This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Hierdie gesprek is in die argief. Vra asseblief 'n nuwe vraag as jy hulp nodig het.

Why do I get a certificate error with error "sec_error_untrusted_issuer" but when i go to view the certificate and add an exception it says "this site provides valid,verified identification. There is no need to add an exception"

  • 4 antwoorde
  • 783 hierdie probleem
  • 1 view
  • Laaste antwoord deur Phil_Young

more options

Using firefox 3.6.4 to access an internal site which has been configured using the apache directive SSLCertificateChainFile with the certificate authority certificate and Intermediate certificate authority certificates which are supposed to validate the certificate even if the users browser is missing the certificate for the CA which signed the web server cert. Microsoft IE works fine for the same site but firefox always gives this error on first connection to the site.

Using firefox 3.6.4 to access an internal site which has been configured using the apache directive SSLCertificateChainFile with the certificate authority certificate and Intermediate certificate authority certificates which are supposed to validate the certificate even if the users browser is missing the certificate for the CA which signed the web server cert. Microsoft IE works fine for the same site but firefox always gives this error on first connection to the site.

All Replies (4)

more options

Incorrectly configured server. i.e. missing intermediate chain certificate. IE can download automatically, but Mozilla can't, hence the cert error. As far as why it randomly decides it is valid sometimes prior to you try to add a security exception I don't know.

http://www.sslshopper.com/ssl-certificate-not-trusted-error.html

more options

Thanks for your reply. In this case I'm confident that the intermediate certificate is installed correctly but firefox isn’t behaving how I would expect. I did some more investigation and found that the intermediate certificate is being loaded into firefox when I attempt to browse the site however it gets loaded in with the default settings of "Software Security Device" with the three checkboxes for trust settings unchecked. If I manually go in and check the box for the intermediate certificate authority to identify websites then I can browse to the site without getting the warning. To me this defeats the point of an intermediate cert. I would expect that if I trust the issuer of the intermediate cert to identify websites then I should automatically trust the intermediate CA cert to identify websites as IE seems to do. At the very least I should get a popup or something asking if I want to trust the intermediate CA cert to identify websites when it gets loaded into my certificate store on accessing the site. Allowing the intermediate CA cert to determine that the web server cert is valid but not trusting it to identify the site doesn’t seem to make any sense.

more options

I have the same problem in 3.6.6 (I think). I can't even access the Firefox add-ons facility due to spurious certificate errors, and this appears to affect the majority of sites I attempt to access!

I don't have problems with IE or Chrome when accessing these sites.

more options

I have Firefox 4.0 with this issue. The certificate that it was trying to use had expired and was not the one on the secure Web site. I followed some advice I found on mozillaZine, "How to clear SSL cache". (Yes, I know. Firefox does NOT cache SSL certs.) It said to go to Tools >> Clear Private Data. I didn't see that but clicked on Start Private Browsing. I browsed to the secure Web site and the new cert showed up. It still didn't like it because the top level CA is a noob. When I cycled out of the Private Browsing mode, the secure Web site was available.