User Agent: Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0 Iceweasel/15.0 Build ID: 20120829073406 Steps to reproduce: 1. Start Firefox 2. Browse to https://isig.org.nz/ -> Error: sec_error_untrusted_issuer 3. Browse to https://startssl.com/ -> Error: sec_error_untrusted_issuer 4. Restart Firefox 5. Browse to https://startssl.com/ -> Success 6. Browse to https://isig.org.nz/ -> Error: sec_error_untrusted_issuer Actual results: Failure at steps 2, 3, 6. Expected results: Success at all steps. See also bug 784296, bug 479508, bug 602750, bug 751960. From what I can tell, https://isig.org.nz/ serves a CA-certificate with sha256withRSA, and Firefox has a sha1withRSA in its store (with the same public key).
Created attachment 657917 [details] Certificate chain from https://startssl.com/ openssl s_client </dev/null -CApath /etc/ssl/ -connect startssl.com:https -showcerts
Created attachment 657918 [details] Certificate chain from https://isig.org.nz/ openssl s_client </dev/null -CApath /etc/ssl/ -connect isig.org.nz:https -showcerts
Visiting https://isig.org.nz/ works fine for me using FF 15.0.1. https://startssl.com/ now uses an EV cert signed by "StartCom Extended Validation Server CA" so I could not reproduce your case. https://isig.org.nz/ now serves a SHA1 certificate. Is this still a problem for you?
I no longer get the reported behaviour. I'm now able to browse to https://isig.org.nz/ without error. I'll close this bug, but please feel free to re-open if you think it merits further investigation.