NET::ERR_CERT_AUTHORITY_INVALID in Android Chrome and Webview, Firefox and Thunderbird

RESOLVED FIXED

Status

support.mozilla.org - Lithium
General
P1
critical
RESOLVED FIXED
8 months ago
8 months ago

People

(Reporter: ahunt, Assigned: madalina)

Tracking

(Blocks: 1 bug)

Details

(Whiteboard: [li-00138510] , URL)

(Reporter)

Description

8 months ago
Trying to open https://support.mozilla.org fails on Android, in any Chrome-based browser. That includes Chrome itself, and any WebView based app - including Focus for Android.

Chrome claims "NET::ERR_CERT_AUTHORITY_INVALID".

I don't know too much about SSL certs, but it seems that (unlike most other browsers?) Chrome/WebView on Android relies on a full certificate chain on the server. Various online checkers corroborate this theory, they complain that e.g. "The server's certificate chain is incomplete":
https://www.ssllabs.com/ssltest/analyze.html?d=support.mozilla.org


Note: we're using Webview for Focus on Android, so currently we can't show any SUMO articles - that's probably something that would need to be fixed before release.
Severity: normal → major
Severity: major → minor
This affects some builds of Thunderbird as well, apparently.
Giorgos, Can you take a look? This cert issue means Focus for Android can't serve content from SUMO.
Flags: needinfo?(giorgos)
This is an even bigger deal than that. Unless you've downloaded the intermediate certificate from some other server, this will be broken for you I think. That means new Firefox profiles are broken as well, and quite possibly other browsers.

http://i.imgur.com/J8l3z6k.png This is what I get if I try a new profile on Firefox 52.0.2 on OSX.

I think this might be another FX53 release blocker, although that's certainly not my decision to make.
Severity: minor → critical

Comment 4

8 months ago
Thunderbird also. 
"support.mozilla.org uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: <a id="errorCode" title="SEC_ERROR_UNKNOWN_ISSUER">SEC_ERROR_UNKNOWN_ISSUER</a>"
Summary: NET::ERR_CERT_AUTHORITY_INVALID in Android Chrome and Webview → NET::ERR_CERT_AUTHORITY_INVALID in Android Chrome and Webview, Firefox and Thunderbird

Comment 5

8 months ago
Is this just another side product of Avast and their scanning of TLS by having the user make them a certifying authority?  I know the error is the same as that users see when avast is installed.

Comment 6

8 months ago
I use Avast, but I just used the quick disable feature and got same result. And also on a machine that does not have avast.
Nah it's not an Avast issue, the ssllabs test in the first comment makes it pretty clear: the DigiCert SHA2 High Assurance Server CA with a fingerprint of SHA1: a031c46782e6e6c662c2c87c76da9aa62ccabd8e needs to be provided in the cert chain from support.mozilla.org, it's not part of the standard browser trust store.

So while a lot of people may have that certificate cached from elsewhere, if you don't have it, support.mozilla.org won't work for you, and that probably includes new installs of most or all browsers.
(In reply to Patrick McClard;pmcclard from comment #2)
> Giorgos, Can you take a look? This cert issue means Focus for Android can't
> serve content from SUMO.

I'd echo :sancus here. It seems that for some user that intermediate cert is part of the o/s (e.g. debian based distros) but for other it's not, which is causing the issue. Firefox include the "DigiCert High Assurance EV Root CA" according to [0] and afaiu it will be used to verify the intermediate but we still need to get the intermediate.

Both the ssllabs check posted by :sancus and htbridge.com check (part of Mozilla's Observatory) [1] identify the chain as incomplete and suggest that the server should serve the intermediate cert as well.

In other words this is a misconfiguration of Lithium's servers. 


[0] https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
[1] https://www.htbridge.com/ssl/?id=2645df16f9fb6a4cd99761477659e048587ee4109f8b978d1808f84950caef4b
Flags: needinfo?(giorgos)

Updated

8 months ago
Blocks: 1353718
(Assignee)

Comment 9

8 months ago
Reported to Lithium - root cause seems to be Lithium switching CDNs.
Case number: 00138510(https://supportcases.lithium.com/5006100000AcTwW)
(Assignee)

Updated

8 months ago
Assignee: nobody → mana
(Assignee)

Updated

8 months ago
Duplicate of this bug: 1353778
(Assignee)

Updated

8 months ago
Whiteboard: [li-00138510]
I have filed a severity 1 support case for this!

Case 00138542 is severity 1! url for the case is https://supportcases.lithium.com/5006100000AcZQH

BEGIN text of the case (since it's not an open support case system)

We need the Lithium Certificate issue to be fixed by the end of the day Wednesday April 5, 2017, please stop ignoring case 00138510

Description	From: Roland moco Tanglao <rtanglao@mozilla.com>
To: outage@lithium.com, sumo-team@mozilla.com
Hello fine Lithium folks :-)

Escalating since our support case, 00138510, has been ignored :-( [1]

and certificate problems are sev 1 in my opinion and were broken

as far as I can tell when Lithium switched CDNs

Please fix by end of the day Wednesday April 5, 2017. I believe this is
a 15 minute fix!

Cheers!

...Roland
END text of the case
oops missing last bit of the copy and paste from the case:
ignored case:

[1] https://linkprotect.cudasvc.com/url?a=https://supportcases.lithium.com/5006100000AcTwW&c=E,1,SaNaeM5gyYstYeil5oHoytmkD8mLwmpfhzAkjkLPdLg0BTo-g4vtNuOkwt7j-NqdvvKdYli9IoZRei_T8kTnwTX-yATTk4HZ4PCAD7pgXzrNnPvQ_OrSwA,,&typo=1 aka case 00138510
Component: General → General
Priority: -- → P1
Product: support.mozilla.org → support.mozilla.org - Lithium
https://www.ssllabs.com/ssltest/analyze.html?d=support.mozilla.org and
https://www.htbridge.com/ssl/?id=2645df16f9fb6a4cd99761477659e048587ee4109f8b978d1808f84950caef4b

both show the intermediate cert is now being served, and manual testing on a new Firefox profile also works. Calling this one fixed.

Thanks :rolandtanglao for the escalation :D
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → FIXED
Roland Thanks for realising that the Lithium bugs | support cases; are not open and providing details and information.
Something I note you have also done in other bugzilla bugs relating to sumo Lithium.
You need to log in before you can comment on or make changes to this bug.