I am trying to reach an internal company website ([URL]), with a certificate chain rooted in a company certificate authority. This works fine in Chrome, and worked in Firefox on my previous computer. But i recently got a new machine, and something somewhere is not quite right. I get an error message looking like this (between the ~~~s): ~~~ Someone could be trying to impersonate the site and you should not continue. Web sites prove their identity via certificates. Firefox does not trust [URL] because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates. Error code: SEC_ERROR_UNKNOWN_ISSUER View Certificate ~~~ If i click on the error code, i get these details: ~~~ [URL] Peer's Certificate issuer is not recognised. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Certificate chain: -----BEGIN CERTIFICATE----- [certificate] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [certificate] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [certificate] -----END CERTIFICATE----- ~~~ If i click 'View Certificate', i get a chain of three certificates: # Subject common name = [certificate] # Subject common name = [certificate] # Subject common name = [certificate] If i go to Settings > Privacy & Security > View Certificates > Authorities, i can find both the [certificate] certificates. As far as i can tell, they are identical - i can open the certificate from 'View Certificate' and the corresponding one from the certificate manager and flip between tabs, and all the details are the same. I am using Firefox 120.0, via a flatpak, on Ubuntu 22. I have given the flatpak access to /etc/ssl/certs, where my company's internal CA certificates are located. To me, this seems like it should all work. The server has a certificate signed by an internal CA, which is signed by another internal CA, and both those internal CA certificates are in my certificate manager. So what is going wrong? Is there any way i can debug this?