Why do I get a certificate error with error "sec_error_untrusted_issuer" but when i go to view the certificate and add an exception it says "this site provides valid,verified identification. There is no need to add an exception"
Using firefox 3.6.4 to access an internal site which has been configured using the apache directive SSLCertificateChainFile with the certificate authority certificate and Intermediate certificate authority certificates which are supposed to validate the certificate even if the users browser is missing the certificate for the CA which signed the web server cert. Microsoft IE works fine for the same site but firefox always gives this error on first connection to the site.
Additional System Details
- JInitiator 188.8.131.52 for Netscape Navigator (DLL Helper)
- Office Plugin for Netscape Navigator
- Citrix ICA Client Plugin (Win32)
- Adobe PDF Plug-In For Firefox and Netscape
- The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
- Default Plug-in
- NPRuntime Script Plug-in Library for Java(TM) Deploy
- Shockwave Flash 10.1 r82
- Adobe Shockwave for Director Netscape plug-in, version 11.5
- Next Generation Java Plug-in 1.6.0_21 for Mozilla browsers
- Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
- User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:184.108.40.206) Gecko/20100611 Firefox/3.6.4
Incorrectly configured server. i.e. missing intermediate chain certificate. IE can download automatically, but Mozilla can't, hence the cert error. As far as why it randomly decides it is valid sometimes prior to you try to add a security exception I don't know.
Thanks for your reply. In this case I'm confident that the intermediate certificate is installed correctly but firefox isn’t behaving how I would expect. I did some more investigation and found that the intermediate certificate is being loaded into firefox when I attempt to browse the site however it gets loaded in with the default settings of "Software Security Device" with the three checkboxes for trust settings unchecked. If I manually go in and check the box for the intermediate certificate authority to identify websites then I can browse to the site without getting the warning. To me this defeats the point of an intermediate cert. I would expect that if I trust the issuer of the intermediate cert to identify websites then I should automatically trust the intermediate CA cert to identify websites as IE seems to do. At the very least I should get a popup or something asking if I want to trust the intermediate CA cert to identify websites when it gets loaded into my certificate store on accessing the site. Allowing the intermediate CA cert to determine that the web server cert is valid but not trusting it to identify the site doesn’t seem to make any sense.
I have the same problem in 3.6.6 (I think). I can't even access the Firefox add-ons facility due to spurious certificate errors, and this appears to affect the majority of sites I attempt to access!
I don't have problems with IE or Chrome when accessing these sites.
I have Firefox 4.0 with this issue. The certificate that it was trying to use had expired and was not the one on the secure Web site. I followed some advice I found on mozillaZine, "How to clear SSL cache". (Yes, I know. Firefox does NOT cache SSL certs.) It said to go to Tools >> Clear Private Data. I didn't see that but clicked on Start Private Browsing. I browsed to the secure Web site and the new cert showed up. It still didn't like it because the top level CA is a noob. When I cycled out of the Private Browsing mode, the secure Web site was available.