
only firefox has certificate issue "unknown_issuer" with self-signed certificate

  • 5 replies
  • 2 have this problem
  • 12 views
  • Last reply by sebastianzang

more options

We have various Apache instances that host internal sites.

We have a Server 2012 Enterprise Certificate Authority with which we sign internal certificates. I have created a batch of new certificates for various sites, and Chrome, IE10+ as well as Opera and Safari have no issue with the self-signed cert.

The certificate chain is good, I used various tools to verify that the certificate is good.

Digicerts Tools, as well as browser and server loaded certificates. Please see the attached screenshots.

Firefox claims the "unknown_issuer" error. But as you can see from the screenshots, the issuer is there and a complete chain is available.

What am I missing? We utilize Firefox in our environment quite a bit, Chrome is an alternative, but I'd like to understand what is going on?


Chosen solution

jscher2000, you sent me down the right path. THANK YOU

openssl was being a bit tricky when converting my p7b file. Most guides out there miss a step.

What you usually find is:

    openssl pkcs7 -print_certs -in cert.p7b -out cert.crt

but the problem is it only converts the certificate to a PKCS7 certificate and does not output the actual chain. The file looks like


-----BEGIN PKCS7-----
MIII4AYJKoZIhvcNAQcCoIII0TC... .... .... ....
-----END PKCS7-----

which Apache cannot read.

The additional step is to convert the DER type to a PEM type, and then print the certificates:

    openssl pkcs7 -inform DER -in cert.p7b -outform PEM -out cert.pem
    openssl pkcs7 -print_certs -in cert.pem -out certchain.crt

Now the crt looks like:

subject=****intermediate
issuer=****intermediate
-----BEGIN CERTIFICATE-----
MIIE2TCCA8GgAwIBAgITJgAAAAKAG6X..... .... .... ....
-----END CERTIFICATE-----

subject=****root
issuer=****root
-----BEGIN CERTIFICATE-----
MIID1DCCArygAwIBAgIQF0mjFUDL.... .... .... ....
-----END CERTIFICATE-----

I have corrected the chaincert file, restarted my Apache and the Digicert tool does indeed show subordinate and root.

Read this answer in context 👍 0
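The conversion described in the answer above, as an added example that is not part of the original post: it classifies what a chain file actually contains (the PKCS#7 wrapper versus real PEM certificates) and unpacks a `.p7b` in a single `openssl pkcs7` call, which goes slightly beyond the two-step form in the answer by accepting either DER or PEM input. The function names, file names and certificate subjects are assumptions made for the demonstration; the test CA is generated on the fly.

```sh
#!/bin/sh
# Added example, not from the thread. File names and subjects are constructed.

# Report what a file given to SSLCertificateChainFile really contains:
#   pem-chain:N  N PEM certificates (what Apache can send to clients)
#   pkcs7-pem    a PEM-armoured PKCS#7 wrapper (the broken file in this thread)
#   not-pem      no PEM block at all, e.g. a DER-encoded .p7b
chain_file_kind() {
    if grep -q -- '-----BEGIN PKCS7-----' "$1"; then
        echo "pkcs7-pem"
        return 0
    fi
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    if [ "$n" -gt 0 ]; then echo "pem-chain:$n"; else echo "not-pem"; fi
}

# Unpack a PKCS#7 bundle ($1, DER or PEM) into a PEM chain file ($2).
p7b_to_chain() {
    case $(chain_file_kind "$1") in
        pkcs7-pem) form=PEM ;;
        not-pem)   form=DER ;;
        *) echo "$1 already holds PEM certificates" >&2; return 1 ;;
    esac
    openssl pkcs7 -inform "$form" -in "$1" -print_certs -out "$2"
}

# Build a throwaway root and intermediate, bundle them as a DER .p7b,
# convert it, and print the classification before and after.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    echo "basicConstraints=CA:TRUE" > "$d/ext.cnf"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/int.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$d/int.pem" -certfile "$d/root.pem" \
        -outform DER -out "$d/cert.p7b"
    before=$(chain_file_kind "$d/cert.p7b")
    p7b_to_chain "$d/cert.p7b" "$d/certchain.crt"
    after=$(chain_file_kind "$d/certchain.crt")
    rm -rf "$d"
    echo "$before -> $after"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

On Apache 2.4.8 and later, `SSLCertificateChainFile` is deprecated; the same PEM certificates can instead be appended to the file named by `SSLCertificateFile`.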

All replies (5)

more options

I'll start with the most common thing:

Is the server configured to send the intermediate certificates? Firefox either needs to receive them from the server, or to have previously received them from another server. Unlike some other browsers, Firefox will not seek them from other sources.

more options

Ha, I knew I forgot to include that. Yes, we declare the chain certificate in the apache config.

    SSLCertificateFile "/apps/$SiteDir/conf/certs/$Cert.cer"
    SSLCertificateKeyFile "/apps/$SiteDir/conf/certs/$Cert.key"
    SSLCertificateChainFile "/apps/intermediate.cer"

more options

Hmm, I would expect to see the intermediate and root certs in the Digicert screen shot if the server is sending them. Am I misunderstanding how that tool works? What if you point it at another site for comparison?

more options

Did you check the certificate chain in Firefox and verify that the topmost in the chain has the appropriate trust bit(s) set if that isn't a built-in trusted root certificate?
