Closed Bug 661107 Opened 14 years ago Closed 14 years ago

No issuer chain provided from SSL cert for testpilot.mozillalabs.com

Categories

(Infrastructure & Operations Graveyard :: WebOps: Labs, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: chrisccoulson, Assigned: zandr)

Navigating to https://testpilot.mozillalabs.com/ results in a "This Connection is Untrusted" warning, with the error code "sec_error_unknown_issuer" (The certificate is not trusted because no issuer chain was provided).

The test-pilot extension also triggers this, resulting in this dialog when starting Firefox: https://launchpadlibrarian.net/72701040/Screenshot.jpg

I think this only started happening recently (we suddenly got quite a few bug reports in Ubuntu in the last few days).

It seems that the certificate is signed by an intermediate CA cert (GeoTrust SSL CA) which is not included with NSS. According to https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422, the intermediate CA cert should be installed on the server alongside your SSL cert (although, I'm merely speculating here, it could be a different issue entirely).

If I use the SSL checker at https://knowledge.geotrust.com/support/knowledge-base/index?page=content&actp=CROSSLINK&id=SO9557, it points me to the missing intermediate cert. If I import this cert, then the warnings go away.

I'm not sure which product this should be reported against. I looked in the Websites product first, but there doesn't appear to be a component specific to testpilot.mozillalabs.org.
CC'ing some people
Zandr updated the SSL certs for *.mozillalabs.com and might not have updated the intermediary certs. This is a setting in Zeus, under SSL certificates -> specific cert -> Intermediary and you can upload it there and you should be fine. (If you need help finding it, ping me on IRC.)
Assignee: nobody → server-ops-labs
Component: Test Pilot → Server Operations: Labs
Product: Mozilla Labs → mozilla.org
QA Contact: test-pilot → zandr
Version: unspecified → other
Assignee: server-ops-labs → zandr
And Chris, you're probably bang on target :)
Chris- Good catch. I did update the cert and apparently didn't get the intermediate right. I'll get that sorted shortly.
Excellent, thanks!
OK, this is fixed. Cert checks using the GeoTrust tool pass. /me closes bug, puts brown bag over head, hides in shame. :)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Hi, this bug seems to be back with version 9 (latest version) of Firefox on Windows 7 and GeoTrust certificates. Getting a "no issuer chain was provided" message. Customers are complaining at secure checkout regarding this.

GeoTrust tech support has been alerted but they said this is something that has to be fixed in Firefox, the server, or have the customer install in their browser. Unfortunately we have no control over the customer, and the server is a legacy server using an unchained cert. Can you manually add the GeoTrust RapidSSL intermediate certificate to the latest Firefox Windows version?

Curiously it seems to work properly in the Mac version of Firefox as well as all other browsers tested on Mac and Windows. You can hit https://www.web-secured.com using Firefox 9 with Windows 7 to see the "no issuer chain provided" message.
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
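
The failure discussed in this bug can be reproduced offline. The script below is an added example, not part of the bug thread or of any Mozilla or GeoTrust tooling: it builds a constructed root, intermediate and server certificate, then verifies the server certificate with and without the intermediate supplied. It assumes the `openssl` command-line tool is installed; all subjects and file names are constructed.

```shell
#!/bin/sh
# Added example: every name, subject and path below is constructed.

# mk_csr DIR NAME CN: fresh RSA key plus a signing request for CN.
mk_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_pki DIR: root CA -> intermediate CA -> server (leaf) certificate.
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  mk_csr "$1" root "Constructed Root CA" &&
  mk_csr "$1" inter "Constructed Intermediate CA" &&
  mk_csr "$1" leaf "www.example.test" &&
  # Self-signed root: the certificate the client already trusts.
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
    -sha256 -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null &&
  # Intermediate signed by the root; clients do not ship with it.
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" \
    -CAkey "$1/root.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$1/ca.ext" -out "$1/inter.pem" 2>/dev/null &&
  # Server certificate signed by the intermediate, not by the root.
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" \
    -CAkey "$1/inter.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$1/leaf.ext" -out "$1/leaf.pem" 2>/dev/null
}

# Server sends only its own certificate: the verifier trusts the root
# but has nothing that links the leaf to it.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Server sends leaf plus intermediate: the intermediate is untrusted
# input, used only to build the path up to the trusted root.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/leaf.pem" 2>&1
}

demo=$(mktemp -d) && build_pki "$demo"
verify_leaf_only "$demo" || echo "-> leaf alone: no path to the trusted root"
verify_with_chain "$demo" && echo "-> leaf + intermediate: chain verifies"
rm -rf "$demo"
```

OpenSSL reports the leaf-only case as "unable to get local issuer certificate", its counterpart to the "no issuer chain was provided" message quoted in this bug.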