Firefox cannot verify SSL cert
I'm looking after a site that some Firefox installs cannot connect to using https, because FF reports that it cannot verify the certificate with a recognised authority.
I believe that the cert and chain are all installed correctly on the web server; IE and Chrome both work fine.
I've checked the cert on a number of sites and they all report that it is ok. http://www.networking4all.com
This is a public site so adding exceptions to the browsers is not an option. The cert on this site has been installed for nearly a year and we've only just had this issue reported.
Anyone got any ideas?
All Replies (5)
I looked at the cert and the issuer and you're right, everything looks good but you get the untrusted_issuer error. So let's try some more basic debugging:
When did this start happening? Was it with the install of Firefox 11 (and thus, does Firefox 10 or earlier work?) Was this something that happened after Firefox 11 was installed (in which case, we may need to look to see if something got blocked or revoked weirdly)?
Try to rename the cert8.db file in the Firefox profile folder to cert8.db.old or delete the cert8.db file to remove intermediate certificates that Firefox has stored.
If that helped to solve the problem then you can remove the renamed cert8.db.old file.
Otherwise you can rename (or copy) the cert8.db.old file to cert8.db to restore the previous intermediate certificates.
Firefox will automatically store intermediate certificates when you visit websites that send such a certificate.
If you have user certificates that you want to keep then export those certificates to a .cer file before removing the cert8.db file.
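The rename, test, then remove-or-restore procedure from the reply above, written as a reversible shell helper. This is an added example, not part of the original thread; the function name `certdb` and its `reset`/`restore`/`discard` actions are hypothetical, the profile folder is passed in by the caller, and it assumes Firefox is closed while it runs.

```shell
#!/bin/sh
# Added example: reversible reset of the intermediate certificates Firefox has stored.
# "certdb" and its action names are hypothetical; only cert8.db and cert8.db.old
# come from the thread.
certdb() {
    action=$1
    profile=$2
    db="$profile/cert8.db"
    old="$profile/cert8.db.old"

    if [ ! -d "$profile" ]; then
        echo "profile folder not found: $profile" >&2
        return 2
    fi

    case "$action" in
        reset)
            # Set the current database aside; Firefox creates a fresh one on next start.
            [ -f "$db" ] || { echo "no cert8.db in $profile" >&2; return 1; }
            # Never clobber an earlier backup: it may hold the only copy of user certificates.
            [ ! -e "$old" ] || { echo "cert8.db.old already exists, not overwriting" >&2; return 1; }
            mv "$db" "$old"
            ;;
        restore)
            # The reset did not help: put the previous database back over the new one.
            [ -f "$old" ] || { echo "no cert8.db.old to restore" >&2; return 1; }
            mv -f "$old" "$db"
            ;;
        discard)
            # The reset fixed the problem: the renamed database is no longer needed.
            [ -f "$old" ] || { echo "no cert8.db.old to remove" >&2; return 1; }
            rm -f "$old"
            ;;
        *)
            echo "usage: certdb reset|restore|discard PROFILE_DIR" >&2
            return 2
            ;;
    esac
}
```

Source the file, run `certdb reset` against the profile folder, retest the site, then run either `certdb discard` or `certdb restore` depending on the result.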
Ok, dug a whole lot deeper on this one. You're using a cert that chains to Trustwave.
The weird thing is that one of the man-in-the-middle certificates happens to have the same serial number as the CA cert that issued your cert: MicrosCA. So it broke that link in the chain and Firefox isn't able to build a proper trust chain. You'll need to contact Micros and get a new certificate issued off a CA cert that has a new serial number.
Thanks, I'll get on to our cert issuer and see if we can get this sorted.