Issue 700406

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for xxx failed err=-5992

Reported by altuny...@gmail.com, Mar 10 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0

Example URL:
Any url 

Steps to reproduce the problem:
1. Try to browse to any site

What is the expected behavior?

What went wrong?
My setup has not been updated for months, but Google Chrome was on auto-update. I was using it from time to time with no problems, but a few days ago it stopped working and returns

This site can’t be reached

The webpage at xxx might be temporarily down or it may have moved permanently to a new web address.
ERR_FAILED

for any site I tried. I relaunched it from the command console and this is the output:

[30413:30433:0310/193119:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for www.googleapis.com failed err=-5992
[30413:30433:0310/193119:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for accounts.google.com failed err=-5992
[30413:30434:0310/193119:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for mtalk.google.com failed err=-5992
[30413:30442:0310/193119:ERROR:connection_factory_impl.cc(367)] Failed to connect to MCS endpoint with error -2
[30413:30434:0310/193120:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for safebrowsing.google.com failed err=-5992
[30413:30434:0310/193120:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for clients2.google.com failed err=-5992
[30413:30433:0310/193120:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for www.google.com.tr failed err=-5992
[30413:30433:0310/193120:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for ssl.google-analytics.com failed err=-5992
[30413:30433:0310/193120:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for clients4.google.com failed err=-5992
[30413:30433:0310/193121:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for translate.googleapis.com failed err=-5992
[30413:30702:0310/193121:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for www.google.com failed err=-5992
[30413:30705:0310/193121:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for www.google-analytics.com failed err=-5992
[30413:30703:0310/193123:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for www.google.com failed err=-5992
[30413:30701:0310/193128:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for ssl.gstatic.com failed err=-5992
[30413:30442:0310/193141:ERROR:connection_factory_impl.cc(367)] Failed to connect to MCS endpoint with error -2
[30413:30413:0310/193153:ERROR:account_tracker.cc(357)] OnGetTokenFailure: Connection failed (-2).
[30413:30413:0310/193153:ERROR:account_tracker.cc(357)] OnGetTokenFailure: Connection failed (-2).
[30413:30442:0310/193235:ERROR:connection_factory_impl.cc(367)] Failed to connect to MCS endpoint with error -2
[30413:30815:0310/193403:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for alt1-safebrowsing.google.com failed err=-5992
[30413:30442:0310/193434:ERROR:connection_factory_impl.cc(367)] Failed to connect to MCS endpoint with error -2
[30413:30442:0310/193750:ERROR:connection_factory_impl.cc(367)] Failed to connect to MCS endpoint with error -2
[30413:26908:0310/193822:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for raw.githubusercontent.com failed err=-5992
[30413:30815:0310/194022:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for easylist.to failed err=-5992
[30413:30705:0310/194022:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for easylist-downloads.adblockplus.org failed err=-5992
[30413:26907:0310/194023:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for raw.githubusercontent.com failed err=-5992

I can browse with Firefox without any problems on the same setup.

Did this work before? N/A 

Chrome version: Version 54.0.2840.59 beta (64-bit)  Channel: stable
OS Version: 4.6.7-040607
Flash Version:


 

Comment 1 by mmenke@chromium.org, Mar 10 2017

Components: -Internals>Network Internals>Network>Certificate Internals>Installer
I think the main issue here is why your system isn't updating, so I'm adding the installer label.  Also adding a label for the cert issue, not sure if those are expected or not, given that you're using a beta version of Chrome that's 5 months out of date.
Labels: Needs-Feedback
-5992 = PR_NOT_IMPLEMENTED_ERROR 

It sounds like the system is misconfigured. Please include full details about the distribution you're using, and please try to ensure the "libnspr" and "libnss3" libraries are up to date and current (and/or reinstall). These are parts of the Linux Standard Base, so it's surprising you're having issues.

Comment 3 by altuny...@gmail.com, Mar 10 2017

@rsleevi I have libnspr-4.11 and libnss3 3.21 on my system.

It's Linux Mint v18, kernel version 4.6.7-040607-generic.

I'm using ff53b1 and the gtalk client gajim without problems. But Chromium-based browsers, including Opera, are not working anymore. My nssdb seems to be up to date or at least frequently used, but I don't know how to check it or whether it matters :)

➜  ~  ls -l .pki/nssdb/
total 36
-rw------- 1 den den 14336 Mar 10 19:23 cert9.db
-rw------- 1 den den 14336 Jan  4  2013 key4.db
-rw------- 1 den den   440 Mar 11  2012 pkcs11.txt

Comment 4 by sheriffbot@chromium.org, Mar 10 2017

Cc: rsleevi@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "rsleevi@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Firefox ships its own copy of libnss/libnspr, so it's not terribly surprising it would work.

NSS 3.28.1 is the current stable. You can try upgrading to that.

However, the problem is in a third-party library, so it will be difficult to debug, especially remotely. Can you indicate the contents of your pkcs11.txt file? Is it possible that you've installed one or more third-party security modules improperly?

Comment 6 Deleted

Comment 7 by altuny...@gmail.com, Mar 10 2017

Hm, my comment does not show up or it seems deleted. Reposting it.

My pkcs11.txt is as follows:

➜  ~  cat .pki/nssdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/den/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

Labels: Needs-Feedback
Is it possible you have one or more (compilation) flags set for your libnss3/libnss3-1d/libnss3-nssdb installations? 

My understanding is that Mint 17 uses the Ubuntu nss3-3.21 deb file (despite 3.26.2 being current Ubuntu upstream), and from examining the build rules for Ubuntu, it doesn't exclude libpkix (the most likely candidate for the not implemented).

Can you also include a full net-internals log at https://dev.chromium.org/for-testers/providing-network-details?

Comment 9 by mmenke@chromium.org, Mar 10 2017

Status: Untriaged (was: Unconfirmed)

I don't know how I can do that. I could not find much on Google about it. Is there any tool that I can use to get the compilation flags of the libraries?

I've found the reason and fixed the issue.

ld.so.cache contained the libnss library refs from the Firefox installation, and Chrome was depending on them instead of the system libraries. Removing the Firefox path reference from ld.so.conf fixed the problem. But apparently, up until recent versions, for all those years Chrome was just working fine with Firefox's libnss.

Thanks

Status: WontFix (was: Untriaged)
OK, that's consistent with Firefox recently compiling out the code that Chrome depends on in their distribution of libnss.
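
The root cause found in this thread (the dynamic-linker cache resolving libnss/libnspr from an application directory instead of the system copies) can be checked for directly. The following is an added example, not part of the original thread or of Chromium's code; the function names and the /opt/firefox path in the sample are constructed, and treating only /lib and /usr/lib trees as system directories is an assumption.

```shell
#!/bin/sh
# Added example: flag NSS/NSPR libraries that the dynamic-linker cache
# resolves from outside the distribution's library directories.

# Reads `ldconfig -p` formatted text on stdin and prints "<soname> <path>"
# for every NSS/NSPR entry whose path is not under /lib* or /usr/lib*.
flag_foreign_nss() {
    awk '
        # Entry lines look like:
        #   libnss3.so (libc6,x86-64) => /some/dir/libnss3.so
        $1 ~ /^lib(nss3|nssutil3|smime3|ssl3|nspr4|plc4|plds4)\.so/ &&
        $(NF-1) == "=>" {
            path = $NF
            # Assumption: anything outside these trees is not a system copy.
            if (path !~ /^\/(usr\/)?lib(32|64)?\//)
                print $1, path
        }
    '
}

# Constructed sample of `ldconfig -p` output in which an application
# directory (hypothetical /opt/firefox) was added to ld.so.conf.
sample_cache() {
    cat <<'EOF'
6 libs found in cache `/etc/ld.so.cache'
    libssl3.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl3.so
    libnss3.so (libc6,x86-64) => /opt/firefox/libnss3.so
    libnss3.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libnss3.so
    libnspr4.so (libc6,x86-64) => /opt/firefox/libnspr4.so
    libnspr4.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libnspr4.so
    libc.so.6 (libc6,x86-64, OS ABI: Linux 2.6.32) => /lib/x86_64-linux-gnu/libc.so.6
EOF
}

# On a live system: ldconfig -p | flag_foreign_nss
# Any output names a library that programs linked against the system NSS
# may pick up from the wrong place.
```

Any directory reported this way should be traced back to an entry in ld.so.conf or /etc/ld.so.conf.d/, and the cache rebuilt with `ldconfig` after the entry is removed.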
