Closed
Bug 1431838
Opened 8 years ago
Closed 8 years ago
Certificate Chains including "Google Internet Authority G2" not validated (SEC_ERROR_UNKNOWN_ISSUER)
Categories
(Core :: Security: PSM, defect)
Tracking
RESOLVED
INVALID
People
(Reporter: armin.aha, Unassigned)
Details
Attachments
(1 file)
4.03 KB, application/pkix-cert
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180104112904
Steps to reproduce:
Visit https://www.google.com
Actual results:
www.google.com sends the following certificates (see attachment):
1. subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
2. subject: /C=US/O=Google Inc/CN=Google Internet Authority G2
   issuer: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
3. subject: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Firefox gives the following error:
www.google.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
Expected results:
"/C=US/O=Equifax/OU=Equifax Secure Certificate Authority" is not a trusted root certificate, but there is a trusted root certificate for "/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA".
I expect Firefox to create a valid certificate chain as follows: "www.google.com" (1) -> Google Internet Authority G2 (2) -> GeoTrust Global CA (trusted root, built-in object token).
https://www.youtube.com/ is also affected. It also uses the "Google Internet Authority G2" intermediate and the "GeoTrust Global CA" certificate signed by Equifax.
Now both websites are working again without any change in certificates.
Maybe there was another server side issue.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Comment 2•8 years ago
I'm seeing the same thing now. I confirmed that Chrome is seeing the same certificate, and is accepting it as valid, while Firefox does not.
Comment 3•8 years ago
I still have this issue with FF 56.0 on Gentoo Linux. armin.aha – double check the certs of Google sites, as they use G2 and G3 certs. G3 works just fine, but any site with G2 fails, thus "works/doesn't work" will depend on which of Google's servers you hit.
I exported "www.google.com" and (intermediate) "Google Internet Authority G2" from "Certificate Viewer" window and checked them with: openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -CAfile GoogleInternetAuthorityG2.crt googlecom.crt
OpenSSL and Chrome consider those certs to be fine; FF is the only one not liking them, although "GeoTrust Global CA" (issuer of "Google Internet Authority G2", according to "Certificate Viewer") is trusted.
Now I have the issue again. Yesterday it worked once with the "Google Internet Authority G2" intermediate.
If I disable OCSP then the "www.google.com" -> "Google Internet Authority G2" -> "GeoTrust Global CA" chain validates.
If I enable OCSP again I get the SEC_ERROR_UNKNOWN_ISSUER error.
The OCSP server in the "www.google.com" certificate is http://clients1.google.com/ocsp, the one in the "Google Internet Authority G2" certificate is http://g.symcd.com. Maybe it's an issue with one of these servers.
I can also confirm that the "Google Internet Authority G3" certificates work fine.
I just checked with Wireshark: http://clients1.google.com/ocsp returns a 404 HTTP error for OCSP requests.
There is also Thunderbird Bug 1431881 about the same issue.
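The reporter's expected chain (leaf -> Google Internet Authority G2 -> built-in GeoTrust Global CA) differs from the chain the server sends, whose third certificate is a copy of GeoTrust Global CA cross-signed by Equifax. The following is an added illustration, not code from this bug or from Firefox/NSS: a toy path builder over a constructed model of those certificates (subject, issuer and key identifiers only; no real parsing or signature checking). It shows why a builder must look up trust anchors by name and key at every step rather than following the server-sent order, and how a revocation verdict from a hypothetical OCSP callback removes a path, while a responder fetch error is soft-failed in this model (a modelling choice, not a statement about Firefox's policy).

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model, not a parser)."""
    subject: str
    issuer: str
    key_id: str         # this cert's public key (think SubjectKeyIdentifier)
    signer_key_id: str  # key that produced the signature (think AuthorityKeyIdentifier)

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.signer_key_id


def candidate_issuers(child: Cert, presented: Iterable[Cert], anchors: Iterable[Cert]):
    """Yield certs that could have signed `child`: the name must chain and the
    signing key must match.  Trust anchors are tried before server-sent certs,
    which is what lets the builder stop at a root even when the server sends a
    cross-signed copy of that same CA."""
    for cert in list(anchors) + list(presented):
        if cert is child:
            continue
        if cert.subject == child.issuer and cert.key_id == child.signer_key_id:
            yield cert


def build_path(leaf: Cert, presented: List[Cert], anchors: List[Cert],
               ocsp: Optional[Callable[[Cert], str]] = None,
               max_depth: int = 8) -> Optional[List[Cert]]:
    """Depth-first path construction from `leaf` to a trust anchor.

    `ocsp(cert)` (hypothetical callback) returns "good", "revoked", "unknown"
    or "error".  Only "revoked" kills a path here; fetch errors are soft-failed,
    which is this model's choice.  Returns [leaf, ..., anchor] or None.
    """
    anchor_set = set(anchors)

    def dfs(path: List[Cert]) -> Optional[List[Cert]]:
        current = path[-1]
        if current in anchor_set:
            return path
        if len(path) >= max_depth:
            return None
        if ocsp is not None and ocsp(current) == "revoked":
            return None
        for issuer in candidate_issuers(current, presented, anchors):
            if issuer in path:  # avoid cycles in cross-signed CA graphs
                continue
            found = dfs(path + [issuer])
            if found is not None:
                return found
        return None

    return dfs([leaf])


def naive_server_chain_path(leaf: Cert, presented: List[Cert],
                            anchors: List[Cert]) -> Optional[List[Cert]]:
    """The failure mode: follow only the order the server sent, then check the
    last cert against the trust store.  Ends at the Equifax-signed copy of
    GeoTrust Global CA, which is not an anchor, so no path is found."""
    path = [leaf]
    while True:
        nxt = next((c for c in presented
                    if c.subject == path[-1].issuer and c not in path), None)
        if nxt is None:
            break
        path.append(nxt)
    return path if path[-1] in set(anchors) else None


# --- Constructed sample data mirroring the chain quoted in the report -------
LEAF = Cert("CN=www.google.com", "CN=Google Internet Authority G2", "k-leaf", "k-g2")
G2 = Cert("CN=Google Internet Authority G2", "CN=GeoTrust Global CA", "k-g2", "k-geotrust")
# Server-sent GeoTrust Global CA, cross-signed by Equifax (same key as the root)
GEOTRUST_CROSS = Cert("CN=GeoTrust Global CA", "OU=Equifax Secure Certificate Authority",
                      "k-geotrust", "k-equifax")
# Built-in, self-signed GeoTrust Global CA from the trust store
GEOTRUST_ROOT = Cert("CN=GeoTrust Global CA", "CN=GeoTrust Global CA",
                     "k-geotrust", "k-geotrust")

SERVER_CHAIN = [LEAF, G2, GEOTRUST_CROSS]
TRUST_STORE = [GEOTRUST_ROOT]


def expected_path_subjects() -> Optional[List[str]]:
    path = build_path(LEAF, SERVER_CHAIN, TRUST_STORE)
    return [c.subject for c in path] if path else None


def path_with_revoked_intermediate() -> Optional[List[Cert]]:
    """OCSP says G2 is revoked: no trusted path remains."""
    return build_path(LEAF, SERVER_CHAIN, TRUST_STORE,
                      ocsp=lambda c: "revoked" if c is G2 else "good")


def path_with_ocsp_error() -> Optional[List[str]]:
    """Responder returns HTTP errors; this model soft-fails and keeps the path."""
    path = build_path(LEAF, SERVER_CHAIN, TRUST_STORE, ocsp=lambda c: "error")
    return [c.subject for c in path] if path else None


if __name__ == "__main__":
    print("anchor-aware:", expected_path_subjects())
    print("server-order only:", naive_server_chain_path(LEAF, SERVER_CHAIN, TRUST_STORE))
```

The anchor-aware builder returns the three-certificate path the reporter expected, while the server-order walk returns nothing, which is the shape of the SEC_ERROR_UNKNOWN_ISSUER outcome. Matching on both issuer name and signing key identifier is what makes the self-signed root and its cross-signed twin interchangeable as issuers of G2.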
Comment 7•8 years ago
I suspect the OCSP issues are due to https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/MMO3HSYghwQ (and have apparently been fixed).
Are you still seeing SEC_ERROR_UNKNOWN_ISSUER errors?
Flags: needinfo?(armin.aha)
David - thanks, this sounds exactly like my issue. OCSP is now working again and the error is gone :)
I'll resolve this issue as it is not a Firefox bug.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago → 8 years ago
Flags: needinfo?(armin.aha)
Resolution: --- → INVALID