Bug 387459: Mozilla Firefox 2.0.0.4 and GoDaddy SSL certificates.
Status: RESOLVED INVALID (Closed)
Opened 18 years ago, closed 16 years ago
Categories: Firefox :: Security, defect
People: Reporter: jcamarin, Unassigned
Attachments: 1 file (193.68 KB, image/png)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
We use GoDaddy SSL certificates for many of our customers' web sites. Here are a few for reference.
https://www.acesiowa.com
https://www.drafthorsejournal.net/
https://www.mymonkeytown.com/
It has been brought to our attention that Mozilla FireFox 2.0.0.4 (most recent) is not accepting the SSL's issued by GoDaddy.
Essentially, GoDaddy is not a trusted CA within FireFox. All of the tests are from Windows OS systems running FireFox 2.0.0.4.
I.E. 6.1.xxxx and I.E. 7.0.5730 do not report errors.
The operating systems themselves have the more recent ROOT CERTIFICATE update from Microsoft, via Windows Updates/WSUS etc.
My XP Workstation with an older version of FireFox (1.5.012) does NOT provide the error.
Again, the combination seems to be specific (not all) GoDaddy SSL Certificates (Turbo version maybe?) and FireFox 2.0.0.4.
Here is another example:
(Found Via a Google search for "FireFox GoDaddy SSL" a reference to:) https://www.piercebroscoffee.com/
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Actual Results:
The SSL Warning is displayed
Expected Results:
It should have validated the SSL certificate.
Comment 1•18 years ago
All four listed sites WFM in Firefox 2.0.0.4, maybe they weren't serving up the intermediate certs and now they are?
Comment 2•18 years ago
When I first opened the links, Firefox told me that the certificate owner was not secure, and I had to choose whether to accept the certificate for this session, forever, etc. etc...
After clicking cancel and reloading, it does not ask me anymore and accepts them...
Comment 3•17 years ago
I have the same problem on Windows 2008 Server with Firefox 3.0.3
Open the URL
https://www.spreadsheetserver.com/server1/SignIn.aspx
and I get the error below.
I tested on IE7 on Windows 2008 Server, and works ok.
I use a 10-year GoDaddy cert since it is very cost-effective.
Secure Connection Failed
www.spreadsheetserver.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)
* This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.
* If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.
Comment 4•16 years ago
I found this bug report debugging a similar problem on my own site.
It turns out that this is a server configuration issue. If you open up the certificate details in a recent browser, you see that the certificate hierarchy is as follows:
#1 Builtin Object Token:Go Daddy Class 2 CA
#2 -> Go Daddy Secure Certification Authority
#3 -> your.domain.name
So, older releases of Firefox only include certificate #1 as a trusted cert. Newer releases include both #1 and #2.
Older Firefox releases simply don't know that #2 is a valid authority signed by #1 -- your server should tell the browser that it is.
The takeaway: YOUR WEB SERVER SHOULD SEND THE ENTIRE CERTIFICATE CHAIN, not just your website certificate.
If you want to see this in practice, for instance, run the following commands:
openssl s_client -connect www.bankofamerica.com:443 -showcerts
^ sends 3 certs which is the whole chain to the root certificate.
openssl s_client -connect www.piercebroscoffee.com:443 -showcerts
^ sends just 1 certificate for the "www.piercebroscoffee.com" site
For Apache, configuring this is a matter of setting the SSLCertificateChainFile option
see: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile
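The failure described in Comment 4 can be reproduced offline with `openssl verify`; this is an added example, not part of the original bug thread. It generates a constructed root (#1), intermediate (#2) and leaf (#3) locally, then checks the leaf as a client that trusts only the root, first without and then with the intermediate supplied. The names `Demo Root CA`, `Demo Intermediate CA`, `your.domain.example` and all file names are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, name and certificate here is generated locally.
set -u
WORK=$(mktemp -d) && cd "$WORK" || exit 1

# Extension files: CA certificates (#1, #2) versus the end-entity certificate (#3).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:your.domain.example\n' > leaf.ext

# new_csr NAME CN: fresh RSA key plus a signing request for it.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXTFILE: issue NAME.pem from NAME.csr, signed by ISSUER.
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

build_chain() {
  new_csr root "Demo Root CA" &&
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.pem 2>/dev/null &&          # #1 self-signed root
  new_csr inter "Demo Intermediate CA" && sign inter root ca.ext &&   # #2
  new_csr leaf "your.domain.example" && sign leaf inter leaf.ext &&   # #3
  cat leaf.pem inter.pem > fullchain.pem   # leaf first, then its issuer
}

# Client trusts only the root and received only the leaf.
verify_leaf_only()  { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
# Same trust store, but the intermediate arrives (untrusted) alongside the leaf.
verify_with_chain() { openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1; }
# Count the certificates in a PEM bundle.
certs_in() { grep -c 'BEGIN CERTIFICATE' "$1"; }

build_chain || { echo "chain generation failed" >&2; exit 1; }
if verify_leaf_only; then echo "leaf only: OK"; else echo "leaf only: REJECTED (issuer unknown)"; fi
if verify_with_chain; then echo "leaf + intermediate: OK"; else echo "leaf + intermediate: REJECTED"; fi
echo "fullchain.pem carries $(certs_in fullchain.pem) certificates"
```

The trust store is identical in both checks; the only difference is whether the intermediate is handed to the verifier, which is the server's job during the handshake.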
Comment 5•16 years ago
I'm pretty sure this is a duplicate of bug 399324: a look at one of the sites mentioned here confirmed the AIA extension is used in the site's cert, and I recall seeing this before with GoDaddy certs.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Comment 6•16 years ago
> The takeaway: YOUR WEB SERVER SHOULD SEND THE ENTIRE CERTIFICATE CHAIN,
> not just your website certificate.
EXACTLY! Just as the SSL and TLS standards have always said. The ability
to fetch missing certs is a workaround for misconfigured servers.
Resolution: DUPLICATE → INVALID
Comment 7•16 years ago
Comment 8•16 years ago
The web server in question is IIS6, probably next to Apache the most common webserver out there.
Since ONLY Firefox has this problem, saying that the web server is incorrectly configured will not help.
Comment 9•16 years ago
(In reply to comment #7)
> The web server in question is IIS6, probably next to Apache the most common
> webserver out there.
So? This is Firefox bugzilla, not IIS or GoDaddy support. And this is not a bug in Firefox, but in your server configuration.
See section "Install the Intermediate Certificate Bundle" at:
http://help.godaddy.com/topic/742/article/4875
For progress on automatically fetching intermediate certificates in future releases of Firefox, see bug #399324