Closed Bug 457852 Opened 17 years ago Closed 17 years ago

sec_error_unknown_issuer for cert issued by Network Solutions

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major

Tracking

RESOLVED INVALID

People

(Reporter: headhunter3, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2
Our certificate was issued by Network Solutions and shows properly as valid in other browsers including IE7, Chrome, and Safari, but in firefox 3 it generates a sec_error_unknown_issuer error.
Reproducible: Always
Steps to Reproduce:
1. Install FF3
2. Browse to http://support.i-evolve.net
3. Look at screen
Actual Results: sec_error_unknown_issuer error is displayed.
Expected Results: The page should have been displayed.
This CA root cert should be included with FF3.0.2 (bug 403915) and it's wfm with FF3.0.2 and SeaMonkey trunk. You cannot create bug reports to include a Root CA certificate, but in this case it should work after Firefox 3.0.2.
Matti: this certificate is not present by default in either Firefox 3.0.2 or 3.1b1.
Actually, this is a problem with the way that web server is configured. It's not sending a proper certificate chain. You can prove this to yourself by doing the following:
1) Start/Restart FF3
2) Visit site, see error page
3) Visit https://www.networksolutions.com/ which (obviously) chains to the same root, and which serves a proper set of intermediate certificates. These are cached by Firefox.
4) Revisit i-evolve site, and now it loads properly, because we got the necessary intermediate certs from another source.
Or, if you prefer, from a suitably equipped command line, you can run:
    openssl s_client -connect support.i-evolve.net:443 -showcerts
and see that the rest of the certificate chain is not being sent.
headhunter3 - your cert is valid, but your webserver needs to send a complete certificate chain. Your contact at network solutions can help you set that up, I imagine, if you have any difficulty. I confirm that I also get an unrecognized cert error in other browsers like Safari if I go straight there, without doing other browsing which might cause them to encounter the required certs somewhere else.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
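
The command-line check from comment 3, as an added example that is not part of the original bug thread: a shell function that reads `openssl s_client -showcerts` output and reports whether the server sent more than its own certificate. The function names, the status words and the `example.test` sample chains are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client -showcerts` output on stdin and
# classifies the "Certificate chain" section the server sent.
chain_status() {
  awk '
    BEGIN { n = 0 }
    # " 0 s:<subject>" starts entry n; the "   i:<issuer>" line follows it.
    /^ *[0-9]+ s:/   { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    /^ *i:/ && n > 0 { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
    END {
      if (n == 0) { print "NO_CHAIN"; exit }
      # Each certificate must be issued by the next one in the list.
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) { print "BROKEN_LINK after " k; exit }
      # A lone, non-self-issued leaf: the client has to find the issuer itself.
      if (n == 1 && subj[0] != iss[0]) { print "LEAF_ONLY needs: " iss[0]; exit }
      print "CHAIN_OF " n " ends at: " iss[n - 1]
    }'
}

# Constructed sample: the misconfiguration in this bug (leaf certificate only).
sample_leaf_only() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
---
EOF
}

# Constructed sample: the server also sends the intermediate.
sample_full_chain() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
EOF
}

# Live use, with the command from comment 3:
#   openssl s_client -connect support.i-evolve.net:443 -showcerts </dev/null 2>/dev/null | chain_status
```

`LEAF_ONLY` is the state that yields sec_error_unknown_issuer in a fresh profile; `CHAIN_OF` names the issuer the client must already hold as a trust anchor.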
I use FF3.0.3 (not 3.0.2) without a proxy or Firewall on vista.
1) start Firefox 3.0.3 (homepage is about:blank and my FF is only used for triage, I use SM as browser)
2) visit http://support.i-evolve.net/
3) wfm
4) create new profile
5) error
Is this cached somehow in the profile ?
The intermediate certs are cached in our cert DB somewhere, I didn't think they were written out, but it could be. I'll cc: kai in, in case he wants to comment, but yeah, in either case the best fix is certainly to set up the server to send the appropriate cert chain. :)
(In reply to comment #5)
> The intermediate certs are cached in our cert DB somewhere, I didn't think they
> were written out, but it could be. I'll cc: kai in, in case he wants to
> comment,
Yes, we cache valid intermediate certs on disk. Although a server that doesn't send out a required intermediate cert operates out of specs, we've decided to cache valid intermediates, in order to lower the pain for end users - as this is a very common mistake made by server admins.
> but yeah, in either case the best fix is certainly to set up the
> server to send the appropriate cert chain. :)
Yes, please fix the server. Your CA should have given you instructions on how to add the intermediate along your server cert.
(In reply to comment #3)
> headhunter3 - your cert is valid, but your webserver needs to send a complete
> certificate chain. Your contact at network solutions can help you set that up,
> I imagine, if you have any difficulty. I confirm that I also get an
> unrecognized cert error in other browsers like Safari if I go straight there,
> without doing other browsing which might cause them to encounter the required
> certs somewhere else.
Thanks for the help. I didn't know about the caching.