[18790:18823:0705/233925.020291:ERROR:cert_verify_proc_nss.cc(980)] CERT_PKIXVerifyCert for site failed err=-8101
Reported by
dalean...@gmail.com,
Jul 6
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
1. Access site with cert type: X9.62 ECDSA Signature with SHA-256
2. get error [18790:18823:0705/233925.020291:ERROR:cert_verify_proc_nss.cc(980)] CERT_PKIXVerifyCert for site failed err=-8101

What is the expected behavior?
Able to access the site

What went wrong?
Unable to access the site.
Your connection is not private
Attackers might be trying to steal your information from powerwall (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_INVALID
with debugging, got: [18790:18823:0705/233925.020291:ERROR:cert_verify_proc_nss.cc(980)] CERT_PKIXVerifyCert for site failed err=-8101

Did this work before? N/A

Chrome version: 67.0.3396.99 Channel: stable
OS Version: Ubuntu 16.04
Flash Version:
,
Jul 6
,
Jul 6
Can you please attach a chrome://net-export log (as detailed at https://www.chromium.org/for-testers/providing-network-details)? Is this a publicly accessible site, or a private Enterprise site? If you can attach the certificate (if Enterprise) or point to which site on https://crt.sh/ (if publicly accessible), that'd also help. Finally, what version of Mozilla NSS are you running (for Ubuntu, this is the libnss3 package)?
,
Jul 6
(-8101 appears to be SEC_ERROR_INADEQUATE_CERT_TYPE.)
,
Jul 9
net export
,
Jul 9
cert
,
Jul 9
ii libnss3:amd64 2:3.28.4-0ubuntu0.16.04.3 amd64 Network Security Service libraries
,
Jul 9
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 9
I include this in my self-signed cert:
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
Could the ExtKeyUsage be causing the issue?
,
Jul 10
Was there something in particular that directed you to include keyEncipherment? As you're using an ECDSA key, that's not the correct key usage (see https://tools.ietf.org/html/rfc5480#section-3 ). Just using KeyUsageDigitalSignature is correct. I suspect it may have been a carryover from when you previously used an RSA key, which does need keyEncipherment for some TLS ciphersuites. Does that resolve your issue?
,
Jul 10
Removing the CA flag and the KeyUsageCertSign usage fixed it. Strange that Firefox, Safari, Chrome etc. all work on Mac, and on Ubuntu. Only Chrome didn't work though. That still seems strange to me.
,
Jul 10
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 10
In this case, it's due to NSS being stricter than other platforms' cryptographic libraries. We're working to ensure that we're consistently strict on all platforms, but it was definitely an invalid certificate. Microsoft and Apple are just more forgiving of those (than they should be / than others are).
Comment 1 by kenrb@chromium.org, Jul 6
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug