Encrypted HTTPS websites always ask if I want to trust the certificate
I am using Mozilla Firefox 64-bit with version 107.0 on Windows 10 21H2. I connect very often to HTTPS websites without a valid certificate. Often with certificates issued by themselves. Before it was always enough to say "I trust this website" once. Now the question comes again and again, whenever I connect. What could be the cause of this?
Všetky odpovede (18)
Does no one have any ideas about this? This topic would be very important to me. Because it is already a bit annoying.
Can you provide any example of this issue?
What would you like to have with it? It's like I described: I open the web interface of my switch on day 1 for example and it comes up with the standard query if I trust this website "Warning: Potential Security Risk Ahead". I click on "Advanced..." and then on "Accept the Risk and Continue". On the second day 2 when I go back to the web interface of the switch the same message appears again.
Does it happen for every website? If not, can you provide an exemplary domain address?
It happens with every page...
Is there an Advanced... button? Can you click it and paste here the certificate?
TyDraniu schrieb
Is there an Advanced... button? Can you click it and paste here the certificate?
Attached are two screenshots of the certificate and the warning. Is that enough for you
There should be also Download (string) link below. Try to click it and paste here the output.
TyDraniu schrieb
There should be also Download (string) link below. Try to click it and paste here the output.
Attached here is this issue:
https://mamt-nas01/redirect.html?count=0.07759302844965466
Der Zertifikat-Aussteller der Gegenstelle wurde nicht erkannt.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Zertifikatskette:
BEGIN CERTIFICATE-----
MIIDvTCCAqWgAwIBAgIQW1DOKQjATneN1uH97hPDCTANBgkqhkiG9w0BAQsFADBH
MUUwQwYDVQQDDDxUaGUgb3JpZ2luYWwgY2VydGlmaWNhdGUgcHJvdmlkZWQgYnkg
dGhlIHNlcnZlciBpcyB1bnRydXN0ZWQwHhcNMTYwMzExMTA0NTI3WhcNMjYwMzA5
MTA0NTI3WjCBjjELMAkGA1UEBhMCVFcxDzANBgNVBAgTBlRhaXBlaTEPMA0GA1UE
BxMGVGFpcGVpMRswGQYDVQQKExJRTkFQIFN5c3RlbXMsIEluYy4xDDAKBgNVBAsT
A1FUUzERMA8GA1UEAxMIUU5BUCBOQVMxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRA
cW5hcC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyPxLm7HD5
1AiJOo6Dh2Jzi0oT328Eeriuw6Wg8g7cw/nnmU14eclP2R4QAaOHvxAFdxWLnZdx
zrs9PykyKETxh4kZTc2k8C+Ckr6sDd5Rx5SYRV0P9vJ6o65LiXEtEin8CimymCzR
FG/ie0cGXbtTj6qYhShEcSFNHRfKJEtk5zfGXC1yrF5o1nL9j5R4NzpEQDXGkbp5
8YorpBIE6dTKdNvyE3BqeXhBi1FqPGkuGKgj4pciujSpTzuzeBwDQOut+uEhHthR
3BjHqp+f9IeVKMrIYfRCt52B1b56dlKyz5ZhF/msrgcjc3YXA0h5Mm7dYuFuQ/2u
+yJL1mHPx4vbAgMBAAGjXTBbMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQUQsix2U9U
9yAWqWlMoCfMy+3UcD0wHwYDVR0jBBgwFoAUQsix2U9U9yAWqWlMoCfMy+3UcD0w
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEASNfGszhqHo51rJUbsy3C
6rVacIJJtC28Y0sF/Z9vE6tbcNB4untVwZG/M2DoDgWvZ6MsIXXb4LKRBuxS6E+p
zGJHhaePAMxT0O0WNLAYdWJKAu9lCoKeeKUAVzYfzyswDA9YTXYIsqOu7ay0U8Px
Mmu0OUEqcaJ3BaStnSUmL5aPiCHND4Y/URAmqmyz+SO6yQIuQ7VjQaZ7blEetgp8
fyGRo1Po1XqC0mymwHU3mU1BKhHemIHWwLRPLysgU2tN7RFG8DVnM43f3k+W/Ini
JHYYvNIwytxPRqyf4zip+/h5jB1yxpOpv5YLGFF7y2dGTF5Mu5OnIHpkYjaSVeZh
Ig==
END CERTIFICATE-----
cor-el schrieb
If you click the blue SEC_ERROR_UNKNOWN_ISSUER link then Firefox should show the base64 encoded certificate data and copy this data to the clipboard.
I have just posted.
cor-el schrieb
The screenshot shows a QNAP NAS certificate that you would expect to be used for connecting to a NAS and not for accessing internet.
This is also a local access, so no access via the Internet to the device. The strange thing is that I get this error message every time I connect to this NAS.
Andreas Fendt said
The strange thing is that I get this error message every time I connect to this NAS.
Does Firefox forget if you simply close and re-open that tab, or only when you exit/restart Firefox and try again in the new session?
Firefox may remember exceptions only for the current session if you either
(A) use private windows -- site-specific information is not persisted to disk
(B) modified the value of security.certerrors.permanentOverride to false in about:config (but this is very uncommon unless you used a hardening list)
I am really pleased how many are concerned with my problem. Thank you!
jscher2000 - Support Volunteer schrieb
Does Firefox forget if you simply close and re-open that tab, or only when you exit/restart Firefox and try again in the new session?
This is an interesting question: when I click on "Accept risk and continue", it doesn't matter for some time whether I restart Firefox (with about:profiles -> Restart Normal) or close the tab and open it again. There is no warning anymore. After a few hours I get this warning again.
jscher2000 - Support Volunteer schrieb
Firefox may remember exceptions only for the current session if you either (A) use private windows -- site-specific information is not persisted to disk
In this context, I am not concerned with private windows. I open these web pages normally.
jscher2000 - Support Volunteer schrieb
(B) modified the value of security.certerrors.permanentOverride to false in about:config (but this is very uncommon unless you used a hardening list)
I have not changed this setting and it is set to true.
Andreas Fendt said
I am really pleased how many are concerned with my problem. Thank you!jscher2000 - Support Volunteer schrieb
Does Firefox forget if you simply close and re-open that tab, or only when you exit/restart Firefox and try again in the new session?This is an interesting question: when I click on "Accept risk and continue", it doesn't matter for some time whether I restart Firefox (with about:profiles -> Restart Normal) or close the tab and open it again. There is no warning anymore. After a few hours I get this warning again.
After a few hours... Unless your server generated a new certificate, it's hard to understand what would be changing in a few hours.
Or could there be any process on your system that removes/replaces the cert9.db file in your profile folder which stores exceptions? (Profiles - Where Firefox stores your bookmarks, passwords and other user data)
jscher2000 - Support Volunteer schrieb
After a few hours... Unless your server generated a new certificate, it's hard to understand what would be changing in a few hours.
I will wait a few hours and revisit the same QNAP NAS and post the certificate string here. Maybe this will change.
jscher2000 - Support Volunteer schrieb
Or could there be any process on your system that removes/replaces the cert9.db file in your profile folder which stores exceptions? (Profiles - Where Firefox stores your bookmarks, passwords and other user data)
I don't know. Maybe it's because of my anti-virus program ESET? Maybe it changes the cert9.db?
First Try:
https://mamt-nas01/redirect.html?count=0.8902489143157176 Der Zertifikat-Aussteller der Gegenstelle wurde nicht erkannt. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Zertifikatskette: -----BEGIN CERTIFICATE----- MIIDvTCCAqWgAwIBAgIQDPAS73CEOWQA8UC3FQIoQjANBgkqhkiG9w0BAQsFADBH MUUwQwYDVQQDDDxUaGUgb3JpZ2luYWwgY2VydGlmaWNhdGUgcHJvdmlkZWQgYnkg dGhlIHNlcnZlciBpcyB1bnRydXN0ZWQwHhcNMTYwMzExMTA0NTI3WhcNMjYwMzA5 MTA0NTI3WjCBjjELMAkGA1UEBhMCVFcxDzANBgNVBAgTBlRhaXBlaTEPMA0GA1UE BxMGVGFpcGVpMRswGQYDVQQKExJRTkFQIFN5c3RlbXMsIEluYy4xDDAKBgNVBAsT A1FUUzERMA8GA1UEAxMIUU5BUCBOQVMxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRA cW5hcC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyPxLm7HD5 1AiJOo6Dh2Jzi0oT328Eeriuw6Wg8g7cw/nnmU14eclP2R4QAaOHvxAFdxWLnZdx zrs9PykyKETxh4kZTc2k8C+Ckr6sDd5Rx5SYRV0P9vJ6o65LiXEtEin8CimymCzR FG/ie0cGXbtTj6qYhShEcSFNHRfKJEtk5zfGXC1yrF5o1nL9j5R4NzpEQDXGkbp5 8YorpBIE6dTKdNvyE3BqeXhBi1FqPGkuGKgj4pciujSpTzuzeBwDQOut+uEhHthR 3BjHqp+f9IeVKMrIYfRCt52B1b56dlKyz5ZhF/msrgcjc3YXA0h5Mm7dYuFuQ/2u +yJL1mHPx4vbAgMBAAGjXTBbMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQUQsix2U9U 9yAWqWlMoCfMy+3UcD0wHwYDVR0jBBgwFoAUQsix2U9U9yAWqWlMoCfMy+3UcD0w DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAb/H0ZYKL9rDHx8Rl+3YM hSRGrD/JA7NjIOYUbgC7v9Gsu2TJPIfuUBFN60803Y8ff2quUk4z0DaCrCAFIZXw GezQKMo2WPEoLO0ehblpktnJAM6KkkcCoybpjky9JfwX+OXWPAlpIK7dToYKI09W PpuRHZtBjB8qwONReeuLe+RLLfGYPBK/ralsWiiLGgmEmTzR/D3DXASjS58L2jH5 j3PV/jq5xUCH8cRHIck6ATKGwvGyjHQECeQbsLkN0qETPEgyrHnKYGIcCgY2ryzy LHhpa4qIPp2RBObvZgkUdIjZNY8iGzr0D/ntFAAuRUdePgjDlYMw55WYVgW904++ Dg== -----END CERTIFICATE-----
Second Try:
https://mamt-nas01/redirect.html?count=0.9115867796392408
Der Zertifikat-Aussteller der Gegenstelle wurde nicht erkannt.
HTTP Strict Transport Security: false HTTP Public Key Pinning: false
Zertifikatskette:
-----BEGIN CERTIFICATE----- MIIDvTCCAqWgAwIBAgIQKWekz/bt5gfj2QhzfHh6nzANBgkqhkiG9w0BAQsFADBH MUUwQwYDVQQDDDxUaGUgb3JpZ2luYWwgY2VydGlmaWNhdGUgcHJvdmlkZWQgYnkg dGhlIHNlcnZlciBpcyB1bnRydXN0ZWQwHhcNMTYwMzExMTA0NTI3WhcNMjYwMzA5 MTA0NTI3WjCBjjELMAkGA1UEBhMCVFcxDzANBgNVBAgTBlRhaXBlaTEPMA0GA1UE BxMGVGFpcGVpMRswGQYDVQQKExJRTkFQIFN5c3RlbXMsIEluYy4xDDAKBgNVBAsT A1FUUzERMA8GA1UEAxMIUU5BUCBOQVMxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRA cW5hcC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyPxLm7HD5 1AiJOo6Dh2Jzi0oT328Eeriuw6Wg8g7cw/nnmU14eclP2R4QAaOHvxAFdxWLnZdx zrs9PykyKETxh4kZTc2k8C+Ckr6sDd5Rx5SYRV0P9vJ6o65LiXEtEin8CimymCzR FG/ie0cGXbtTj6qYhShEcSFNHRfKJEtk5zfGXC1yrF5o1nL9j5R4NzpEQDXGkbp5 8YorpBIE6dTKdNvyE3BqeXhBi1FqPGkuGKgj4pciujSpTzuzeBwDQOut+uEhHthR 3BjHqp+f9IeVKMrIYfRCt52B1b56dlKyz5ZhF/msrgcjc3YXA0h5Mm7dYuFuQ/2u +yJL1mHPx4vbAgMBAAGjXTBbMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQUQsix2U9U 9yAWqWlMoCfMy+3UcD0wHwYDVR0jBBgwFoAUQsix2U9U9yAWqWlMoCfMy+3UcD0w DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJcIpQEPiTpMKzwaBtZRz AdSDN30dD+/TJiGlZ+0GXj1UY+U2IDO8Yv5Zx0Tq4l6dkmaHZ3KbqAa39SGn4zpp MLbiUAkVG98YnfZHd2lMq6WeFm1zAhpQmP9kHWl0anaB+wkQxDykAe8OlB9QvV2O KhzB9upU4o+e8ojfEXPa75m6I70BmDBiVT5iqwYxiQWMblrccV+lj4EZxnt9vnAe YnTxBxdETz01eB2xSaiy08JnUGfteuthu3D/6b4KWXGPzwcmewybbinIy4zhNR1y Omltmr/t1Ta3ZJeQA6nlCIFQJZeeAtNZB26CDGnICN4vvIKH11ZRKJrxW/5vfzeW Jg== -----END CERTIFICATE-----
As you can see, the server's certificate keeps changing. Every few hours. What could be the cause of this?
Perhaps new certificates are generated regularly by the device or by an intermediary server representing itself as the device. ??
Two things I notice about the cert after decoding:
(1) "Issuer: CN = The original certificate provided by the server is untrusted"
I think that is provided by the server and is not a judgment issued by Firefox?
(2) The Subject Alt Name (SAN) field is blank.
More recent versions of Firefox require the server name to be in this field.
But setting those aside, the fact that the certificate keeps changing would still be a problem when you need to make an exception.
Have you checked for firmware updates? https://www.qnap.com/de-de/download
Go to menu ≡ -> Settings and check your Proxy settings. It should be set to No proxy.