Support Forum

The certificate is not trusted because no issuer chain was provided

I have a problem accessing an https website with Firefox (26.0), but have no problems accessing it with either Chrome or IE. The particular URL deep links into a message forum.

https://www.lotro.com/forums/showthread.php?535472-Update-12-1-Scaling-Instance-Loot

I get the following error message:

This connection is untrusted

You have asked Firefox to connect securely to www.lotro.com, but we can't confirm that your connection is secure.

www.lotro.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

Adding an exception works, but only for this one message thread. The next time I have a different thread we go through the same routine.

OK, I've read the forums a bit:

  • Disabled all Add-ons
  • I'm not running any SSL scanning.
  • Both browser.xul.error_pages.enabled and browser.xul.error_pages.expert_bad_cert are set to True.
  • Certificate dates are fine as is my clock/date.
  • I've deleted cert8.db

When it does load, rather than getting a lock I get an exclamation point, and a mouseover says "Website does not supply identity information."

When I tell Firefox to get the certificate I get:

Certificate Status: This site attempts to identify itself with invalid information.

Unknown Identity

Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.

When I view the certificate I find:

Issued To

  • Common Name (CN): *.lotro.com
  • Organization (O): The Saul Zaentz Company
  • Organizational Unit (OU): Secure LInk SSL Wirecard

Issued By

  • CN: Network Solutions Certificate Authority
  • O: Network Solutions L.L.C.
  • OU: <Not Part of Certificate>

Validity

  • Issued on: 1/3/2012
  • Expires on: 1/17/2016

Under Details > Extensions I find Certificate Basic Constraints: Critical, Is not a Certificate Authority.

The security trust chain looks like this:

USERTrust

    UTN-USER-First-Hardware
         Network Solutions Certificate Authority
              *.lotro.com

Additional System Details

Installed Plug-ins

  • Shockwave Flash 11.9 r900
  • Google Update
  • iTunes Detector Plug-in
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.05
  • 5.1.20913.0
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Picasa plugin
  • Pando Web Plugin
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • NPWLPG
  • Windows Activation Technologies Plugin for Mozilla
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Provides additional functionality on Facebook. See our web site for details.
  • Office Authorization plug-in for NPAPI browsers

Application

  • Firefox 26.0
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
  • Support URL: https://support.mozilla.org/1/firefox/26.0/WINNT/en-US/

Extensions

  • Adblock Plus 2.4 ({d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d})
  • Add Bookmark Here ² 23.0.20131128 (abhere2@moztw.org)
  • ColorZilla 2.8 ({6AC85730-7D0F-4de0-B3FA-21142DD85326})
  • DoNotTrackMe: Online Privacy Protection 3.1.1030 (donottrackplus@abine.com)
  • Evernote Web Clipper 5.9.1 ({E0B8C461-F8FB-49b4-8373-FE32E9252800})
  • Ghostery 5.0.6 (firefox@ghostery.com)
  • LastPass 3.0.12 (support@lastpass.com)
  • Troubleshooter 1.1a (troubleshooter@mozilla.org)
  • Xmarks 4.2.3 (foxmarks@kei.com)

jscher2000
  • Top 10 Contributor
2365 solutions 20922 answers

It sounds like you are getting a good certificate, or at least the same one I'm getting (first screen shot). Can you check whether you have an entry for "UTN-USER-First-Hardware" in your Authorities tab?

orange Firefox button (or Tools menu) > Options > Advanced > Certificates mini-tab > "View Certificates" button

On the Authorities tab, toward the bottom under The USERTRUST Network, can you find "UTN-USER-First-Hardware"? (second screen shot)

Was this helpful to you? 5

jscher2000

Forgot the screen shots. Here they are:

Was this helpful to you? 1

jscher2000

Regarding the warning icon in the address bar, I get that as well. It indicates that there is some non-secure "passive" content in the page, like images. For forums, I wouldn't be too concerned about that.

The reference to identity information is there for all regular SSL certificates. Only EV SSL certificates (green lock) can verify identity, because the issuer requires some proof of identity for the customer before issuing it.

Was this helpful to you? 0

Question owner

I went in and looked at my Authorities tab and DO have The USERTRUST Network and UTN-USER-First-Hardware. I also have Network Solutions L.L.C and Network Solutions Certificate Authority.

I deleted UTN-USER-First-Hardware and went to http://www.tbs-certificates.com/FAQ/en/42.html and imported the certificate. But when I try I'm told "This certificate is already installed as a certificate authority." :( It is back in my Authorities tab; is it the new one or not? I didn't exit and reload Firefox while doing this.

While searching for UTN-USER-First-Hardware I saw a few stories about some bad certificates issued back in 2011 (addons.mozilla.com and the like). Was their certificate revoked?

Modified by Paul5358

Was this helpful to you? 0

jscher2000

Helpful Reply

Hi Paul5358, the story of the fraudulent 2011 certificates is an interesting story, and in the end, the known bad certificates were blocked in two ways (hardcoded in Firefox, and when Firefox checks certificate validity, reporting that they are invalid). The certificate used for LOTRO is not one of those bad certificates.

Because Comodo is a leading low-cost provider of SSL certificates, distrusting the UTN-USER-First-Hardware certificate used to sign the fraudulent certificate also will distrust thousands of legitimate certificates used around the web. In a post-mortem article, that was estimated to impact 205,000 sites (13% of all secure sites) whose SSL certs ultimately are signed by that certificate. So I don't think it's practical to distrust it (you can't actually delete the certificate, as you discovered, but you can distrust it).

But this leaves the mystery of why you get an SSL error when visiting the forum. Could there be some software that is intercepting your secure connections and bungling the certificates, such as security/filtering software or malware? Or is Firefox connecting through a dysfunctional proxy/privacy service? One place to check for indirect connections is the Options dialog.

orange Firefox button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button

The default setting is "Use system proxy settings", which should piggyback on the settings in Internet Explorer. You also could try "No proxy".

Modified by jscher2000

Was this helpful to you? 5
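
The two checks jscher2000 asks for in this thread (is the issuing authority in the Authorities list, and is something on the path re-signing the connection) can be modelled as a walk over issuer names. This is an added example, not part of any post; the chains are constructed from names quoted in the thread, and "Example Filter CA" is a hypothetical filtering product.

```python
# Added illustration, not code from the thread. It follows issuer names only;
# a real validator also checks signatures, validity dates and constraints.

def diagnose_chain(presented, authorities, trusted_roots):
    """Walk from the leaf toward a trusted root.

    presented     -- [(subject, issuer), ...] as sent by the server, leaf first
    authorities   -- {subject: issuer} for CA certs already in the client store
    trusted_roots -- set of subjects the client trusts as roots
    Returns (verdict, path), where path lists the names visited.
    """
    known = dict(authorities)
    known.update(dict(presented[1:]))   # intermediates the server supplied
    subject, issuer = presented[0]
    path = [subject]
    while True:
        if issuer in trusted_roots:
            return "trusted", path + [issuer]
        if issuer == subject:           # self-issued top the client does not trust
            return "untrusted-root", path
        if issuer in path:              # malformed chain that points back at itself
            return "loop", path
        if issuer not in known:         # nothing sent or stored names this issuer
            return "issuer-not-found", path + [issuer]
        subject, issuer = issuer, known[issuer]
        path.append(subject)


def same_issuer_as_reference(presented, reference_issuer):
    """Compare the leaf's issuer with the one a second vantage point reports."""
    return presented[0][1] == reference_issuer


# Constructed sample data using names quoted in the thread.
LEAF = ("*.lotro.com", "Network Solutions Certificate Authority")
INTERMEDIATE = ("Network Solutions Certificate Authority", "UTN-USER-First-Hardware")
ROOTS = {"UTN-USER-First-Hardware"}
FULL_CHAIN = [LEAF, INTERMEDIATE]
LEAF_ONLY = [LEAF]
# Hypothetical filtering product that re-signs the site with its own root.
RESIGNED = [("*.lotro.com", "Example Filter CA"),
            ("Example Filter CA", "Example Filter CA")]

if __name__ == "__main__":
    cases = [("full chain sent", FULL_CHAIN, {}),
             ("leaf only, empty store", LEAF_ONLY, {}),
             ("leaf only, intermediate stored", LEAF_ONLY, dict([INTERMEDIATE])),
             ("re-signed on the path", RESIGNED, {})]
    for label, chain, store in cases:
        verdict, path = diagnose_chain(chain, store, ROOTS)
        same = same_issuer_as_reference(chain, LEAF[1])
        print(f"{label}: {verdict}; path={' -> '.join(path)}; issuer matches reference={same}")
```

The reference issuer would come from a second vantage point, such as the certificate another person reports seeing for the same site.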

Question owner

I checked Configure Proxies to Access the Internet and found it was set to "Use system proxy settings". I changed it to "No proxy", saved it and reloaded. No joy :(

Leaving the proxy settings at No, I disabled all of the Add-ons and rebooted into Safe Boot with Network via MSConfig to eliminate the chance that some loaded and forgotten program was doing something. Still the connection is untrusted.

Because I use LastPass and Xmarks, I'm not averse to blowing away Firefox and reloading it, if I can remove it and not leave any crumbs behind.

Modified by Paul5358

Was this helpful to you? 0

jscher2000

You can manipulate the two aspects of the program separately:

(1) Settings - to test with clean settings, you can create a new profile; let's hold that thought.

(2) Program - sometimes program files become corrupted, which usually can be repaired by re-running the full installer. However, if other software has dropped files into Firefox's program folder, those won't be replaced or removed. This is by design so you don't lose plugins dropped there, but could be the source of the problem. To address that situation, you can rename the Firefox folder and then reinstall.

Download the installer for your preferred language from this page:

https://www.mozilla.org/en-US/firefox/all/

After exiting Firefox, rename the program folder to something like OldFox.

On 64-bit Windows, it's:

C:\Program Files (x86)\Mozilla Firefox

On 32-bit Windows, it's:

C:\Program Files\Mozilla Firefox

Then run the installer. It should find your existing personal data automatically.

Any improvement?

Was this helpful to you? 0

jscher2000

To complete the thought in the previous post, here's the two-minute new profile experiment:

Create a new Firefox profile

A new profile will have your system-installed plugins (e.g., Flash) and extensions (e.g., security suite toolbars), but no themes, other extensions, or other customizations. It also should have completely fresh settings databases and a fresh cache folder.

Exit Firefox and start up in the Profile Manager using Start > search box (or Run):

firefox.exe -P

Any time you want to switch profiles, exit Firefox and return to this dialog.

You'll click the Create Profile button. I recommend using the default location suggested, and to avoid data loss, not re-using any existing folder. Then start Firefox in the new profile you created.

Does Firefox accept the certificate when you access the site in the new profile?

When returning to the Profile Manager, you might be tempted to use the Delete Profile button. But... it's a bit too easy to accidentally delete your "real" profile, so I recommend resisting the temptation. If you do want to clean up later, I suggest making a backup of all your profiles first in case something were to go wrong.

Was this helpful to you? 0

Question owner

With regard to the fraudulent certificates ... if a major root CA were forced to give a root certificate to some ... agency. Short of scrapping the whole chain of trust concept, is there anything that can be done? Seems like the weakest link is very weak.

I don't want to derail my own thread, but I'm sure this has been a topic of discussion. Perhaps you could point me in the right direction to do some reading.

Modified by Paul5358

Was this helpful to you? 0

Question owner

I renamed C:\Program Files (x86)\Mozilla Firefox as Mozilla Firefox Old and ran Firefox Setup 26.0. Same results.

I'll try the profile next.

Was this helpful to you? 0

Question owner

I created a new profile and a couple of things didn't work as expected. It took my new name but the only option highlighted was to select a folder. I skipped that and selected Next and things completed. But when I launched Firefox none of my addons were present.

Oh, by the way, lotro is still untrusted.

Was this helpful to you? 0

jscher2000

Hi Paul5358, it's normal to find that the new profile is mostly blank. That's the point of the test, actually, to see how Firefox would run if you had removed all your settings.

So I think you've ruled out both the program files side and the settings side.

There might be some registry settings that we've left in place through all this, but hopefully someone else will have some insight on the problem since I'm out of time.

Was this helpful to you? 0
cor-el
  • Top 10 Contributor
  • Moderator
10751 solutions 96756 answers

Check the date and time in the clock on your computer: (double) click the clock icon on the Windows Taskbar.

Was this helpful to you? 0

Question owner

Within a second, it looks like my internal time is correct 6:58:10 PM Sunday, December 22, 2013.

Was this helpful to you? 0

cor-el

Try to create a new profile as a test to check if your current profile is causing the problems.

See "Creating a profile":

If the new profile works then you can transfer some files from an existing profile to the new profile, but be cautious not to copy corrupted files to avoid carrying over the problem.

Was this helpful to you? 0

Question owner

I've found another site that gives my Firefox installation the same fits:

https://krebsonsecurity.com/

krebsonsecurity.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

The chain of trust is:

USERTrust

    PositiveSSL CA 2
         krebsonsecurity.com

I assume that USERTrust in Krebs' certificate is the same or related to The USERTRUST Network used in lotro's certificate.

Is there something silly I could have done back in ... 2011 when Comodo / UTN-USER-First-Hardware certificate signed those fraudulent certificates? Was there some "temporary" fix I could have put in the registry or hosts file or something?

Modified by Paul5358

Was this helpful to you? 0

Question owner

I created a new profile, and the problem persists.

I tried the Krebs site again and noticed that if I just type in krebsonsecurity.com and hit enter, Firefox works as expected. The problem comes when I enter https://krebsonsecurity.com/ and I found that is also true of the lotro site. Https is how the lotro link is listed in Google, but perhaps these sites don't support secure connections?

Modified by Paul5358

Was this helpful to you? 1

jscher2000

Hi Paul5358, I get a different authority signing the cert on krebsonsecurity than you do. Screen shot attached.

Was this helpful to you? 1

jscher2000

Your last reply raises a good point: if you do not need to use HTTPS to browse the site, because privacy is not a high concern, then it certainly is simpler not to.

But it still should work as designed... I'm not aware of any way to block an authority's certificates from outside of Firefox, and any changes you made inside of Firefox usually would have been limited to your old profile.

Modified by jscher2000

Was this helpful to you? 0

Question owner

The krebs certification path I listed was how Chrome displays it (attached). I didn't try Firefox the first time, but I did just now and it displays like yours. My Authorities is much smaller than yours though. Under AddTrust AB I only have the 4 Builtin Object Tokens.

Was this helpful to you? 0