Closed Bug 1483824 Opened 7 years ago Closed 7 years ago

Letsencrypt certificates not trusted

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Version:
63 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: kirsty, Unassigned)

Details

Attachments

(1 file)

troubleshooting-information.json
18.22 KB, application/json
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0 Build ID: 20180815225731 Steps to reproduce: Firefox troubleshooting information attached. 1) Go to https://blog.nightly.mozilla.org/2018/08/14/symantec-distrust-in-firefox-nightly-63 2) Greeted by Warning: Potential Security Risk Ahead page. * Have reinstalled Firefox nightly. * Have tried both inside and outside of a company network. * Have tried in safe mode. * Have tested the following urls: - https://blog.nightly.mozilla.org/2018/08/14/symantec-distrust-in-firefox-nightly-63 - https://letsencrypt.org/certificates/ - https://www.kirstywright.co.uk Actual results: On any tested site with a LetsEncrypt SSL certificate Firefox is marking it as 'SEC_ERROR_UNKNOWN_ISSUER'. I am given the option to add the site as an exception. https://i.gyazo.com/0e59019160fca211c3901a344fe9f556.png A screenshot of what the 'view certificate' screen looks like is there. A gist of what the browser printed out on the error page when visiting LetsEncrypts main website is here https://gist.github.com/KirstyWright/4b6b75043f9f851f062f5e686b157213 . Expected results: Expected site would load over https with zero issues.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0 20180815225731 (In reply to Kirsty Wright from comment #0) > * Have tested the following urls: All work for me. > 'SEC_ERROR_UNKNOWN_ISSUER'. Do you have any sort of security software that performs SSL scanning? If so, does disabling the feature make a difference?
(In reply to Gingerbread Man from comment #1) > Do you have any sort of security software that performs SSL scanning? If so, > does disabling the feature make a difference? Not that I am aware of, I originally assumed it could be somthing with the office network but I had the same issues when tethering off of my phone. I can visit these sites with other browsers completely fine. These sites were all working prior to the most recent update.
Just to add that this is also happening on a Windows machine. They do share a sync account but that's about it.
Component: Untriaged → Security: PSM
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
If you go to the CA tab of the certificate manager (about:preferences -> search for "certificates" -> click "view certificates" -> click "authorities") and find the "DST Root CA X3" certificate (in the "Digital Signature Trust Co." section), if you select it and click the "edit trust" button, is the websites trust box checked?
Flags: needinfo?(kirsty)
(In reply to [:keeler] (use needinfo) from comment #4) > If you go to the CA tab of the certificate manager (about:preferences -> > search for "certificates" -> click "view certificates" -> click > "authorities") and find the "DST Root CA X3" certificate (in the "Digital > Signature Trust Co." section), if you select it and click the "edit trust" > button, is the websites trust box checked? The "This certificate can identify web sites." is not ticked for that certificate.
Flags: needinfo?(kirsty)
Flags: needinfo?(dkeeler)
If you check that box, does it work?
Flags: needinfo?(dkeeler) → needinfo?(kirsty)
(In reply to [:keeler] (use needinfo) from comment #6) > If you check that box, does it work? Yes, it does.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(kirsty)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: