Security Error in Mozilla Firefox with Corporate Internal Servers

Submitted by fishfin on Sat, 01/12/2019 - 03:59

Disclaimer: I am not a Windows, browser, or security expert, but have reasonable understanding on the topics. The solutions discussed here are provided in good faith.

Warning: Read the long article if you want to understand the real problem, or jump to the fix straight away.


If you have seen a security error/warning in Firefox (v55+) lately, while accessing a corporate internal server (see sample snapshot below), you might want to go through this whole article. Note: Even if you have Firefox v55+, you may not have faced this issue, it happens only in certain cases. Read on...

Firefox Error

What this Article is not about

Security error/warning in Firefox because of self-signed certificates, server name mismatch, expired certificates and such.

Background

  1. A Corporate Internal Server will typically have a digital certificate chain that is: the specific server certificate, issued by a Corporate Internal Intermediate CA or a Corporate Internal Root CA.
  2. The client machine (in this case, your machine) will already the Corporate Internal Intermediate/Root CA certificate installed in the OS, which means it is 'trustworthy'.
  3. If there is an Internal Intermediate CA, its digital certificate will be issued by a Corporate Internal Root CA. This certificate will also be already installed in your corporate laptop/workstation.
  4. In short, the Corporate Internal Intermediate and Root CA certificates can be found installed by default in the corporate laptops/workstations, these certificates do not exist by default on non-corporate machines, they need to be manually installed if you are using a BYOD - Bring Your Own Device (outside the scope of this discussion).
  5. Inspite of the Corporate Intermediate and Root CA certificates being installed, new versions of Firefox display the security error on corporate Windows machines.

Checks and Balances

First make sure that this is really the problem by following the steps below:

  1. Press Win+R, then type certmgr.msc to open the Windows Certificate Manager.
  2. Make sure you locate Trusted Root Certification Authorities > Certificates > Corporate Internal Root CA, and Intermediate Certification Authorities > Certificates > Corporate Internal Intermediate CA.
    Enterprise Certificates
  3. If one of these certificates is missing, your problem is something else, sorry!

  4. To make sure of the server certificate, on the Firefox error/warning panel, click 'Advanced', then click 'Add Exception...'. Stop, do not click 'Confirm Security Exception' that is not going to permanently solve the problem. To view the certificate, click 'View...', verify that 'Issued To > Common Name' is exactly the same as the host.domain you are trying to connect to, and that 'Issued By > Common Name' is your Corporate Internal Intermediate or Root CA.
    Certificate Details

    If this is not the case, you will need to look elsewhere for a solution.

  5. As a bonus check (but not mandatory), visit the exact same URL in Internet Explorer, Microsoft Edge or Chrome, you should not have any certificate error. (This issue is very specific to Firefox 55+).

So, What's Cooking?

Beginning Firefox 55 (circa end of 2017), there were numerous security changes in the browser. One of the changes was, Firefox stopped accessing trusted certificates from the Windows OS (to stop sites from getting access to the Windows certificate store?). Firefox has its own set of trusted certificate store (though I am not sure where exactly, it is probably a file %APPDATA%/Mozilla/Firefox/cert*.db) which it trusts, and this takes care of the standard CAs of the world (which are usually also present in the Windows certificates store). But of course, it does not contain the IBM Internal CA certificates.

If you were initially on a previous version of Firefox (e.g. 54), and had accessed a site whose issuer was not in Firefox certificate store, but was present in the Windows certificate store, based on my experiments, it seems that Firefox stores a reference to the issuer certificate in the user's Firefox profile (at C:\Users\user_name\AppData\Roaming\Mozilla\Firefox\Profiles\*.default). If now you updated and upgraded to Firefox 55, even though the new version stopped reading the Windows certificate store, because the issuer certificate is already 'marked' in the profile, Firefox is fine with it, and shows no errors or warning.

However, if you installed Firefox 55+ for the first time ever, OR you upgraded to Firefox 55+ and have never visited a site with a certificate chain not in Firefox's certificate chain, but now accessing it, you will face this issue.

A More Complex Problem

Assuming you have this problem, consider the following case, which demonstrates how it can quickly escalate the problem without the slightest clue to the end-user.

Assume there are two servers in the system - srv1.corpdomain.com and srv2.corpdomain.com, both have the certificate chains as follows:

  • srv1.corpdomain.com certificate > Internal Intermediate CA certificate (optional) > Internal Root CA certificate
  • srv2.corpdomain.com certificate > Internal Intermediate CA certificate (optional) > Internal Root CA certificate

Lets say the end-user visits https://srv1.corpdomain.com/demo from Firefox which he has installed for the first time ever on his IBM machine, and this version is 55+. He will get a security error/warning on the intermediate certificate. He goes to 'Advanced', and marks it as a permanent exception to trust this certificate.

The demo page loads. Now assume that the demo page has AJAX/XHR (asynchronous loading, which does not require a page refresh) call to the URL https://srv2.corpdomain.com/asyncfetch. This URL will have exactly the same security error/warning under the covers, unfortunately, the user will never see it, to him the results of the call will simply never load. You see the problem now, don't you?

The Fix

To force Firefox 55+ to read Windows OS certificate store, do the following:

  1. In the address bar, type about:config to modify advanced settings of Firefox, then hit Enter.
  2. Read and accept the browser warning on modifying advanced settings before you proceed. Because I usually am careful on the web, and because what we are trying to fix in Firefox is not broken in IE and Chrome, the browser warning is acceptable to me. If however you are not comfortable, stop now, and reach out to your corporate help desk.
  3. In the search field, type security.enterprise and hit Enter.
  4. You will see one row for security.enterprise_roots.enabled|default|boolean|false. Double-click this row to make the value true.
    Firefox Config
  5. Close the about:config tab now. Better still, restart your browser.
  6. That's it, you have now forced Firefox to use Windows certificate store. Visit your URLs as normal now.

I hope this helps fix your issue. Thanks for visiting.

Tags