Firefox and SSL: sec_error_unknown_issuer
My client gets a sec_error_unknown_issuer error message when visiting https://mediant.ipmail.nl with Firefox. I can't reproduce the error myself. I installed FF on a Vista and an XP machine and had no problems. FF on Ubuntu also works fine.
Does anyone get the same error, and does anyone have some clues for me so I can tell my ISP to change some settings? The certificate is a so-called wildcard SSL certificate that works for all subdomains (*.ipmail.nl). Was I wrong to pick the cheapest one?
Regards, Pieter
Answer by splattne for Firefox and SSL: sec_error_unknown_issuer
Which version of Firefox on which platform is your client using?
There are people having the same problem as documented here in the Support Forum for Firefox. I hope you can find a solution there. Good luck!
Update:
Let your client check the settings in Firefox: On "Advanced" - "Encryption" there is a button "View Certificates". Look for "Comodo CA Limited" in the list. I saw that Comodo is the issuer of the certificate of that domain name/server. On two of my machines (FF 3.0.3 on Vista and Mac) the entry is in the list (by default/Mozilla).
Answer by user126810 for Firefox and SSL: sec_error_unknown_issuer
Just had the same problem with a Comodo Wildcard SSL cert. After reading the docs the solution is to ensure you include the certificate chain file they send you in your config i.e.
SSLCertificateChainFile /etc/ssl/crt/yourSERVERNAME.ca-bundle
Full details on Comodo site
Answer by Jeff Atwood for Firefox and SSL: sec_error_unknown_issuer
We had this problem and it was very much Firefox specific -- could only repro in that browser, Safari, IE8, Chrome, etc were all fine.
Fixing it required getting an updated cert from Comodo and installing it.
No idea what magic they changed, but it was definitely something in the cert that Firefox did NOT like.
Answer by toddb for Firefox and SSL: sec_error_unknown_issuer
I had this problem with Firefox and my server. I contacted GoDaddy customer support, and they had me install the intermediate server certificate:
http://support.godaddy.com/help/article/868/what-is-an-intermediate-certificate
After a re-start of the World Wide Web Publishing Service, everything worked perfectly.
If you do not have full access to your server, your ISP will have to do this for you.
Answer by Jason Clark for Firefox and SSL: sec_error_unknown_issuer
Firefox is more stringent than other browsers and will require proper installation of an intermediate server certificate. This can be supplied by the cert authority the certificate was purchased from. The intermediate cert is typically installed in the same location as the server cert and requires the proper entry in the httpd.conf file.
While many are chastising Firefox for its (generally) exclusive 'flagging' of this, it's actually demonstrating a higher level of security standards.
Answer by GvS for Firefox and SSL: sec_error_unknown_issuer
I'm using nginx and this helped me: http://nginx.org/en/docs/http/configuring_https_servers.html#chains
Answer by vadipp for Firefox and SSL: sec_error_unknown_issuer
As @user126810 said, the problem can be fixed with a proper SSLCertificateChainFile directive in the config file.
But after fixing the config and restarting the webserver, I also had to restart Firefox. Without that, Firefox continued to complain about bad certificate (looks like it used a cached one).
Answer by Cc65 for Firefox and SSL: sec_error_unknown_issuer
For nginx, do this: generate a chained crt file using
$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
The resulting file should be used in the ssl_certificate directive:
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.chained.crt;
    ssl_certificate_key www.example.com.key;
    ...
}
Answer by Steven Lizarazo for Firefox and SSL: sec_error_unknown_issuer
If you got your cert from COMODO you need to add this line; the file is in the zip file you received.
SSLCertificateChainFile /path/COMODORSADomainValidationSecureServerCA.crt
Answer by leancode for Firefox and SSL: sec_error_unknown_issuer
I know this thread is a little old but we ran into this too and will archive our eventual solution here for others.
We had the same problem with a Comodo wildcard "positive ssl" cert. We are running our website using a squid-reverse SSL proxy and Firefox would keep complaining "sec_error_unknown_issuer" as you stated, yet every other browser was OK.
I found that this is a problem of the certificate chain being incomplete. Firefox apparently does not have one of the intermediary certificates built in, though Firefox does trust the root CA. Therefore you have to provide the whole chain of certificates to Firefox. Comodo's support states:
An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate. The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.
Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.
This was already touched on earlier in this thread but it did not resolve how you do this.
First you have to make a chained certificate bundle and you do that by using your favorite text editor and just paste them in, in the correct (reverse) order i.e.
- Intermediate CA Certificate 2 - IntermediateCA2.crt - on top of the file
- Intermediate CA Certificate 1 - IntermediateCA1.crt
- Root CA Certificate - root.crt - at the end of the file
The exact order you can get from your SSL provider if it's not obvious from the names.
Then save the file as whatever name you like. E.g. yourdomain-chain-bundle.crt
In this example I have not included the actual domain certificate and as long as your server can be configured to take a separate chained certificate bundle this is what you use.
More data can be found here:
If for some reason you can't configure your server to use a separate chained bundle, then you just paste your server certificate in the beginning (on the top) of the bundle and use the resulting file as your server cert. This is what needs to be done in, e.g., the Squid case. See below from the squid mailing list on this subject.
http://www.squid-cache.org/mail-archive/squid-users/201109/0037.html
This resolved it for us.
Answer by lito for Firefox and SSL: sec_error_unknown_issuer
June 2014:
This is the configuration I used and it is working fine after banging my head on the wall for some days. I use Express 3.4 (I think it is the same for Express 4.0)
var fs = require('fs');
var http = require('http');
var https = require('https');
var express = require('express');

var privateKey = fs.readFileSync('helpers/sslcert/key.pem', 'utf8');
var certificate = fs.readFileSync('helpers/sslcert/csr.pem', 'utf8');

// Intermediate and root CA certificates that make up the chain
var files = [
  "COMODORSADomainValidationSecureServerCA.crt",
  "COMODORSAAddTrustCA.crt",
  "AddTrustExternalCARoot.crt"
];
var ca = files.map(function(file) {
  return fs.readFileSync("helpers/sslcert/" + file);
});

var credentials = {ca: ca, key: privateKey, cert: certificate};

// process.env.PORT : Heroku Config environment
var port = process.env.PORT || 4000;
var app = express();

var server = http.createServer(app).listen(port, function() {
  console.log('Express HTTP server listening on port ' + server.address().port);
});

// Keep a handle on the HTTPS server so the log line reports its own port
var httpsServer = https.createServer(credentials, app).listen(3000, function() {
  console.log('Express HTTPS server listening on port ' + httpsServer.address().port);
});

// redirect all http requests to https
app.use(function(req, res, next) {
  if (!req.secure) {
    return res.redirect(['https://mydomain.com', req.url].join(''));
  }
  next();
});
Then I redirected the 80 and 443 ports:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 4000
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3000
As you can see after checking my certifications I have 4 [0,1,2,3]:
openssl s_client -connect mydomain.com:443 -showcerts | grep "^ "
ubuntu@ip-172-31-5-134:~$ openssl s_client -connect mydomain.com:443 -showcerts | grep "^ "
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    Protocol : TLSv1.1
    Cipher : AES256-SHA
    Session-ID: 8FDEAEE92ED20742.....3E7D80F93226142DD
    Session-ID-ctx:
    Master-Key: C9E4AB966E41A85EEB7....4D73C67088E1503C52A9353C8584E94
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 7c c8 36 80 95 4d 4c 47-d8 e3 ca 2e 70 a5 8f ac |.6..MLG....p...
    0010 - 90 bd 4a 26 ef f7 d6 bc-4a b3 dd 8f f6 13 53 e9 ..J&..........S.
    0020 - f7 49 c6 48 44 26 8d ab-a8 72 29 c8 15 73 f5 79 .I.HD&.......s.y
    0030 - ca 79 6a ed f6 b1 7f 8a-d2 68 0a 52 03 c5 84 32 .yj........R...2
    0040 - be c5 c8 12 d8 f4 36 fa-28 4f 0e 00 eb d1 04 ce ........(.......
    0050 - a7 2b d2 73 df a1 8b 83-23 a6 f7 ef 6e 9e c4 4c .+.s...........L
    0060 - 50 22 60 e8 93 cc d8 ee-42 22 56 a7 10 7b db 1e P"`.....B.V..{..
    0070 - 0a ad 4a 91 a4 68 7a b0-9e 34 01 ec b8 7b b2 2f ..J......4...{./
    0080 - e8 33 f5 a9 48 11 36 f8-69 a6 7a a6 22 52 b1 da .3..H...i....R..
    0090 - 51 18 ed c4 d9 3d c4 cc-5b d7 ff 92 4e 91 02 9e .....=......N...
    Start Time: 140...549
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
Good luck! PS: if you want more answers, please check: http://www.benjiegillam.com/2012/06/node-dot-js-ssl-certificate-chain/
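The `s:`/`i:` summary lines that `openssl s_client -showcerts` prints (as in the output quoted above) are enough to tell whether a server sends its intermediates and whether a concatenated bundle is in the right order. The following is an added example, not code from any of the answers; `check_chain`, the sample functions and the shortened DNs are constructed for illustration.

```shell
#!/bin/sh
# Reads `openssl s_client -showcerts` output on stdin and checks the chain the
# server SENT: the issuer (i:) of cert N must be the subject (s:) of cert N+1.
# Prints one status line; exit status is 0 only when the chain links up.
# Real use:
#   openssl s_client -connect mydomain.com:443 -showcerts </dev/null 2>/dev/null | check_chain
check_chain() {
  awk '
    BEGIN { n = 0 }
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0; next }
    END {
      if (n == 0) { print "NO_CHAIN"; exit 2 }
      # A lone cert that is not self-signed: no intermediates were sent, so a
      # client lacking that intermediate reports an unknown issuer.
      if (n == 1 && iss[0] != subj[0]) { print "LEAF_ONLY missing: " iss[0]; exit 1 }
      for (k = 0; k + 1 < n; k++)
        if (iss[k] != subj[k + 1]) { print "BROKEN_AT " k " wants: " iss[k]; exit 1 }
      # Linked: the last issuer is what the client must already trust.
      print "LINKED " n " anchor: " iss[n - 1]
    }'
}

# Constructed samples (shortened DNs modelled on the output quoted above).
DV='/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA'
RSA='/O=COMODO CA Limited/CN=COMODO RSA Certification Authority'
ROOT='/O=AddTrust AB/CN=AddTrust External CA Root'
sample_full() {        # leaf first, then intermediates in issuing order
  printf ' 0 s:/CN=mydomain.com\n   i:%s\n 1 s:%s\n   i:%s\n 2 s:%s\n   i:%s\n' \
    "$DV" "$DV" "$RSA" "$RSA" "$ROOT"
}
sample_leaf_only() {   # server configured without any chain file
  printf ' 0 s:/CN=mydomain.com\n   i:%s\n' "$DV"
}
sample_misordered() {  # bundle concatenated root-side first
  printf ' 0 s:/CN=mydomain.com\n   i:%s\n 1 s:%s\n   i:%s\n 2 s:%s\n   i:%s\n' \
    "$DV" "$RSA" "$ROOT" "$DV" "$RSA"
}

# Demo: run every constructed sample through the check.
for s in sample_full sample_leaf_only sample_misordered; do
  printf '%s: ' "$s"
  "$s" | check_chain || true
done
```

A `LEAF_ONLY` result corresponds to the missing chain file described in the answers; `BROKEN_AT` points at the position in a concatenated bundle where the order is wrong.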
Answer by chmoder for Firefox and SSL: sec_error_unknown_issuer
If anyone else is experiencing this issue with an Ubuntu LAMP and "COMODO Positive SSL" try to build your own bundle from the certs in the compressed file.
cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > YOURDOMAIN.ca-bundle
Answer by Rob for Firefox and SSL: sec_error_unknown_issuer
I've been going round in circles with Firefox 43, El Capitan and WHM/cPanel SSL installation, continually getting the Untrusted site error. I didn't buy the certificate; it was handed over to me to install as the last guy walked out the door. Turns out I was installing under the wrong domain because I missed off the www, but the certificate still installed against the domain. When I installed the certificate in WHM using www.domain.com.au it installed no worries and the FF error has gone. The certificate works fine for both www and non-www.