_error_unknown_issuer, but I get
a "Get me out of here!" button.
On the other hand, see
https://bugzilla.mozilla.org/show_bug.cgi?id=1014387: a couple months ago,
I was getting a sec_error_unknown_issuer without a "Get me out of here!"
on https://panopticlick.eff.org/ because the server wasn't sending an
intermediate certificate and eff.org is HSTS.
(it's fixed now)
I'm pretty sure you're hitting something similar.
Mike
More information about the pkg-mozilla-maintainers
mailing list