Closed Bug 1159471 Opened 7 years ago Closed 6 years ago does not send intermediate certificate and chains to a root certificate that didn't sign it


(Web Compatibility :: Desktop, defect)




(Reporter: KaiE, Unassigned)




(2 files)

First, please DON'T ask the operator of that site to fix their site. It's the only site I know with this error, so we'll need it in its current incorrect state to debug Firefox.

This is about:

If you connect to the site with a FRESH PROFILE, I get

Another user reported they get

I see the server is configured incorrectly, it doesn't send the intermediate.

If I use an NSS diagnostic utility to connect, I get the expected error

So, for whatever reason, mozilla::pkix concludes the server's cert is bad, and worse than not having an issuer.

However, the following is surprising to me.

In the above fresh profile, visit the following link to install the intermediate:

Don't check any checkboxes. Just confirm with OK, which will import the intermediate, but doesn't add any trust.

Now, load the site again

To my surprise, the site now works.

It seems like an incorrect reporting of the reason for rejection when the intermediate is missing.
The root certificate that is included in NSS's certificate database has a public key that is different than the public key used to sign the certificate. The intermediate you linked to has the public key that was used to sign the certificate. Both certificates have the same subject name, so the end-entity certificate chains to both of them. When mozilla::pkix only has the root certificate and not the intermediate, the signature verification fails. When mozilla::pkix has both certificates available, it tries both and finds the one that works.
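The candidate-by-name behaviour described in the comment above, as an added example that is not part of the bug thread and is not mozilla::pkix code: a simplified Python model in which an HMAC stands in for a public-key signature. All names, keys and error labels are constructed, and it is an assumption that the intermediate was issued by a second trusted root.

```python
import hashlib, hmac
from dataclasses import dataclass

# Simplified model: an HMAC over the subject stands in for a public-key
# signature, so "key" plays the role of both the signing and the public key.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes   # this certificate's own key
    sig: bytes   # signature made with the issuer's key

def sign(subject: str, issuer_key: bytes) -> bytes:
    return hmac.new(issuer_key, subject.encode(), hashlib.sha256).digest()

def issue(subject, key, issuer_subject, issuer_key):
    return Cert(subject, issuer_subject, key, sign(subject, issuer_key))

def build_path(cert, pool, anchors, depth=0):
    """Return (chain, None) on success or (None, error_label) on failure."""
    if cert in anchors:
        return [cert], None
    if depth > 8:                        # guard against issuer loops
        return None, "PATH_TOO_LONG"
    error = "UNKNOWN_ISSUER"             # kept if no candidate matches by name
    for cand in anchors + pool:          # candidates are selected by subject name only
        if cand.subject != cert.issuer or cand == cert:
            continue
        if not hmac.compare_digest(sign(cert.subject, cand.key), cert.sig):
            error = "BAD_SIGNATURE"      # name matched, key did not
            continue
        chain, sub_error = build_path(cand, pool, anchors, depth + 1)
        if chain:
            return [cert] + chain, None
        error = sub_error
    return None, error

# Constructed sample data: two certificates share a subject but not a key.
K1, K2, K3 = b"builtin-root-key", b"intermediate-key", b"other-root-key"
builtin_root = issue("CN=Example CA", K1, "CN=Example CA", K1)
other_root = issue("CN=Other Root", K3, "CN=Other Root", K3)   # assumed issuer
intermediate = issue("CN=Example CA", K2, "CN=Other Root", K3)
server = issue("CN=site.example", b"server-key", "CN=Example CA", K2)
ANCHORS = [builtin_root, other_root]

if __name__ == "__main__":
    print(build_path(server, [], ANCHORS)[1])  # server sends no intermediate
    chain, _ = build_path(server, [intermediate], ANCHORS)
    print([c.subject for c in chain])           # intermediate imported, no trust bits
```

With only the same-named root available, the model reports a signature failure instead of an unknown issuer, because a candidate was found by name and then rejected by key.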
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Target Milestone: --- → May
Version: 38 Branch → Trunk
Summary: mozilla::pkix unexpected bad_signature/ca_cert_invalid with TLS server that lacks intermediate → does not send intermediate certificate and chains to a root certificate that didn't sign it
Thanks for the analysis, it's the first time I encounter a scenario like this.

Did any CA violate any rules, by issuing this intermediate with the same subject as a builtin root but with a different key?
Attached file server certificate
Documenting the server's current certificate.
Documenting the helpful intermediate.
Not sure why I was CC'd - perhaps because of Comment #2?

The answer is no.
(In reply to Ryan Sleevi from comment #5)
> Not sure why I was CC'd - perhaps because of Comment #2?
> The answer is no.


OTOH, that's supposedly the same CA, with the same certificate population, and this isn't reflected by checking the CRLs:

There should be no security problem here, because they don't chain back to the same TA. But I don't think it's by design.
See Also: → 1189145
So what is the next step with this bug? The issue still exists, should we contact the site?
This site loads fine for me in a clean profile -- seems fixed.
Closed: 6 years ago
Flags: needinfo?(kaie)
Resolution: --- → FIXED
This is site evangelism. I confirm the site sends out a chain of intermediates, so if it works, nothing remains to be done.
Flags: needinfo?(kaie)
Product: Tech Evangelism → Web Compatibility