NET::ERR_CERT_AUTHORITY_INVALID in Android Chrome and Webview, Firefox and Thunderbird


Status - Lithium
8 months ago
8 months ago


(Reporter: ahunt, Assigned: madalina)


(Blocks: 1 bug)


(Whiteboard: [li-00138510] , URL)



8 months ago
Trying to open fails on Android, in any Chrome-based browser. That includes Chrome itself, and any WebView based app - including Focus for Android.


I don't know too much about SSL certs, but it seems that (unlike most other browsers?) Chrome/WebView on Android relies on a full certificate chain on the server. Various online checkers corroborate this theory, they complain that e.g. "The server's certificate chain is incomplete":

Note: we're using Webview for Focus on Android, so currently we can't show any SUMO articles - that's probably something that would need to be fixed before release.
Severity: normal → major
Severity: major → minor
This affects some builds of Thunderbird as well, apparently.
Giorgos, Can you take a look? This cert issue means Focus for Android can't serve content from SUMO.
Flags: needinfo?(giorgos)
This is an even bigger deal than that. Unless you've downloaded the intermediate certificate from some other server, this will be broken for you I think. That means new Firefox profiles are broken as well, and quite possibly other browsers. This is what I get if I try a new profile on Firefox 52.0.2 on OSX.

I think this might be another FX53 release blocker, although that's certainly not my decision to make.
Severity: minor → critical

Comment 4

8 months ago
Thunderbird also. 
" uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: <a id="errorCode" title="SEC_ERROR_UNKNOWN_ISSUER">SEC_ERROR_UNKNOWN_ISSUER</a>"
Summary: NET::ERR_CERT_AUTHORITY_INVALID in Android Chrome and Webview → NET::ERR_CERT_AUTHORITY_INVALID in Android Chrome and Webview, Firefox and Thunderbird

Comment 5

8 months ago
Is this just another side product of Avast and their scanning of TLS by having the user make them a certifying authority?  I know the error is the same as that users see when avast is installed.

Comment 6

8 months ago
I use Avast, but I just used the quick disable feature and got same result. And also on a machine that does not have avast.
Nah it's not an Avast issue, the ssllabs test in the first comment makes it pretty clear: the DigiCert SHA2 High Assurance Server CA with a fingerprint of SHA1: a031c46782e6e6c662c2c87c76da9aa62ccabd8e needs to be provided in the cert chain from, it's not part of the standard browser trust store.

So while a lot of people may have that certificate cached from elsewhere, if you don't have it, won't work for you, and that probably includes new installs of most or all browsers.
(In reply to Patrick McClard;pmcclard from comment #2)
> Giorgos, Can you take a look? This cert issue means Focus for Android can't
> serve content from SUMO.

I'd echo :sancus here. It seems that for some user that intermediate cert is part of the o/s (e.g. debian based distros) but for other it's not, which is causing the issue. Firefox include the "DigiCert High Assurance EV Root CA" according to [0] and afaiu it will be used to verify the intermediate but we still need to get the intermediate.

Both the ssllabs check posted by :sancus and check (part of Mozilla's Observatory) [1] identify the chain as incomplete and suggest that the server should serve the intermediate cert as well.

In other words this is a misconfiguration of Lithium's servers. 

Flags: needinfo?(giorgos)


8 months ago
Blocks: 1353718

Comment 9

8 months ago
Reported to Lithium - root cause seems to be Lithium switching CDNs.
Case number: 00138510(


8 months ago
Assignee: nobody → mana


8 months ago
Duplicate of this bug: 1353778


8 months ago
Whiteboard: [li-00138510]
I have filed a severity 1 support case for this!

Case 00138542 is severity 1! url for the case is

BEGIN text of the case (since it's not an open support case system)

We need the Lithium Certificate issue to be fixed by the end of the day Wednesday April 5, 2017, please stop ignoring case 00138510

Description	From: Roland moco Tanglao <>
Hello fine Lithium folks :-)

Escalating since our support case, 00138510, has been ignored :-( [1]

and certificate problems are sev 1 in my opinion and were broken

as far as I can tell when Lithium switched CDNs

Please fix by end of the day Wednesday April 5, 2017. I believe this is
a 15 minute fix!


END text of the case
oops missing last bit of the copy and paste from the case:
ignored case:

[1],1,SaNaeM5gyYstYeil5oHoytmkD8mLwmpfhzAkjkLPdLg0BTo-g4vtNuOkwt7j-NqdvvKdYli9IoZRei_T8kTnwTX-yATTk4HZ4PCAD7pgXzrNnPvQ_OrSwA,,&typo=1 aka case 00138510
Component: General → General
Priority: -- → P1
Product: → - Lithium and

both show the intermediate cert is now being served, and manual testing on a new Firefox profile also works. Calling this one fixed.

Thanks :rolandtanglao for the escalation :D
Last Resolved: 8 months ago
Resolution: --- → FIXED
Roland Thanks for realising that the Lithium bugs | support cases; are not open and providing details and information.
Something I note you have also done in other bugzilla bugs relating to sumo Lithium.
You need to log in before you can comment on or make changes to this bug.