Firefox 'Secure Connection Failed'

I see a generic “Secure Connection Failed - The page you are trying to view cannot be shown because the authenticity of the received data could not be verified” error when trying to connect to https://worldbarcodes.com using Firefox 89.0 (64-bit).

Doing a forced refresh loads the HTML but no assets. They all show as 0 B transferred. At that point, Firefox displays a valid SSL connection with a signed Cloudflare certificate.

Of note:

  • SSL is set to ‘Full’ at Cloudflare with an active universal certificate.
  • Always Use HTTPS, Automatic HTTPS Rewrites and TLS 1.3 are on
  • I’m on macOS and no other browsers (Safari / Chrome / Brave / wget / curl) exhibit this issue.
  • Firefox on other networks and other countries has the same issue (I’m in NZ and have had reports from fellow Kiwis, and from as far away as Argentina) BUT
  • The site loads fine when I connect via a VPN. Weird…
  • System time is OK.
  • HSTS (Strict-Transport-Security) is enabled in Cloudflare.
  • SSL Server Test (Powered by Qualys SSL Labs) gives an A+ rating.

The security tab in dev tools shows the following after a forced refresh shows the HTML:
{
“Connection:”: {
“Protocol version:”: “TLSv1.3”,
“Cipher suite:”: “TLS_AES_128_GCM_SHA256”,
“Key Exchange Group:”: “x25519”,
“Signature Scheme:”: “ECDSA-P256-SHA256”
},
“Host worldbarcodes.com:”: {
“HTTP Strict Transport Security:”: “Enabled”,
“Public Key Pinning:”: “Disabled”
},
“Certificate:”: {
“Issued To”: {
“Common Name (CN):”: “sni.cloudflaressl.com”,
“Organization (O):”: “Cloudflare, Inc.”,
“Organizational Unit (OU):”: “”
},
“Issued By”: {
“Common Name (CN):”: “Cloudflare Inc ECC CA-3”,
“Organization (O):”: “Cloudflare, Inc.”,
“Organizational Unit (OU):”: “”
},
“Period of Validity”: {
“Begins On:”: “23 July 2020”,
“Expires On:”: “24 July 2021”
},
“Fingerprints”: {
“SHA-256 Fingerprint:”: “stuff”,
“SHA1 Fingerprint:”: “stuff”
},
“Transparency:”: “”
}
}

I’m seeing similar behavior for your site.
How long have you had this domain on Cloudflare?

The domain has been there for years.

I think I have the answer though - disabling HTTP/3 (with QUIC) has done it. Maybe going via a VPN downgraded it to HTTP/2 and that’s why it worked.

1 Like

That’s interesting because I use Firefox 89 with QUIC and haven’t had this problem viewing my sites.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.