GitLab - Secure Connection Failed error on firefox - firefox

Recently I re-installed my GitLab application on my Linux system. When I tried to access my GitLab application link (https://gitlab.domain.com) in the Firefox browser on a Windows system, I got the error below.
Since the certificate was freshly generated, it was conflicting with the existing/previous certificate, so I followed this link workaround. However, even after a system reboot the same error occurs and I can't access my GitLab application in the Firefox browser.
I'm able to access it on Chrome browser without any problem.
Please let me know where I still need to clear the old certificate to make it work on Firefox.

That seems to be the same error as in issue 435013 reported 13 years ago (and still open), where Firefox has an issue with routers and NSS (Network Security Services) (error -8054).
As I understand it, and from the discussion on #312732 which is the underlying issue, the problem is that the crypto uses the cert ID as a unique key in a database.
When a dupe is encountered, you can't have two primary keys in a database, so it just dies with a fatal error, hence Firefox gives up connecting to the site and passes on the fatal error to be presented.
This is not a "fundamental NSS design issue", it's a political issue, Firefox is ACTIVELY refusing to let people access their network equipment.
Check also the firmware of your router:
It seems to me that it is VERY EASY for the server-side products that generate these certificates to more-or-less fix the problem in updated firmware with very little effort. Even simply randomizing the serial numbers in the certs, they would nearly completely eliminate the problem, AFAICT. In fact, it is worth making sure that the affected server-side hardware has up-to-date firmware, because some vendors might have already fixed it on their end already.
Possible workaround (which would work even after FF restart)
This is hardly any fix, but I installed a new Mozilla from scratch on a VM under Virtualbox.
I then browsed to all my local systems I was getting this error on. On connecting from the new Windows system running on the VM to each local IP, I received the warning, and created the exception.
I then went into Preferences>Advanced, and exported all the certificates to a share on one of my NAS units.
I proceeded back to the broken Mozilla running on my Mac OS X 10.11.1, and I Imported all the certificates.
I then restarted FF, and connected to each device I was getting the error on, and I received the "This is an untrusted connection, Get me out of here, or would you like to create an exception." YES!!
I created the exception, and finally I could get to my firewalls, and all other local devices.
Other workaround:
1. Run: firefox --no-remote --ProfileManager
2. Create a new profile there.
3. Open a new instance of Firefox using the new profile. To run Firefox with the profile you can use the command from 1. or: firefox --no-remote -P profile_name
4. Do the actions there as if it was a separate installation of Firefox.
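The duplicate described above (NSS error -8054, SEC_ERROR_REUSED_ISSUER_AND_SERIAL) can be found before a browser trips over it. The following is an added example, not part of the original answer: it reads the text that `openssl x509 -noout -issuer -serial -fingerprint -sha256` prints for each device certificate and reports every issuer and serial pair shared by certificates with different fingerprints. The sample data and function names are constructed for this example, and it assumes all outputs come from the same OpenSSL version.

```python
import re
from collections import defaultdict

# Constructed sample: text printed by
#   openssl x509 -noout -issuer -serial -fingerprint -sha256 -in <file>
# for four device certificates. File names, issuers and the shortened
# fingerprints are made up for this example.
SAMPLE = {
    "router.pem": "issuer=CN = device.local, O = ExampleVendor\nserial=01\nsha256 Fingerprint=AA:AA:AA:AA\n",
    "nas.pem": "issuer=CN = device.local, O = ExampleVendor\nserial=01\nsha256 Fingerprint=BB:BB:BB:BB\n",
    "switch.pem": "issuer=CN = switch.local, O = OtherVendor\nserial=01\nsha256 Fingerprint=CC:CC:CC:CC\n",
    "printer.pem": "issuer=CN = device.local, O = ExampleVendor\nserial=7C21D4\nsha256 Fingerprint=DD:DD:DD:DD\n",
}

FIELD = re.compile(r"^(issuer|serial|sha256 fingerprint)\s*=\s*(.*)$", re.IGNORECASE)


def parse_identity(openssl_output):
    """Return (issuer, serial, fingerprint) from one certificate's output."""
    found = {}
    for line in openssl_output.splitlines():
        match = FIELD.match(line.strip())
        if match:
            found[match.group(1).lower()] = match.group(2).strip()
    issuer = re.sub(r"\s*=\s*", "=", found["issuer"])    # "CN = x" -> "CN=x"
    serial = found["serial"].upper().lstrip("0") or "0"  # 01 and 1 are the same integer
    return issuer, serial, found["sha256 fingerprint"].upper()


def find_reused_issuer_serial(certs):
    """Map each (issuer, serial) shared by *different* certificates to their labels."""
    by_key = defaultdict(lambda: defaultdict(list))
    for label, text in certs.items():
        issuer, serial, fingerprint = parse_identity(text)
        by_key[(issuer, serial)][fingerprint].append(label)
    return {
        key: sorted(label for labels in fps.values() for label in labels)
        for key, fps in by_key.items()
        if len(fps) > 1  # same key, more than one distinct certificate
    }


if __name__ == "__main__":
    for (issuer, serial), labels in find_reused_issuer_serial(SAMPLE).items():
        print(f"issuer+serial reused: {issuer} / {serial}: {', '.join(labels)}")
```

On the sample, only router.pem and nas.pem are reported: switch.pem reuses serial 01 under a different issuer, and printer.pem has the same issuer with a distinct serial.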

Related

PostgreSQL Stack Builder Installation Certificate verification problem on Windows

I have downloaded and installed PostgreSQL 12 (64 bit) on a developer machine running Windows 10 Pro Education (64 bit).
When the installation came to the Stack Builder download application list step, an error occurred as follows:
A certification verification problem was encountered whilst accessing https://www.postgresql.org/applications-v2.xml schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline. This means that the source download cannot be verified. It is recommended that you do not continue with the download as it may be coming from a site that is pretending to be the intended download site and may contain viruses or malware.
Do you wish to continue?
I have tried to use Proxy servers referring to this answer. https://serverfault.com/questions/555125/postgresql-stack-builder-installation-proxy-setting-on-windows
I have also tried both solutions from that question. Still, I can not get the application list downloaded.
I want to install PostGIS. It seems the stack builder is safe and easy to use. What should I do to get the PostGIS installed?
Looks like https://www.postgresql.org/applications-v2.html link has some strong security. And it blocks some traffic. As #ay__ya has mentioned, in his case he made it work through VPN access. And in my case I was already behind the VPN and it was not working. So disabling VPN worked for me.
Go to https://www.postgresql.org/applications-v2.html and save as a *.CER file the certificate of the webpage.
Using "certmgr.msc" import the *.CER file into your local certificates repository to the Trusted People store or/and Enterprise Trust store.
Rerun Stack builder and retry download application list step.
Should work now.

localhost chrome on catalina

I can not get localhost to work on chrome after upgrading to macOS Catalina. I spent a lot of time trying to figure out why I was getting this message
localhost normally uses encryption to protect your information. When Google Chrome tried to connect to localhost this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be localhost, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.
You cannot visit localhost right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.
(I wish I had taken a screen shot)
I don't know if this is the "best" solution but it got me able to code again so I figured I would share. I was seriously stuck and couldn't find any answers and saw someone mention this solution to another issue. Go to chrome://flags/#allow-insecure-localhost and change to enable.
Hope this helps someone else. I know this isn't really a question but there's not really a way to just share this. I guess I could use twitter and reddit.
OS X Catalina increased the requirements for an SSL/TLS certificate to be acceptable around November 2019. Notably, certificates now need a "Subject Alternative Name" section, which was not previously required. Note that this is an OS-level requirement and not specific to a single browser (although it doesn't affect Firefox because Firefox doesn't use the OS security stack).
The solution to your issue is how you generate the SSL certificate, not anything you can do as a Chrome user. This particular issue can not be bypassed by clicking through a Chrome warning message.
Also note that fixing this issue for OS X may make the certificate unusable on Chrome + Linux (I have linked to WebPack Dev Server's GitHub Issue discussion of this issue).
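A quick way to see whether a development certificate meets the Subject Alternative Name requirement described above, as an added example that is not part of the original answer: the Python below inspects the text printed by `openssl x509 -noout -text` and reports whether a SAN section exists and whether it covers the host name in use. The two certificate excerpts are constructed, and the function names and result strings are this example's own.

```python
# Constructed excerpts of `openssl x509 -noout -text` output.
CN_ONLY = """\
        Subject: CN = localhost
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""
WITH_SAN = """\
        Subject: CN = localhost
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:*.dev.test, IP Address:127.0.0.1
"""


def san_entries(x509_text):
    """Return (type, value) pairs from the SAN section, or [] if there is none."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            items = [part.strip() for part in lines[i + 1].split(",") if part.strip()]
            # Split on the first ":" only, so IPv6 values stay intact.
            return [tuple(s.strip() for s in item.split(":", 1)) for item in items]
    return []


def covers(host, entries):
    """True if one SAN entry matches host (exact DNS, one-label wildcard, or IP)."""
    host = host.lower()
    for kind, value in entries:
        value = value.lower()
        if kind == "IP Address" and value == host:
            return True
        if kind == "DNS":
            if value == host:
                return True
            # A wildcard stands for exactly one left-most label.
            if value.startswith("*.") and "." in host and host.split(".", 1)[1] == value[2:]:
                return True
    return False


def check(host, x509_text):
    entries = san_entries(x509_text)
    if not entries:
        return "missing-san"  # certificate identifies itself by CN only
    return "ok" if covers(host, entries) else "name-not-in-san"
```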

Where integration bots are stored?

Where does OSX Server store integration bots? Or is it my local Xcode who stores them? Server screwed my setup again, but this time I'm no longer able to see my bots.
Just want to express my deep frustration with Xcode CI:
OSX Server (or whatever it's called) is one of a kind piece of software, giving me incredible headaches lately with its lagginess, bugginess and poor performance. I think over the past week I experienced all possible errors Server has to offer:
"internal error updating bot" (please try again later);
"error reading service configuration" (or similar wording) - requires Xcode reset; continue to occur randomly again and again with no reasons;
"Xcode version is not supported" - only reboot seems to convince server to use Xcode which was already used previously
Randomly, fail integrations because "device is not connected", given that I test desktop application for OSX...
Finally, after yet another episode of screwing my setup, I no longer can see my bots on the server - they vanished. Well done, Server.
The bots and integrations are stored on the server.
The directory should look something like /Users/<xcode_server_tester_user_name>/Library/Caches/XCSBuilder/Bots
(OSX-Server 5.3 (16S4123), Xcode 8.3.2 (8E2002))
I hate to say this but I found restarting the machine is a good way to resolve frustration No. 1 and 2.
The "device is not connected" error often happens right after OS, OSX-Server or Xcode is upgraded.
Usually reselecting devices from the Xcode UI works for me.
Although sometimes it may require repeating multiple times and waiting for a long time for the device list to load.
On your OSX Server machine, deleting the simulator and re-adding it via Xcode->Devices sometimes helps too.
Another way is to delete all simulators from the linked Xcode on OSX Server machine and only keep the ones you want to test your project on. Configure the bot to use All iOS Devices and Simulators.
Even though Xcode Server now runs as a specific user, the configuration files are kept in /Library/Developer/XcodeServer. You can also hit the Xcode Server API to get information about your bots.
In a Couchbase db.
I don't know how to access the contents though.
Enter this in Safari on your server
http://localhost:10355/_utils/

What would cause SSL Certificate errors across all installed OSX browsers but Firefox?

Every attempt to connect to Wired.com is met with a certificate error.
I've checked the usual suspects and even done things that probably have nothing to do with it.
Browsers tried
Safari=failed
Chrome=failed
Brave=failed
Firefox=success
Verified no Chrome extensions interfering (incognito w/ no approved incog extensions)
Same with Safari.
Flushed DNS
Rebooted
Time settings obv correct
I started to get paranoid thinking that something is hijacking my connection, but the only active ports I've got open and connected are... well, supposed to be open. And then the fact that it works with Firefox is even stranger. Firefox is my proxy browser, but it works via proxy w/out.
This is a recently upgraded Sierra machine. I'm not an avid wired reader, so I couldn't tell you if it was happening previously, but I can say I've got 4 other mac test machines here and none of them are experiencing the same issue.
Sierra vs Capitan doesn't make a difference. And this is now going on a 2 week issue. Wired appears to be literally the only site affected. At this point it's more a curiosity at getting to the bottom of this than anything else, since it does appear to be something isolated to this machine.
Also, I think we can rule out a CDN issue. As all my other machines are connecting from this same wanIP.
Man, just absolutely any suggestions for more internals I could go digging through to try and get to the bottom of this would be oh so greatly appreciated. Because I've about relegated myself to keyboard head smashing.
The problem is (most likely) caused by a recent issue at GlobalSign, as they incorrectly revoked their cross-certificates. Full statement from GlobalSign: Certificate Revocation Issue
Thanks guys. That GlobalSign certificate was cached.
Removing the cache at /var/db/crls worked.
I backed it up first just in case, but sudo wiping the cache didn't cause any problems.
sudo rm /var/db/crls/crlcache*
sudo rm /var/db/crls/ocspcache.db*

Unable to surf to twitter with chrome: NET: ERR_CERT_AUTHORITY_INVALID

After I installed Ghostery into Chrome (MacOS 10.0.5, Chrome Version 42.0.2311.90 (64-bit), fully up to date), suddenly Chrome can't surf to twitter.com without complaining that the Symantec Class 3 EV SSL CA - G3 is invalid. I removed this extension, restarted Chrome, even restarted the computer, but still the issue remains.
Safari also complains, but interestingly, Firefox remains able to access twitter.com without complaints. So this implies to me that the certs as stored by Keychain Access are ok.
Has anybody seen this/know how to fix? So far, I've checked that the computer's time is fine (some posts say that might be an issue), and verified everything about accessing my twitter account with Firefox is fine.
If there's some version of the certs stored in Chrome and Safari I can clear to fix this, that'd be great, but clearing the generic content cache doesn't seem to do anything.
Any ideas appreciated.
I have just tested it and solved it, the reply is in #gui47's comment:
go to your keychain
remove the Verisign Class 3 Public Primary Certification Authority - G5 certificates from sessions or login
close everything, reboot
no idea why it happened so suddenly
If nothing you do solves the problem, what I discovered is that my corporate masters operate a man in the middle attack against all their employees using Blue Coat security (https://www.bluecoat.com/products/ssl-decryption-visibility-and-management). Your web browser will likely have your employer's dodgy certificate installed as a trusted root certificate, so for the vast majority of HTTPS web sites, the behaviour of this rather nasty piece of software will be transparent, however if the site uses HSTS and your web browser (such as recent versions of Chrome) looks for it, then you will get this error.
What this means is that your employer is not to be trusted and you shouldn't be online banking at this particular workplace. It also means that your employer, rightly or wrongly doesn't trust you. My IT department brazenly denied that this is a MitM attack, which leads me to also doubt their competence if they don't know what a MitM attack is, especially when they are the MitM!
Nothing is required.
Just clear your cache and do the following
Privacy -->Content settings -->Do not allow any site to run JavaScript
Problem solved.
