Firefox and SSL sec error unknown issuer

Question

My client gets a sec error unknown issuer error message when visiting https   mediant ipmail nl with Firefox  I can t reproduce the error myself  I installed FF on a Vista and a XP machine and had no problems  FF on Ubuntu also works fine   Does anyone get the same error and does anyone have some clues for me so I can tell my ISP to change some settings  The certificate is a so called wild-card SSL certificate that works for all subdomains    ipmail nl   Was I wrong to pick the cheapest one

User · Answer

I know this thread is a little old but we ran into this too and will archive our eventual solution here for others.

We had the same problem with a Comodo wildcard "positive ssl" cert. We are running our website using a squid-reverse SSL proxy and Firefox would keep complaining "sec_error_unknown_issuer" as you stated, yet every other browser was OK.

I found that this is a problem of the certificate chain being incomplete. Firefox apparently does not have one of the intermediary certificates build in, though Firefox does trust the root CA. Therefore you have to provide the whole chain of certificates to Firefox. Comodo's support states:

An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate. The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.

Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.

This was already touched on earlier in this thread but it did not resove how you do this.

First you have to make a chained certificate bundle and you do that by using your favorite text editor and just paste them in, in the correct (reverse) order i.e.

Intermediate CA Certificate 2 - IntermediateCA2.crt - on top of the file
Intermediate CA Certificate 1 - IntermediateCA1.crt
Root CA Certificate - root.crt - at the end of the file

The exact order you can get from your ssl provider if its not obvious from the names.

Then save the file as whatever name you like. E.g. yourdomain-chain-bundle.crt

In this example I have not included the actual domain certificate and as long as your server can be configured to take a separate chained certificate bundle this is what you use.

More data can be found here:

https://support.comodo.com/index.php?/Knowledgebase/Article/View/643/0/how-do-i-make-my-own-bundle-file-from-crt-files

If for some reason you can't configure your server to use a separate chained bundle, then you just paste your server certificate in the beginning (on the top) of the bundle and use the resulting file as your server cert. This is what needs to be done in the E.g Squid case. See below from the squid mailing list on this subject.

http://www.squid-cache.org/mail-archive/squid-users/201109/0037.html

This resolved it for us.

User · Answer

To answer the non-reproducability aspect of the question - Firefox automatically imports intermediate certificates into its certificate store  So if you ve previously visited a site which has used the same Intermediate Certificate using a correctly configured certificate chain then Firefox will store that Certificate so you will not see the problem when you visit a site that has an incorrectly configured chain using the same Intermediate certificate   You can check this in Firefox s Certificate Manager  Options- Privacy amp Security- View Certificates     where you can see all stored certificates  Under the  Security Device  Column you can check where a certificate has come from - automatically manually imported certificates will appear as from  Software Security Device  as opposed to the  Builtin Object Token   which are the default set installed with Firefox  You can delete Distrust any specific certificates and test again

User · Answer

For nginx do this  Generate a chained crt file using    cat www example com crt bundle crt  gt  www example com chained crt   The resulting file should be used in the ssl certificate directive   server       listen              443 ssl      server name         www example com      ssl certificate     www example com chained crt      ssl certificate key www example com key

User · Answer

If anyone else is experiencing this issue with an Ubuntu LAMP and  COMODO Positive SSL  try to build your own bundle from the certs in the compressed file   cat AddTrustExternalCARoot crt COMODORSAAddTrustCA crt COMODORSADomainValidationSecureServerCA crt  gt  YOURDOMAIN ca-bundle

User · Answer

If you got your cert from COMODO your need to add this line  the file is on the zip file you received   SSLCertificateChainFile  path COMODORSADomainValidationSecureServerCA crt

User · Answer

Which version of Firefox on which platform is your client using   The are people having the same problem as documented here in the Support Forum for Firefox  I hope you can find a solution there  Good luck   Update   Let your client check the settings in Firefox  On  Advanced  -  Encryption  there is a button  View Certificates   Look for  Comodo CA Limited  in the list  I saw that Comodo is the issuer of the certificate of that domain name server  On two of my machines  FF 3 0 3 on Vista and Mac  the entry is in the list  by default Mozilla

User · Answer

As  user126810 said  the problem can be fixed with a proper SSLCertificateChainFile directive in the config file   But after fixing the config and restarting the webserver  I also had to restart Firefox  Without that  Firefox continued to complain about bad certificate  looks like it used a cached one

User · Answer

Had same issue this end of week  only Firefox will not accept certificate    The solution for me has been to add  in the apache configuration of the website  the intermediate certificate with the following line    SSLCACertificateFile  your path to ssl ca certs pem   Find more infomration on https   httpd apache org docs 2 4 fr mod mod ssl html

User · Answer

Firefox is more stringent than other browsers and will require proper installation of an intermediate server certificate  This can be supplied by the cert authority the certificate was purchased from  the intermediate cert is typically installed in the same location as the server cert and requires the proper entry in the httpd conf file   while many are chastising Firefox for it s  generally  exclusive  flagging  of this  it s actually demonstrating a higher level of security standards

User · Answer

We had this problem and it was very much Firefox specific -- could only repro in that browser  Safari  IE8  Chrome  etc were all fine   Fixing it required getting an updated cert from Comodo and installing it   No idea what magic they changed  but it was definitely something in the cert that Firefox did NOT like

User · Answer

I had this problem with Firefox and my server  I contacted GoDaddy customer support  and they had me install the intermediate server certificate   http   support godaddy com help article 868 what-is-an-intermediate-certificate  After a re-start of the World Wide Web Publishing Service  everything worked perfectly   If you do not have full access to your server  your ISP will have to do this for you

User · Answer

June 2014   This is the configuration I used and it working fine after banging my head on the wall for some days  I use Express 3 4  I think is the same for Express 4 0   var privateKey    fs readFileSync  helpers sslcert key pem    utf8    var certificate   fs readFileSync  helpers sslcert csr pem    utf8     files     COMODORSADomainValidationSecureServerCA crt             COMODORSAAddTrustCA crt             AddTrustExternalCARoot crt              ca    function       var  i   len   results      results         for   i   0   len   files length   i  lt   len   i          file   files  i        results push fs readFileSync  helpers sslcert     file          return  results         var credentials    ca ca  key  privateKey  cert  certificate       process env PORT   Heroku Config environment var port   process env PORT    4000   var app   express    var server   http createServer app  listen port  function             console log  Express HTTP server listening on port     server address   port       https createServer credentials  app  listen 3000  function             console log  Express HTTPS server listening on port     server address   port           redirect all http requests to https app use function req  res  next      if  req secure        return res redirect   https   mydomain com   req url  join             next          Then I redirected the 80 and 443 ports   sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 4000 sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3000   As you can see after checking my certifications I have 4  0 1 2 3       openssl s client -connect mydomain com 443 -showcerts   grep        ubuntu ip-172-31-5-134    openssl s client -connect mydomain com 443 -showcerts   grep      depth 3 C   SE  O   AddTrust AB  OU   AddTrust External TTP Network  CN   AddTrust External CA Root verify error num 19 self signed certificate in certificate chain verify return 0  0 s  OU Domain Control Validated OU PositiveSSL CN mydomain com    i  C GB ST Greater Manchester L Salford O COMODO CA Limited CN COMODO RSA Domain Validation Secure Server CA  1 s  C GB ST Greater Manchester L Salford O COMODO CA Limited CN COMODO RSA Domain Validation Secure Server CA    i  C GB ST Greater Manchester L Salford O COMODO CA Limited CN COMODO RSA Certification Authority  2 s  C GB ST Greater Manchester L Salford O COMODO CA Limited CN COMODO RSA Certification Authority    i  C SE O AddTrust AB OU AddTrust External TTP Network CN AddTrust External CA Root  3 s  C SE O AddTrust AB OU AddTrust External TTP Network CN AddTrust External CA Root    i  C SE O AddTrust AB OU AddTrust External TTP Network CN AddTrust External CA Root     Protocol    TLSv1 1     Cipher      AES256-SHA     Session-ID  8FDEAEE92ED20742     3E7D80F93226142DD     Session-ID-ctx      Master-Key  C9E4AB966E41A85EEB7    4D73C67088E1503C52A9353C8584E94     Key-Arg     None     PSK identity  None     PSK identity hint  None     SRP username  None     TLS session ticket lifetime hint  300  seconds      TLS session ticket      0000 - 7c c8 36 80 95 4d 4c 47-d8 e3 ca 2e 70 a5 8f ac     6  MLG    p        0010 - 90 bd 4a 26 ef f7 d6 bc-4a b3 dd 8f f6 13 53 e9     J amp           S      0020 - f7 49 c6 48 44 26 8d ab-a8 72 29 c8 15 73 f5 79    I HD amp        s y     0030 - ca 79 6a ed f6 b1 7f 8a-d2 68 0a 52 03 c5 84 32    yj        R   2     0040 - be c5 c8 12 d8 f4 36 fa-28 4f 0e 00 eb d1 04 ce                        0050 - a7 2b d2 73 df a1 8b 83-23 a6 f7 ef 6e 9e c4 4c      s           L     0060 - 50 22 60 e8 93 cc d8 ee-42 22 56 a7 10 7b db 1e   P       B V          0070 - 0a ad 4a 91 a4 68 7a b0-9e 34 01 ec b8 7b b2 2f     J      4           0080 - e8 33 f5 a9 48 11 36 f8-69 a6 7a a6 22 52 b1 da    3  H   i    R       0090 - 51 18 ed c4 d9 3d c4 cc-5b d7 ff 92 4e 91 02 9e               N        Start Time  140   549     Timeout     300  sec      Verify return code  19  self signed certificate in certificate chain    Good luck  PD  if u want more answers please check  http   www benjiegillam com 2012 06 node-dot-js-ssl-certificate-chain

User · Answer

Just had the same problem with a Comodo Wildcard SSL cert  After reading the docs the solution is to ensure you include the certificate chain file they send you in your config i e   SSLCertificateChainFile  etc ssl crt yourSERVERNAME ca-bundle   Full details on Comodo site

User · Answer

I ve being going round in circles with Firefox 43  El Capitan and WHM cPanel SSL installation continually getting the Untrusted site error - I didn t buy the certificate it was handed over to me to install as the last guy walked out the door  Turns out I was installing under the wrong domain because I missed off the www - but the certificate still installed against the domain  when I installed the certificate in WHM using www domain com au it installed now worries and the FF error has gone - the certificate works fine for both www and non-www

User · Answer

I had this problem with Firefox and my server  I contacted GoDaddy customer support  and they had me install the intermediate server certificate   http   support godaddy com help article 868 what-is-an-intermediate-certificate  After a re-start of the World Wide Web Publishing Service  everything worked perfectly   If you do not have full access to your server  your ISP will have to do this for you

User · Answer

As  user126810 said  the problem can be fixed with a proper SSLCertificateChainFile directive in the config file   But after fixing the config and restarting the webserver  I also had to restart Firefox  Without that  Firefox continued to complain about bad certificate  looks like it used a cached one

User · Answer

Which version of Firefox on which platform is your client using   The are people having the same problem as documented here in the Support Forum for Firefox  I hope you can find a solution there  Good luck   Update   Let your client check the settings in Firefox  On  Advanced  -  Encryption  there is a button  View Certificates   Look for  Comodo CA Limited  in the list  I saw that Comodo is the issuer of the certificate of that domain name server  On two of my machines  FF 3 0 3 on Vista and Mac  the entry is in the list  by default Mozilla

User · Answer

For nginx do this  Generate a chained crt file using    cat www example com crt bundle crt  gt  www example com chained crt   The resulting file should be used in the ssl certificate directive   server       listen              443 ssl      server name         www example com      ssl certificate     www example com chained crt      ssl certificate key www example com key

User · Answer

We had this problem and it was very much Firefox specific -- could only repro in that browser  Safari  IE8  Chrome  etc were all fine   Fixing it required getting an updated cert from Comodo and installing it   No idea what magic they changed  but it was definitely something in the cert that Firefox did NOT like

User · Answer

I know this thread is a little old but we ran into this too and will archive our eventual solution here for others.

We had the same problem with a Comodo wildcard "positive ssl" cert. We are running our website using a squid-reverse SSL proxy and Firefox would keep complaining "sec_error_unknown_issuer" as you stated, yet every other browser was OK.

I found that this is a problem of the certificate chain being incomplete. Firefox apparently does not have one of the intermediary certificates build in, though Firefox does trust the root CA. Therefore you have to provide the whole chain of certificates to Firefox. Comodo's support states:

An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate. The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.

Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.

This was already touched on earlier in this thread but it did not resove how you do this.

First you have to make a chained certificate bundle and you do that by using your favorite text editor and just paste them in, in the correct (reverse) order i.e.

Intermediate CA Certificate 2 - IntermediateCA2.crt - on top of the file
Intermediate CA Certificate 1 - IntermediateCA1.crt
Root CA Certificate - root.crt - at the end of the file

The exact order you can get from your ssl provider if its not obvious from the names.

Then save the file as whatever name you like. E.g. yourdomain-chain-bundle.crt

In this example I have not included the actual domain certificate and as long as your server can be configured to take a separate chained certificate bundle this is what you use.

More data can be found here:

https://support.comodo.com/index.php?/Knowledgebase/Article/View/643/0/how-do-i-make-my-own-bundle-file-from-crt-files

If for some reason you can't configure your server to use a separate chained bundle, then you just paste your server certificate in the beginning (on the top) of the bundle and use the resulting file as your server cert. This is what needs to be done in the E.g Squid case. See below from the squid mailing list on this subject.

http://www.squid-cache.org/mail-archive/squid-users/201109/0037.html

This resolved it for us.

User · Answer

Which version of Firefox on which platform is your client using   The are people having the same problem as documented here in the Support Forum for Firefox  I hope you can find a solution there  Good luck   Update   Let your client check the settings in Firefox  On  Advanced  -  Encryption  there is a button  View Certificates   Look for  Comodo CA Limited  in the list  I saw that Comodo is the issuer of the certificate of that domain name server  On two of my machines  FF 3 0 3 on Vista and Mac  the entry is in the list  by default Mozilla

User · Answer

Had same issue this end of week  only Firefox will not accept certificate    The solution for me has been to add  in the apache configuration of the website  the intermediate certificate with the following line    SSLCACertificateFile  your path to ssl ca certs pem   Find more infomration on https   httpd apache org docs 2 4 fr mod mod ssl html

User · Answer

I ve being going round in circles with Firefox 43  El Capitan and WHM cPanel SSL installation continually getting the Untrusted site error - I didn t buy the certificate it was handed over to me to install as the last guy walked out the door  Turns out I was installing under the wrong domain because I missed off the www - but the certificate still installed against the domain  when I installed the certificate in WHM using www domain com au it installed now worries and the FF error has gone - the certificate works fine for both www and non-www

User · Answer

Firefox is more stringent than other browsers and will require proper installation of an intermediate server certificate  This can be supplied by the cert authority the certificate was purchased from  the intermediate cert is typically installed in the same location as the server cert and requires the proper entry in the httpd conf file   while many are chastising Firefox for it s  generally  exclusive  flagging  of this  it s actually demonstrating a higher level of security standards

User · Answer

To answer the non-reproducability aspect of the question - Firefox automatically imports intermediate certificates into its certificate store  So if you ve previously visited a site which has used the same Intermediate Certificate using a correctly configured certificate chain then Firefox will store that Certificate so you will not see the problem when you visit a site that has an incorrectly configured chain using the same Intermediate certificate   You can check this in Firefox s Certificate Manager  Options- Privacy amp Security- View Certificates     where you can see all stored certificates  Under the  Security Device  Column you can check where a certificate has come from - automatically manually imported certificates will appear as from  Software Security Device  as opposed to the  Builtin Object Token   which are the default set installed with Firefox  You can delete Distrust any specific certificates and test again

User · Answer

Just had the same problem with a Comodo Wildcard SSL cert  After reading the docs the solution is to ensure you include the certificate chain file they send you in your config i e   SSLCertificateChainFile  etc ssl crt yourSERVERNAME ca-bundle   Full details on Comodo site

User · Answer

June 2014   This is the configuration I used and it working fine after banging my head on the wall for some days  I use Express 3 4  I think is the same for Express 4 0   var privateKey    fs readFileSync  helpers sslcert key pem    utf8    var certificate   fs readFileSync  helpers sslcert csr pem    utf8     files     COMODORSADomainValidationSecureServerCA crt             COMODORSAAddTrustCA crt             AddTrustExternalCARoot crt              ca    function       var  i   len   results      results         for   i   0   len   files length   i  lt   len   i          file   files  i        results push fs readFileSync  helpers sslcert     file          return  results         var credentials    ca ca  key  privateKey  cert  certificate       process env PORT   Heroku Config environment var port   process env PORT    4000   var app   express    var server   http createServer app  listen port  function             console log  Express HTTP server listening on port     server address   port       https createServer credentials  app  listen 3000  function             console log  Express HTTPS server listening on port     server address   port           redirect all http requests to https app use function req  res  next      if  req secure        return res redirect   https   mydomain com   req url  join             next          Then I redirected the 80 and 443 ports   sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 4000 sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3000   As you can see after checking my certifications I have 4  0 1 2 3       openssl s client -connect mydomain com 443 -showcerts   grep        ubuntu ip-172-31-5-134    openssl s client -connect mydomain com 443 -showcerts   grep      depth 3 C   SE  O   AddTrust AB  OU   AddTrust External TTP Network  CN   AddTrust External CA Root verify error num 19 self signed certificate in certificate chain verify return 0  0 s  OU Domain Control Validated OU PositiveSSL CN mydomain com    i  C GB ST Greater Manchester L Salford O COMODO CA Limited CN COMODO RSA Domain Validation Secure Server CA  1 s  C GB ST Greater Manchester L Salford O COMODO CA Limited CN COMODO RSA Domain Validation Secure Server CA    i  C GB ST Greater Manchester L Salford O COMODO CA Limited CN COMODO RSA Certification Authority  2 s  C GB ST Greater Manchester L Salford O COMODO CA Limited CN COMODO RSA Certification Authority    i  C SE O AddTrust AB OU AddTrust External TTP Network CN AddTrust External CA Root  3 s  C SE O AddTrust AB OU AddTrust External TTP Network CN AddTrust External CA Root    i  C SE O AddTrust AB OU AddTrust External TTP Network CN AddTrust External CA Root     Protocol    TLSv1 1     Cipher      AES256-SHA     Session-ID  8FDEAEE92ED20742     3E7D80F93226142DD     Session-ID-ctx      Master-Key  C9E4AB966E41A85EEB7    4D73C67088E1503C52A9353C8584E94     Key-Arg     None     PSK identity  None     PSK identity hint  None     SRP username  None     TLS session ticket lifetime hint  300  seconds      TLS session ticket      0000 - 7c c8 36 80 95 4d 4c 47-d8 e3 ca 2e 70 a5 8f ac     6  MLG    p        0010 - 90 bd 4a 26 ef f7 d6 bc-4a b3 dd 8f f6 13 53 e9     J amp           S      0020 - f7 49 c6 48 44 26 8d ab-a8 72 29 c8 15 73 f5 79    I HD amp        s y     0030 - ca 79 6a ed f6 b1 7f 8a-d2 68 0a 52 03 c5 84 32    yj        R   2     0040 - be c5 c8 12 d8 f4 36 fa-28 4f 0e 00 eb d1 04 ce                        0050 - a7 2b d2 73 df a1 8b 83-23 a6 f7 ef 6e 9e c4 4c      s           L     0060 - 50 22 60 e8 93 cc d8 ee-42 22 56 a7 10 7b db 1e   P       B V          0070 - 0a ad 4a 91 a4 68 7a b0-9e 34 01 ec b8 7b b2 2f     J      4           0080 - e8 33 f5 a9 48 11 36 f8-69 a6 7a a6 22 52 b1 da    3  H   i    R       0090 - 51 18 ed c4 d9 3d c4 cc-5b d7 ff 92 4e 91 02 9e               N        Start Time  140   549     Timeout     300  sec      Verify return code  19  self signed certificate in certificate chain    Good luck  PD  if u want more answers please check  http   www benjiegillam com 2012 06 node-dot-js-ssl-certificate-chain

User · Answer

If anyone else is experiencing this issue with an Ubuntu LAMP and  COMODO Positive SSL  try to build your own bundle from the certs in the compressed file   cat AddTrustExternalCARoot crt COMODORSAAddTrustCA crt COMODORSADomainValidationSecureServerCA crt  gt  YOURDOMAIN ca-bundle

User · Answer

Which version of Firefox on which platform is your client using   The are people having the same problem as documented here in the Support Forum for Firefox  I hope you can find a solution there  Good luck   Update   Let your client check the settings in Firefox  On  Advanced  -  Encryption  there is a button  View Certificates   Look for  Comodo CA Limited  in the list  I saw that Comodo is the issuer of the certificate of that domain name server  On two of my machines  FF 3 0 3 on Vista and Mac  the entry is in the list  by default Mozilla

User · Answer

If you got your cert from COMODO your need to add this line  the file is on the zip file you received   SSLCertificateChainFile  path COMODORSADomainValidationSecureServerCA crt

[firefox] Firefox and SSL: sec_error_unknown_issuer

Examples related to firefox

Examples related to ssl