Trying to open https://support.mozilla.org fails on Android, in any Chrome-based browser. That includes Chrome itself, and any WebView based app - including Focus for Android. Chrome claims "NET::ERR_CERT_AUTHORITY_INVALID". I don't know too much about SSL certs, but it seems that (unlike most other browsers?) Chrome/WebView on Android relies on a full certificate chain on the server. Various online checkers corroborate this theory, they complain that e.g. "The server's certificate chain is incomplete": https://www.ssllabs.com/ssltest/analyze.html?d=support.mozilla.org Note: we're using Webview for Focus on Android, so currently we can't show any SUMO articles - that's probably something that would need to be fixed before release.
This affects some builds of Thunderbird as well, apparently.
Giorgos, Can you take a look? This cert issue means Focus for Android can't serve content from SUMO.
This is an even bigger deal than that. Unless you've downloaded the intermediate certificate from some other server, this will be broken for you I think. That means new Firefox profiles are broken as well, and quite possibly other browsers. http://i.imgur.com/J8l3z6k.png This is what I get if I try a new profile on Firefox 52.0.2 on OSX. I think this might be another FX53 release blocker, although that's certainly not my decision to make.
Thunderbird also. "support.mozilla.org uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: <a id="errorCode" title="SEC_ERROR_UNKNOWN_ISSUER">SEC_ERROR_UNKNOWN_ISSUER</a>"
Is this just another side product of Avast and their scanning of TLS by having the user make them a certifying authority? I know the error is the same as that users see when avast is installed.
I use Avast, but I just used the quick disable feature and got same result. And also on a machine that does not have avast.
Nah it's not an Avast issue, the ssllabs test in the first comment makes it pretty clear: the DigiCert SHA2 High Assurance Server CA with a fingerprint of SHA1: a031c46782e6e6c662c2c87c76da9aa62ccabd8e needs to be provided in the cert chain from support.mozilla.org, it's not part of the standard browser trust store. So while a lot of people may have that certificate cached from elsewhere, if you don't have it, support.mozilla.org won't work for you, and that probably includes new installs of most or all browsers.
(In reply to Patrick McClard;pmcclard from comment #2) > Giorgos, Can you take a look? This cert issue means Focus for Android can't > serve content from SUMO. I'd echo :sancus here. It seems that for some user that intermediate cert is part of the o/s (e.g. debian based distros) but for other it's not, which is causing the issue. Firefox include the "DigiCert High Assurance EV Root CA" according to  and afaiu it will be used to verify the intermediate but we still need to get the intermediate. Both the ssllabs check posted by :sancus and htbridge.com check (part of Mozilla's Observatory)  identify the chain as incomplete and suggest that the server should serve the intermediate cert as well. In other words this is a misconfiguration of Lithium's servers.  https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport  https://www.htbridge.com/ssl/?id=2645df16f9fb6a4cd99761477659e048587ee4109f8b978d1808f84950caef4b
Reported to Lithium - root cause seems to be Lithium switching CDNs. Case number: 00138510(https://supportcases.lithium.com/5006100000AcTwW)
I have filed a severity 1 support case for this! Case 00138542 is severity 1! url for the case is https://supportcases.lithium.com/5006100000AcZQH BEGIN text of the case (since it's not an open support case system) We need the Lithium Certificate issue to be fixed by the end of the day Wednesday April 5, 2017, please stop ignoring case 00138510 Description From: Roland moco Tanglao <email@example.com> To: firstname.lastname@example.org, email@example.com Hello fine Lithium folks :-) Escalating since our support case, 00138510, has been ignored :-(  and certificate problems are sev 1 in my opinion and were broken as far as I can tell when Lithium switched CDNs Please fix by end of the day Wednesday April 5, 2017. I believe this is a 15 minute fix! Cheers! ...Roland END text of the case
oops missing last bit of the copy and paste from the case: ignored case:  https://linkprotect.cudasvc.com/url?a=https://supportcases.lithium.com/5006100000AcTwW&c=E,1,SaNaeM5gyYstYeil5oHoytmkD8mLwmpfhzAkjkLPdLg0BTo-g4vtNuOkwt7j-NqdvvKdYli9IoZRei_T8kTnwTX-yATTk4HZ4PCAD7pgXzrNnPvQ_OrSwA,,&typo=1 aka case 00138510
https://www.ssllabs.com/ssltest/analyze.html?d=support.mozilla.org and https://www.htbridge.com/ssl/?id=2645df16f9fb6a4cd99761477659e048587ee4109f8b978d1808f84950caef4b both show the intermediate cert is now being served, and manual testing on a new Firefox profile also works. Calling this one fixed. Thanks :rolandtanglao for the escalation :D
Roland Thanks for realising that the Lithium bugs | support cases; are not open and providing details and information. Something I note you have also done in other bugzilla bugs relating to sumo Lithium.