MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

Discussion about official Mozilla Firefox builds
ander13
Posts: 103
Joined: July 31st, 2007, 11:24 pm
Location: Ukraine, Chernivtsi

MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

Post by ander13 »

I have begun getting error code MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED on several sites, e.g.
www.olx.ua uses an invalid security certificate. The certificate does not come from a trusted source. Error code: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

https://www.olx.ua/

An additional policy constraint failed when validating this certificate.

HTTP Strict Transport Security: true
HTTP Public Key Pinning: false

Certificate chain:

I am using latest Nightly:

Name 	Firefox
Version 	63.0a1
Build ID 	20180818100051
Other users also noticed this behaviour:
1) netvibes has invalid security error on their css: https://cdn.netvibes.com/assets-1239/dist/common.css
2) https://www.olx.ua/
3) https://privatbank.ua/
johnp_
Posts: 154
Joined: March 7th, 2011, 11:22 am

Re: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

Post by johnp_ »

Explanation:

https://blog.nightly.mozilla.org/2018/0 ... ightly-63/

Collection of affected Websites for Tech Evangelism (i.e. telling these site-operators that they have to get new certificates):

https://bugzilla.mozilla.org/show_bug.cgi?id=1484006
SLK350
Posts: 147
Joined: July 21st, 2011, 3:19 am

Re: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

Post by SLK350 »

Paypal doesn't work including my banking site. WTF!

Paypal.com
Nordea.se
Corsair Obsidian 500D * AMD Ryzen Threadripper 1920X * ASUS ROG STRIX X399-E GAMING * G.Skill 32GB DDR4 3200MHz CL14 Flare X * Samsung 970 Pro 1TB * Fractal Design Celsius S36 360mm * Benq BL3201PT * ASUS GeForce RTX 2080 Ti 11GB DUAL OC * Creative Soundblaster X7 * Windows 10 Pro x64 Insider
WaltS48
Posts: 5141
Joined: May 7th, 2010, 9:38 am
Location: Pennsylvania, USA

Re: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

Post by WaltS48 »

SLK350 wrote: Paypal doesn't work including my banking site. WTF!

Paypal.com
Nordea.se
1. Check the bug mentioned to see if your banking site is listed as a site not working. If not, add the site in a new comment.
2. Paypal is already known.
3. Don't use Nightly for those sites until they update their certificates.
Linux Desktop - AMD Athlon(tm) II X3 455 3.3GHz | 8.0GB RAM | GeForce GT 630
Windows Notebook - AMD A8 7410 2.2GHz | 6.0GB RAM | AMD Radeon R5
dickvl
Posts: 54145
Joined: July 18th, 2005, 3:25 am

Re: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

Post by dickvl »

This is because in Nightly all Symantec certificates are distrusted by setting the distrust pref to 2.
You can revert this security feature to the behavior in the Firefox release by changing the pref to 1.

security.pki.distrust_ca_policy = 1

https://observatory.mozilla.org/analyze ... www.olx.ua

https://blog.mozilla.org/security/2018/ ... tificates/
https://blog.nightly.mozilla.org/2018/0 ... ightly-63/
https://support.mozilla.org/en-US/kb/wh ... ecure-mean
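
An added example, not part of the thread and not Mozilla's code: a small audit that finds Firefox profiles where security.pki.distrust_ca_policy has been overridden below the Nightly value of 2 described above, so the workaround can be reverted once the affected sites have replaced their certificates. The function names and sample file contents are constructed for illustration, and treating a lower number as the weaker setting is an assumption based on the 1 versus 2 description in this thread.

```python
import re
from pathlib import Path

PREF = "security.pki.distrust_ca_policy"
NIGHTLY_VALUE = 2  # per the thread: 2 = all Symantec certificates distrusted

# Matches integer prefs written as: user_pref("name", 1);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;')

# Constructed sample contents of a profile's prefs.js and user.js.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.pki.distrust_ca_policy", 1);
'''
SAMPLE_USER_JS = 'user_pref("security.pki.distrust_ca_policy", 2);\n'


def read_override(text):
    """Return the last integer set for PREF in one prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_RE.match(line)      # commented-out lines do not match
        if m and m.group(1) == PREF:
            value = int(m.group(2))  # a later line replaces an earlier one
    return value


def audit_profile(profile_dir):
    """Return (value, source file) of the effective override in a profile.

    user.js is read at startup and applied over prefs.js, so it is checked last.
    (None, None) means no override: the build's own default applies.
    """
    effective, source = None, None
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            v = read_override(path.read_text(encoding="utf-8", errors="replace"))
            if v is not None:
                effective, source = v, name
    return effective, source


def is_weakened(value, baseline=NIGHTLY_VALUE):
    """True when an explicit override is below the baseline (assumed weaker)."""
    return value is not None and value < baseline
```

Run audit_profile over each profile directory and pass the returned value to is_weakened to list the profiles that still carry the workaround.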
SLK350
Posts: 147
Joined: July 21st, 2011, 3:19 am

Re: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

Post by SLK350 »

dickvl wrote: This is because in Nightly all Symantec certificates are distrusted by setting the distrust pref to 2.
You can revert this security feature to the behavior in the Firefox release by changing the pref to 1.

security.pki.distrust_ca_policy = 1

https://observatory.mozilla.org/analyze ... www.olx.ua

https://blog.mozilla.org/security/2018/ ... tificates/
https://blog.nightly.mozilla.org/2018/0 ... ightly-63/
https://support.mozilla.org/en-US/kb/wh ... ecure-mean
Thanks, now my sites work again. This was horribly annoying. :D
Corsair Obsidian 500D * AMD Ryzen Threadripper 1920X * ASUS ROG STRIX X399-E GAMING * G.Skill 32GB DDR4 3200MHz CL14 Flare X * Samsung 970 Pro 1TB * Fractal Design Celsius S36 360mm * Benq BL3201PT * ASUS GeForce RTX 2080 Ti 11GB DUAL OC * Creative Soundblaster X7 * Windows 10 Pro x64 Insider