SSL Certificate accepted by Safari and IE but not Firefox

Posted on 2009-12-30
Last Modified: 2012-05-08
I recently moved my website from an old host to a new host. In the process, I also transferred the SSL certificate from the old host to the new.

HTTPS is working great and without warnings in Safari and IE, but not Firefox. The error from Firefox is "The certificate is not trusted because the issuer certificate is not trusted". The strange thing is that I did not get this error from the old server, and no exception had been added.

I am running an apache web server. Here is a snippet of my vhost config:

    SSLEngine on
    SSLCACertificateFile "/var/turbopanel/certs/0/"
    SSLCertificateFile "/var/turbopanel/certs/0/Cert0.crt"
    SSLCertificateKeyFile "/var/turbopanel/certs/0/Cert0.key"

These certificates are getting grabbed correctly and the site works great, but not in Firefox.

Any thoughts on how to get this to work for Firefox?
Question by: retailevolved

    Assisted Solution

    by:Dave Howe
    Probably worth looking at the certificate path in IE, and seeing if there is an intermediate certificate in IE that is not being seen in Firefox. As a test then, import the intermediate into Firefox, and see if the error goes away. If so, then you may need to add that to the crt file on the server.

    Author Comment

    @DaveHowe: Thanks for the tip - you are exactly right as to the source of the problem.

    Here's some additional info that I have discovered in my research:

    * The original certificate was migrated from an nginx web server. To make intermediate certificates work on nginx, the intermediate certificate(s) are tacked on to the actual server certificate, resulting in one certificate file.

    * Here's what I think is happening - IE and Safari are able to put together the certificate chain on their own, but Firefox is not.

    * As an attempted fix I added SSLCertificateChainFile and pointed to a certificate containing only the intermediate files. I also removed the intermediate files from the original ticket. The result is a key, a certificate, and an intermediate certificate. Here's what is interesting about this attempt: *All* of the browsers started warning me about certificates.

    * To me, it looks like Apache is completely ignoring the contents of the SSLCertificateChainFile directive. When the main certificate includes the intermediate certificates, most browsers play nice. When it is separated out, no browsers work.

    I am still looking for a solution for this if anybody has any more ideas.

    Expert Comment

    by:Dave Howe
    Often you can include the intermediate certificate (in PEM format, of course) in the file for the host certificate - just cut and paste it into the same file.

    Accepted Solution

    Try this instead of SSLCACertificateFile:
    SSLCertificateChainFile "/var/turbopanel/certs/0/"

    Alternatively, see if that line exists in your old config pointing to a different file. This should either be a standalone root certificate, or a PKCS #7 root certificate chain file that does not include the server's own SSL certificate but does include a single or, more commonly, multiple CA certificates.

    If you need to convert the cert from DER to PEM you can do:
    openssl pkcs7 -inform DER -in "/var/turbopanel/certs/0/" -outform PEM -out "/var/turbopanel/certs/0/"

    or for a standalone cert replace 'pkcs7' with 'x509' with the rest the same.
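The chain problem discussed in the author's update and in the accepted solution, as an added example that is not part of the original thread or any poster's code: the script builds a throwaway root -> intermediate -> server hierarchy (constructed test data, not a real CA), shows that the server certificate fails to verify against the trusted root alone (the "issuer certificate is not trusted" case), and that it verifies once the intermediate is supplied, either as a separate chain file (what Apache's SSLCertificateChainFile carries) or appended to the server certificate (the nginx-style bundle). It assumes `openssl` 1.1.1 or later is on PATH; the names `verify_server` and `issuer_matches` are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway
# root -> intermediate -> server chain (constructed test data) and
# shows why a missing intermediate yields "issuer certificate is not
# trusted", and that shipping the intermediate fixes it. Needs openssl.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Throwaway root CA (self-signed)
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext \
  -out root.crt 2>/dev/null
# Intermediate CA, signed by the root
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -days 2 -in int.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out int.crt 2>/dev/null
# Server certificate, signed by the intermediate (the usual commercial CA layout)
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -days 2 -in server.csr -CA int.crt -CAkey int.key \
  -CAcreateserial -out server.crt 2>/dev/null
# nginx-style bundle: server cert first, then the intermediate appended
cat server.crt int.crt > bundle.crt

# verify_server TRUSTED_ROOT CERT [EXTRA_CHAIN]: prints ok or broken.
# Only the root is trusted, like a browser's root store; EXTRA_CHAIN plays
# the role of the intermediate(s) the server must send.
verify_server() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo broken
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo broken
  fi
}
# issuer_matches CERT ISSUER: yes if CERT's issuer DN equals ISSUER's subject DN,
# the check to run when picking which intermediate belongs in the chain file.
issuer_matches() {
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  sub=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
  [ "$iss" = "$sub" ] && echo yes || echo no
}

echo "server cert alone:            $(verify_server root.crt server.crt)"            # broken
echo "with intermediate chain file: $(verify_server root.crt server.crt int.crt)"    # ok
echo "nginx-style bundle:           $(verify_server root.crt server.crt bundle.crt)" # ok
echo "intermediate is the issuer:   $(issuer_matches server.crt int.crt)"            # yes
```

IE and Safari mask the missing intermediate by fetching or caching it on their own, so the `broken` case above is what a client with only the root in its store sees.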

    Author Comment

    I tried out the SSLCertificateChainFile - this still works in IE and Safari, but not Firefox.

    The old config was nginx - it actually only referenced the key and the server certificate (that included the chain certificates appended to the end). I have tried a similar configuration, but it breaks in all browsers.

    Did I mention this is a cheapo GoDaddy cert? I am going to call StarField technologies and see if they can assist.

    I'll post when I know more.

    Author Comment

    Here's the solution:

    1) It never ceases to amaze me that no matter how long I've been doing this, I still make mistakes.

    2) As it turns out, during my testing, I removed Starfield Technologies as a trusted CA from Firefox. A clean install of Firefox fixed the issue. Phew! I was relieved to see that my customers were not experiencing this issue.

    Apologies for wasting your time, but I learned a lot from the experts here as usual.
