MozillaZine

MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

Discussion about official Mozilla Firefox builds
ander13

User avatar
 
Posts: 103
Joined: July 31st, 2007, 11:24 pm
Location: Ukraine, Chernivtsi

Post Posted August 18th, 2018, 12:40 pm

I has begun getting error code MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED on several sites, e.g.

www.olx.ua uses an invalid security certificate. The certificate does not come from a trusted source. Error code: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED


Code: Select all
https://www.olx.ua/

An additional policy constraint failed when validating this certificate.

HTTP Strict Transport Security: true
HTTP Public Key Pinning: false

Certificate chain:

-----BEGIN CERTIFICATE-----
MIIHeTCCBmGgAwIBAgIQGX4Mj5QN+pU35wlMn5Mk7DANBgkqhkiG9w0BAQsFADBE
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMR4wHAYDVQQDExV0
aGF3dGUgRVYgU1NMIENBIC0gRzMwHhcNMTYwOTAyMDAwMDAwWhcNMTgwOTAyMjM1
OTU5WjCB7jETMBEGCysGAQQBgjc8AgEDEwJOTDEdMBsGA1UEDxMUUHJpdmF0ZSBP
cmdhbml6YXRpb24xETAPBgNVBAUTCDM0MjQzMjM0MQswCQYDVQQGEwJOTDESMBAG
A1UECAwJSG9vZmRkb3JwMRIwEAYDVQQHDAlIb29mZGRvcnAxETAPBgNVBAoMCE9M
WCBCLlYuMR0wGwYDVQQLDBRUZWNobmljYWwgRGVwYXJ0bWVudDE+MDwGA1UEAww1
ZXYuaG9yaXpvbnRhbHMuZXUuY2VydGlmaWNhdGVzLm5hc3BlcnNjbGFzc2lmaWVk
cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9oqYCMxQ5EX6o
C/JDDsBif7NSkjDmNop12fvdNqyJm4hX8n7BEW0IrVnlPp4UMZea/hujbZ8UUn48
WiK85+JA9HuGF463aCert2JiTXj4BxrrI/qS8bW3v+AUwZjq6y1+490ZxstsMmR1
M73lSQ6t3HieaqoexRLqRvu4ak9RQtp4XYIrtqAusq3LeZrc89RLUbXvJOLfzmGg
uC46BtewHn1Z2BwXUb1urailTHkZnVGd0KmONqa/lLneQj3yDeNK3+mniU1kqvJJ
vewlaJVQCjW3C5jkgJ4A4WeiBKwkGIn2S22lEh/iIFEZZVQqWsndCoAnotkuHCzh
oD1FjYsZAgMBAAGjggO6MIIDtjCB0gYDVR0RBIHKMIHHggpzc2wub2x4LnVhggp3
d3cub2x4LnVhggpzc2wub2x4LnBsggp3d3cub2x4LnBsggpzc2wub2x4LmJ5ggp3
d3cub2x4LmJ5ggp3d3cub2x4LnJvggpzc2wub2x4LnJvggpzc2wub2x4LmJnggp3
d3cub2x4LmJnggpzc2wub2x4Lmt6ggp3d3cub2x4Lmt6gjVldi5ob3Jpem9udGFs
cy5ldS5jZXJ0aWZpY2F0ZXMubmFzcGVyc2NsYXNzaWZpZWRzLmNvbTAJBgNVHRME
AjAAMA4GA1UdDwEB/wQEAwIFoDArBgNVHR8EJDAiMCCgHqAchhpodHRwOi8vdGku
c3ltY2IuY29tL3RpLmNybDB8BgNVHSAEdTBzMGgGC2CGSAGG+EUBBzABMFkwJgYI
KwYBBQUHAgEWGmh0dHBzOi8vd3d3LnRoYXd0ZS5jb20vY3BzMC8GCCsGAQUFBwIC
MCMMIWh0dHBzOi8vd3d3LnRoYXd0ZS5jb20vcmVwb3NpdG9yeTAHBgVngQwBATAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAU8HBR2tMq
kU9Sd9eGd3QPznEabCIwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRw
Oi8vdGkuc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vdGkuc3ltY2IuY29t
L3RpLmNydDCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHYA3esdK3oNT6Ygi4Gt
gWhwfi6OnQHVXIiNPRHEzbbsvswAAAFW6wU9xwAABAMARzBFAiEAs2zTm/qa8FB4
PAlncRdlPrQqQlmZDJ3M+Pu4mRFZM4UCIHjutd9ACEn1EjFmj3g9qsEPOTxZ6DNm
H1LwTVVmhr4NAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFW
6wU/wQAABAMARjBEAiB5o4dyMrtOZUQu+dkk1fKzNwlOdgPfpUgqNw/sdbX6zgIg
QTLqD8qXYK2Xvf/pFi2M4DwVCT7u13il9wUonBqQ9e8AdwBo9pj4H2SCvjqM7rko
HUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVbrBT/JAAAEAwBIMEYCIQDZHIATjQxceFq8
B0i7JaVjNzcNJOxiFZneey4QXrZ3ZgIhAJEv/xLvpeP5Zu06xADzKeC1rmLJCkQs
PuC/kc9M1/IVMA0GCSqGSIb3DQEBCwUAA4IBAQA+2bVV6T18kEsF0DuVLGd+m0SN
EWjRpyBVpzCedNEV8evf+wWgEX6MFAIUnvCMu/sXTK6kSv3tsLmSY5bHSyDLpBJ1
uO0gRPZ3GNHEcMeJgnKlCdb4TUo1gtopg9slQxhXZRWDYzhrblBN+r9NU59yXkIr
et2Of8tyLm0oeDRPxUumhRNHIRtt93mdwW6seT9rdFdqrk2YiCo2m/5ioToeUdvY
yVLGJE+scGpVsvK66Jkoog/tXfPf6IRreeXaMtt3L/y9cqE74YJB/cpSuWBGH94d
ePz2w/8N8qy3PHv7aJIjKdF6/3ZIIv7Mh2jtfIyaaIJ2+thxo2SZjhC5l/rs
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIErzCCA5egAwIBAgIQXXL7M3Yg9kxygNvpEoH/ajANBgkqhkiG9w0BAQsFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTMxMDMxMDAwMDAwWhcNMjMx
MDMwMjM1OTU5WjBEMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMu
MR4wHAYDVQQDExV0aGF3dGUgRVYgU1NMIENBIC0gRzMwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDE3dqUHjKyLqCDwKZ9X2Ut/Se4cw74C6nUViZpmGc1
OWRYzoJvmJTRj+CQ1u1VS5hL1xBZNAIb51ExUcQ4wrzbA1zK4XzcT1mX6gd/D4U+
kuqqp9m+AUHkYlZHNr1XkeYh0/hBC9i66O2BrXDAi27ziW4nnqamc1m7cQDUT0tI
6dXJJzacfBwCqqy9O9FTg2of5ghHM6exnwK+m0ftMwTcHIAn0UozoIzrAUehMpBk
e8TghMky6d00H4poZ/OtEGPr7oqasSobJnShKrCP/lKYRpfPo1Ycb26Zl40mDqns
wlNw/HqlGUm9tReCVd6X4F1ihIHwcKg0U08U/T1dPW+5AgMBAAGjggE1MIIBMTAS
BgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQj
MCEwHwYIKwYBBQUHMAGGE2h0dHA6Ly90Mi5zeW1jYi5jb20wOwYDVR0gBDQwMjAw
BgRVHSAAMCgwJgYIKwYBBQUHAgEWGmh0dHBzOi8vd3d3LnRoYXd0ZS5jb20vY3Bz
MDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly90MS5zeW1jYi5jb20vVGhhd3RlUENB
LmNybDApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRU3ltYW50ZWNQS0ktMS01MzYw
HQYDVR0OBBYEFPBwUdrTKpFPUnfXhnd0D85xGmwiMB8GA1UdIwQYMBaAFHtbRc+v
zst6/TGSGmq280brV0hQMA0GCSqGSIb3DQEBCwUAA4IBAQChLpQ+mxb0WBpvwfrB
fkOTssP3iesTYl3dzGETKx1OiHkRYhQ3MEb/iWIQhSqHHvjir/6TApPK8ulGA2uh
GqzV8IAbmG+4OlD4VHEGA+eEzI5h0l9NDJcCZbWMJrwFmPTcxq/kV3/j3KHXJ0cq
4Cw/CXTcWuW1fPqCmhX6dCuELmus7zWmMPpHSqo2RPZakQfT5E6XP6ZT2CkzMm+L
PbWlDeXkiuj1wPqv2DcoJ8PtNDHZfKavTRJP0CuSnGmV8iim/qjG4CxNNusRNNbh
gZmdQfLnxVcFDhnKr0I5H6cnXuAKF7iuR6uS8YoE3zDgu0+K+RuITwO0JXp43i59
KdEx
-----END CERTIFICATE-----


I am using latest Nightly:
Code: Select all
Name    Firefox
Version    63.0a1
Build ID    20180818100051


Other users also noticed this behaviour:
1) netvibes has invalid security error on their css: https://cdn.netvibes.com/assets-1239/dist/common.css
2) https://www.olx.ua/
3) https://privatbank.ua/

johnp_
 
Posts: 145
Joined: March 7th, 2011, 11:22 am

Post Posted August 18th, 2018, 1:28 pm

Explanation:

https://blog.nightly.mozilla.org/2018/0 ... ightly-63/

Collection of affected Websites for Tech Evangelism (i.e. telling these site-operators that they have to get new certificates):

https://bugzilla.mozilla.org/show_bug.cgi?id=1484006

SLK350

User avatar
 
Posts: 128
Joined: July 21st, 2011, 3:19 am

Post Posted August 19th, 2018, 7:12 am

Paypal doesn't work including my banking site. WTF!

Paypal.com
Nordea.se
Corsair Obsidian 500D * AMD Ryzen Threadripper 1920X * ASUS ROG STRIX X399-E GAMING * G.Skill 32GB DDR4 3200MHz CL14 Flare X * Samsung 970 Pro 1TB * Fractal Design Celsius S36 360mm * Benq BL3201PT * ASUS GeForce RTX 2080 Ti 11GB DUAL OC * Creative Soundblaster X7 * Windows 10 Pro x64 Insider

WaltS48

User avatar
 
Posts: 3767
Joined: May 7th, 2010, 9:38 am
Location: Pennsylvania, USA

Post Posted August 19th, 2018, 7:16 am

SLK350 wrote:Paypal doesn't work including my banking site. WTF!

Paypal.com
Nordea.se


1. Check the bug mentioned to see if your banking site is listed as a site not working. If not, add the site in a new comment.
2. Paypal is already known.
3. Don't use Nightly for those sites until they update their certificates.
Linux Desktop - AMD Athlon(tm) II X3 455 3.3GHz | 8.0GB RAM | GeForce GT 630
Windows Notebook - AMD A8 7410 2.2GHz | 6.0GB RAM | AMD Radeon R5

dickvl

User avatar
 
Posts: 52428
Joined: July 18th, 2005, 3:25 am

Post Posted August 22nd, 2018, 8:53 pm

This is because in Nightly all Symantec certificates are distrusted by setting the distrust pref to 2.
You can revert this security feature to the behavior in the Firefox release by changing the pref to 1.

security.pki.distrust_ca_policy = 1

https://observatory.mozilla.org/analyze ... www.olx.ua

https://blog.mozilla.org/security/2018/ ... tificates/
https://blog.nightly.mozilla.org/2018/0 ... ightly-63/
https://support.mozilla.org/en-US/kb/wh ... ecure-mean

SLK350

User avatar
 
Posts: 128
Joined: July 21st, 2011, 3:19 am

Post Posted August 22nd, 2018, 11:45 pm

dickvl wrote:This is because in Nightly all Symantec certificates are distrusted by setting the distrust pref to 2.
You can revert this security feature to the behavior in the Firefox release by changing the pref to 1.

security.pki.distrust_ca_policy = 1

https://observatory.mozilla.org/analyze ... www.olx.ua

https://blog.mozilla.org/security/2018/ ... tificates/
https://blog.nightly.mozilla.org/2018/0 ... ightly-63/
https://support.mozilla.org/en-US/kb/wh ... ecure-mean


Thanks, now my sites works again. This was horribly annoying. :D
Corsair Obsidian 500D * AMD Ryzen Threadripper 1920X * ASUS ROG STRIX X399-E GAMING * G.Skill 32GB DDR4 3200MHz CL14 Flare X * Samsung 970 Pro 1TB * Fractal Design Celsius S36 360mm * Benq BL3201PT * ASUS GeForce RTX 2080 Ti 11GB DUAL OC * Creative Soundblaster X7 * Windows 10 Pro x64 Insider

Return to Firefox Builds


Who is online

Users browsing this forum: No registered users and 3 guests