Certificate errors since install of 28.8.0 (64-bit)

[nickm81]

The title says it all. I am seeing quite a few certificate errors since my upgrade to 28.8.0 (64-bit). One example is reddit.com, another example is my bank (firststateks.com). Screen shots are attached. Both sites loaded fine in PM previous to the 28.8.0 upgrade, and still load fine in other browsers (Chrome, Edge). I am not behind a proxy.

Here's the troubleshooting steps I've tried so far, restarting Pale Moon before and after each step --

- Cleared all cache/history/cookies/site preferences.
- Restarted with no add-ons.
- Created a brand new PM profile -- still certificate errors.


Any help or suggestions would be appreciated.

Thank you!

--

[Moonraker]

I can get to reddit.com just fine.I am using linux with PM 28.8.0.Which preferences are you using in certificate manager.?

[Moonchild]

Did your antivirus software intercept the https connection? ("https filtering" "web shield" or whatever else they might call it)

[nickm81]

Moonchild -- no, my antivirus does not monitor inbound or outbound connections to the PC.

Moonraker -- What settings should I check? I navigated to Preferences --> Advanced --> Certificates --> View Certificates, and I see the certificates and CAs, but apart from that, I'm not sure what I'm looking for.


Thanks.

[adesh]

Also check if date and time on your system is current.

[Moonchild]

The error is that the certificate issuer is unknown. The most common problem with that is something intercepting https and using a global wildcard certificate which is (obviously) never CA signed.
Other potential causes are already indicated in the error message itself: server operator error not having a proper chain of certificates offered is one, but I'm sure Reddit would have that in order, so it's very unlikely to actually be the case. Other potential issues could be a proxy setting or a problem with the browser installation.

so:

Moonchild -- no, my antivirus does not monitor inbound or outbound connections to the PC.

I have to ask: are you absolutely sure about this? Especially since it was with an update of the browser, it may have triggered a "potentially untrusted" state for the browser subject to tighter scrutiny. Alternatively it's possible that the AV interfered with the actual update process and now being a mismatch of libraries causing connection errors...

Please post the output of help->troubleshooting information.

[therube]

When you tested in the new Profile, it was virgin?

What are your settings for; Tools | Preferences | Advanced -> Connection [Settings..] --> ?

[coffeebreak]

Do you by any chance use the adblocker AdGuard? It uses HTTPS filtering.
See here and here.

[nickm81]

- System date and time is correct, set by NTP. Good call on that one, though. I've had folks burned by that before.
- New profile was brand new, created by me without importing anything into it.
- I am sure my antivirus is not touching incoming/outgoing HTTPS connections, these same websites load normally in other web browsers.
- I am not using AdGuard.
- The new profile was brand new, created by me just for this troubleshooting.

Forgot to mention earlier, I'm on Windows 10 Enterprise 64-bit (Version 1809).

My troubleshooting info text is attached. I had to edit out a few of the printers listed, since they were specific to my work place.

Thank you!

[Moonchild]

I am sure my antivirus is not touching incoming/outgoing HTTPS connections, these same websites load normally in other web browsers.

The latter doesn't necessarily conclude the former. antivirus usually has special rules for handling mainstream software that might not apply to Pale Moon.

they were specific to my work place.

If you are on a work network, then your endpoint security solution may actually intercept secure connections from "unknown" applications, which may include a new version of the browser if not pre-announced.
You may want to ask your IT dept. at the workplace if this might be the issue.

Thanks for the troubleshooting info but there's nothing in there that points to a problem within the browser.

[nickm81]

I am sure my antivirus is not touching incoming/outgoing HTTPS connections, these same websites load normally in other web browsers.

The latter doesn't necessarily conclude the former. antivirus usually has special rules for handling mainstream software that might not apply to Pale Moon.

they were specific to my work place.

If you are on a work network, then your endpoint security solution may actually intercept secure connections from "unknown" applications, which may include a new version of the browser if not pre-announced.
You may want to ask your IT dept. at the workplace if this might be the issue.

Thanks for the troubleshooting info but there's nothing in there that points to a problem within the browser.

I'm still bit skeptical, but I will definitely put the ask out there.

Thank you everyone for your help.

[Moonchild]

Not entirely sure what there is to be skeptical about -- if end-to-end encryption fails, Pale Moon will present you with an error. If it was a browser or server error, it would be reproducible by others as well (which doesn't seem to be the case) so the problem must lie on the path between browser and server, with the most likely location the work network or workstation setup.

It may help if you actually get the certificate information of the certificate that is presented (and that Pale Moon isn't trusting) to see which entity issued it.

[nickm81]

It may help if you actually get the certificate information of the certificate that is presented (and that Pale Moon isn't trusting) to see which entity issued it.

Good idea. How can I do that if Pale Moon doesn't load the site? If I click in the address bar where I'm normally able to inspect the cert, it says the standard "This website does not supply
identity information. Your connection to this website is not encrypted."

Thanks.

[Moonchild]

You may have to enable browser.xul.error_pages.expert_bad_cert in about:config first to get the option on the network error page to "add an exception".
Then visit the problematic site again, select "add exception" to open the exception dialog.
In that exception dialog you can then retrieve certificate information for the connection.

I know it's a bit of work to go through those hoops but they are there so people don't willy-nilly add exceptions for secure connections when they really shouldn't.