Waterfox: Can not open forum.geforce.com due to certificate

No problem here with 56.2.3 on FreeBSD-CURRENT: https://imgur.com/UQJtCXc

Windows

Which version?

I see this issue with Waterfox 56.2.3 on Linux. I also see it in Firefox, and in Otter Browser (which is not Gecko based). I don't see the issue in Chromium.

@hyno111 What other browsers did you try?

@grahamperrin Do you know if FreeBSD Waterfox build is done with ac_add_options --with-system-nss or similar build-time option? I ask because, of the browsers I have available, Chromium is the only one I installed using the system package manager.

OK, I have it now, 56.2.3 on Kubuntu,

forums.geforce.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

Do you know if FreeBSD Waterfox build is done with ac_add_options --with-system-nss or similar build-time option?

# pkg info waterfox | grep repository
        repository     : poudriere
# 

Configure options from about:buildconfig on FreeBSD-CURRENT:

CONFIG_SHELL=/bin/sh --enable-application=browser --enable-update-channel=release --disable-tests PKG_CONFIG=pkgconf CC=cc CXX=c++ --disable-debug-symbols --enable-release --enable-jack --enable-profiling --enable-system-ffi --enable-default-toolkit=cairo-gtk3 --with-system-graphite2 --with-system-harfbuzz LLVM_CONFIG=llvm-config60 --enable-rust-simd PERL=/usr/local/bin/perl MAKE=gmake --enable-system-hunspell --enable-alsa --enable-dtrace --enable-gconf --disable-install-strip --disable-libproxy --enable-optimize --enable-pie --enable-pulseaudio --enable-startup-notification --disable-strip --enable-system-pixman --enable-system-sqlite --disable-updater --prefix=/usr/local --with-app-basename=Waterfox --with-app-name=waterfox --with-distribution-id=org.waterfoxproject --with-intl-api --with-system-bz2 --with-system-icu --with-system-jpeg=/usr/local --with-system-libevent --with-system-libvpx --with-system-nspr --with-system-nss --with-system-ogg --with-system-png=/usr/local --with-system-vorbis --with-system-zlib

https://www.freshports.org/www/waterfox build dependencies include:

• nss>=3.32.1 : security/nss

This might be some firefox grandstanding, the symantec certificates that mozilla blocked have not been trusted now they are under the digicert umbrella, mozilla are taking some bullshit stance on the transferral and continue to block these perfectly fine certificates.

From related topics in the affected forum

https://forums.geforce.com/default/topic/1067929/

After a month or so this is finally fixed. nVidia updated their certificate.

It's still refusing to load for me in Firefox

https://forums.geforce.com/default/topic/1071155/

… blocked by the test versions (v70 and v71) of Chrome. …

Firefox is rejecting the certificate now.

THey're still using a RapidSSL certificate, which is a Symantec brand and will be blocked by Chrome and Firefox soon.

https://forums.geforce.com/default/topic/1073578/3d-vision/-/post/5881650/#5881650 two days ago:

… the SSL certificate used on the forums is issued by Symantec, and the recent Firefox builds completely block it. With Firefox as my main browser, I … switch to Chrome to check it.

With Kubuntu updated a few minutes ago, the forum is usable with these applications:

• Waterfox 56.2.3
• Firefox
• Firefox Nightly, but NB this is inferior (62.0a1) to Firefox (62.0)
• Tor
• Falkon
• Chromium (69.0.3497.81).

Certificate issuer:

CN = RapidSSL TLS RSA CA G1
OU = www.digicert.com
O = DigiCert Inc
C = US

@hyno111 thanks and I'm curious, did you find things better following an update (maybe automated) to Windows?

Nothing changed in my system, but I can no longer reproduce the issue.
The system is Windows 10 x64 1709.

Thanks for the reply.

Note to self, for a different SEC_ERROR_UNKNOWN_ISSUER case, useful responses at:

• https://www.reddit.com/comments/9kgj59/-/e730vsb/
• https://www.reddit.com/comments/9kgj59/-/e71h4fq/

From the latter:

… virus scanner …fox doesn't trust your Kaspersky's certs.

The real … certificate is issued by Digicert: