ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for xxx failed err=-5992
Reported by
altuny...@gmail.com,
Mar 10 2017
|
||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0 Example URL: Any url Steps to reproduce the problem: 1. try to browse for any site 2. 3. What is the expected behavior? What went wrong? My setup has not been updated for months but the google chrome was on autoupdate. I was using it from time to time with no problems, but a few days ago it stopped working and returns This site can’t be reached The webpage at xxx might be temporarily down or it may have moved permanently to a new web address. ERR_FAILED for any site i tried. I relaunched it from the command console and this is the output: [30413:30433:0310/193119:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for www.googleapis.com failed err=-5992 [30413:30433:0310/193119:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for accounts.google.com failed err=-5992 [30413:30434:0310/193119:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for mtalk.google.com failed err=-5992 [30413:30442:0310/193119:ERROR:connection_factory_impl.cc(367)] Failed to connect to MCS endpoint with error -2 [30413:30434:0310/193120:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for safebrowsing.google.com failed err=-5992 [30413:30434:0310/193120:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for clients2.google.com failed err=-5992 [30413:30433:0310/193120:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for www.google.com.tr failed err=-5992 [30413:30433:0310/193120:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for ssl.google-analytics.com failed err=-5992 [30413:30433:0310/193120:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for clients4.google.com failed err=-5992 [30413:30433:0310/193121:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for translate.googleapis.com failed err=-5992 [30413:30702:0310/193121:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for www.google.com failed err=-5992 [30413:30705:0310/193121:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for www.google-analytics.com failed err=-5992 [30413:30703:0310/193123:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for www.google.com failed err=-5992 [30413:30701:0310/193128:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for ssl.gstatic.com failed err=-5992 [30413:30442:0310/193141:ERROR:connection_factory_impl.cc(367)] Failed to connect to MCS endpoint with error -2 [30413:30413:0310/193153:ERROR:account_tracker.cc(357)] OnGetTokenFailure: Connection failed (-2). [30413:30413:0310/193153:ERROR:account_tracker.cc(357)] OnGetTokenFailure: Connection failed (-2). [30413:30442:0310/193235:ERROR:connection_factory_impl.cc(367)] Failed to connect to MCS endpoint with error -2 [30413:30815:0310/193403:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for alt1-safebrowsing.google.com failed err=-5992 [30413:30442:0310/193434:ERROR:connection_factory_impl.cc(367)] Failed to connect to MCS endpoint with error -2 [30413:30442:0310/193750:ERROR:connection_factory_impl.cc(367)] Failed to connect to MCS endpoint with error -2 [30413:26908:0310/193822:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for raw.githubusercontent.com failed err=-5992 [30413:30815:0310/194022:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for easylist.to failed err=-5992 [30413:30705:0310/194022:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for easylist-downloads.adblockplus.org failed err=-5992 [30413:26907:0310/194023:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for raw.githubusercontent.com failed err=-5992 I can browse with firefox without any problems on the same setup Did this work before? N/A Chrome version: Version 54.0.2840.59 beta (64-bit) Channel: stable OS Version: 4.6.7-040607 Flash Version:
,
Mar 10 2017
-5992 = PR_NOT_IMPLEMENTED_ERROR It sounds like the system is misconfigured. Please include full details about the distribution you're using, and please try to ensure the "libnspr" and "libnss3" libraries are up to date and current (and/or reinstall). These are parts of the Linux Standard Base, so it's surprising you're having issues.
,
Mar 10 2017
@rsleevi I have lebnspr-4.11 and libnss3 3.21 on my system. its linux mint v18, kernel version 4.6.7-040607-generic I'm using ff53b1 and gtalk client gajim without problems. But chromium based browsers -including opera- are not working anymore. My nssdb seems to be up to date or at least frequently used but don't know how to check it or whether it matters :) ➜ ~ ls -l .pki/nssdb/ total 36 -rw------- 1 den den 14336 Mar 10 19:23 cert9.db -rw------- 1 den den 14336 Jan 4 2013 key4.db -rw------- 1 den den 440 Mar 11 2012 pkcs11.txt
,
Mar 10 2017
Thank you for providing more feedback. Adding requester "rsleevi@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 10 2017
Firefox ships its own copy of libnss/libnspr, so it's not terribly surprising it would work. NSS 3.28.1 is the current stable. You can try upgrading to that. However, the problem is in a third-party library, so it will be difficult to debug, especially remotely. Can you indicate the contents of your pkcs11.txt file? Is it possible that you've installed one or more third-party security modules improperly?
,
Mar 10 2017
Hm my comment doas not show up or it seems deleted. Reposting it.
My pkcs11.txt is as follows
➜ ~ cat .pki/nssdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/den/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
,
Mar 10 2017
Is it possible you have one or more (compilation) flags set for your libnss3/libnss3-1d/libnss3-nssdb installations? My understanding is that Mint 17 uses the Ubuntu nss3-3.21 deb file (despite 3.26.2 being current Ubuntu upstream), and from examining the build rules for Ubuntu, it doesn't exclude libpkix (the most likely candidate for the not implemented) Can you also include a full net-internals log at https://dev.chromium.org/for-testers/providing-network-details
,
Mar 10 2017
,
Mar 10 2017
I don't know how i can do that. i could not find much on google about it. is there any tool that i can use to get the compilation flags of the libraries ?
,
Mar 14 2017
I've found the reason and fixed the issue. ld.so.cache contained the libnss libraries refs from the firefox installation and chrome was depending on them, instead of system libraries. Removing the firefox path reference from ld.so.conf fixed the problem. But apparently up until recent versions, for all those years chrome was just working fine with the firefox' libnss. Thanks
,
Mar 14 2017
OK, that's consistent with Firefox recently compiling out the code that Chrome depends on in their distribution of libnss. |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by mmenke@chromium.org
, Mar 10 2017