New issue
Advanced search Search tips

Issue 714172 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Apr 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug



Sign in to add a comment

Any connection to httpS fails after received cert with ERR_FAILED

Reported by thenic...@gmail.com, Apr 21 2017 
Chrome Version       : 58.0.3029.81 (Official Build) (64-bit)Build)
also in Chromium Version       : 57.0.2987.98 (Developer Build)

OS Version: Ubuntu 16.04.2 (all packages up-to-date)
URLs (if applicable) : https://google.com
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5: /
  Firefox 4.x: yes
     IE 7/8/9: /

What steps will reproduce the problem?
1. Go to any encrypted site, ie  https://google.com
2. Stare at screen
3.

What is the expected result?

Seeing a web page while being protected from lizards by encryption.


What happens instead of that?

"""
This site can’t be reached

The webpage at https://www.google.de/ might be temporarily down or it may have moved permanently to a new web address.
ERR_FAILED
"""

Devtools say "cert is valid", but "page is not secure" - nothing more.


Please provide any additional information below. Attach a screenshot if
possible.

Happens with each httpS site I tried.


Attached: 

Logs from chrome://net-internals (reset before shift-reloading)
net-internals-log.json - trying to access https://profdrkarlhecht.de
net-internals-log-googlecom.json - trying to access https://google.com

Also:
Running from shell gives following STD(ERR|OUT)
[21165:21185:0421/173343.015548:ERROR:cert_verify_proc_nss.cc(918)] CERT_PKIXVerifyCert for www.google.de failed err=-5992
[21165:21186:0421/173343.072385:ERROR:cert_verify_proc_nss.cc(918)] CERT_PKIXVerifyCert for translate.googleapis.com failed err=-5992
[21242:21242:0421/173343.363828:ERROR:child_thread_impl.cc(762)] Request for unknown Channel-associated interface: ui::mojom::GpuMa
net-internals-log.json
63.6 KB View Download
net-internals-log-googlecom.json
239 KB View Download

Comment 1 by ellyjo...@chromium.org, Apr 21 2017

Components: Internals>Network>SSL
Status: Untriaged (was: Unconfirmed)
Marking for network triage.

Comment 2 by thenic...@gmail.com, Apr 21 2017 

not sure if related:

while I was debugging before, I deleted my ~/.pki, which resulted in this error disappearing: 
nss_util.cc(808)] After loading Root Certs, loaded==false: NSS error code: -8018

Comment 3 by davidben@chromium.org, Apr 21 2017

Components: -Internals>Network>SSL Internals>Network>Certificate
Looks like something in NSS is unhappy. Moving to the certificate folks.

I checked the error codes, and neither seem especially helpful:

-5992 is PR_NOT_IMPLEMENTED_ERROR
-8018 is SEC_ERROR_UNKNOWN_PKCS11_ERROR

Comment 4 by rsleevi@chromium.org, Apr 21 2017

Labels: Needs-Feedback
Yeah, it seems like a local installation corruption more than anything.

What versions of libnss3(d) are you using?

Comment 5 by thenic...@gmail.com, Apr 21 2017 

libnss3 2:3.26.2-0ubuntu0.16.04.2

This behaviour started after an upgrade. Any files I could check?

Comment 6 by thenic...@gmail.com, Apr 21 2017 

Error does not happen with a fresh user on the same system.

Comment 7 by rsleevi@chromium.org, Apr 21 2017 

That's encouraging, because it suggests it's something related to your local user configuration. While the NSS DB is stored in ~/.pki/nssdb, it's possible for the system distribution of NSS to have distributed and/or configured one or more modules in other paths (including user paths) that the new user might not have.

I'm not the best at debugging Linux system configuration issues, but usually the suggestion has been to make sure that ~/.pki/nssdb is clean, to ldd the (Chrome, Chromium) binary you're running to make sure it's using the correct version of NSS (per your distribution), and if it still fails, to contact your OS distros support.

Comment 8 by thenic...@gmail.com, Apr 22 2017 

I did a little env-debugging. For some reason I had set LD_LIBRARY_PATH="/usr/lib/firefox" which (I think) caused chrome to load Firefox's libnss, tls et al.

unset'ing the env variable fixed the original problem. 

ldd /usr/lib/firefox/libnss3.so
	linux-vdso.so.1 =>  (0x00007ffef0578000)
	libnspr4.so => /usr/lib/x86_64-linux-gnu/libnspr4.so (0x00007f945ca60000)
	libnssutil3.so => /usr/lib/x86_64-linux-gnu/libnssutil3.so (0x00007f945c833000)
	libplc4.so => /usr/lib/x86_64-linux-gnu/libplc4.so (0x00007f945c62d000)
	libplds4.so => /usr/lib/x86_64-linux-gnu/libplds4.so (0x00007f945c429000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f945c060000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f945be42000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f945bc3e000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f945ba36000)
	/lib64/ld-linux-x86-64.so.2 (0x0000563cd9b2e000)

from: firefix 53.0+build6-0ubuntu0.16.04.1


Thank you for your help. If you're curious I would be happy to provide any more details. 

[SOLVED] for me :)

Comment 9 by rsleevi@chromium.org, Apr 23 2017

Status: WontFix (was: Untriaged)

Sign in to add a comment