SSL Certificate accepted by Safari and IE but not Firefox

I recently moved my website from an old host to a new host. In the process, I also transferred the SSL certificate form the old host to the new.

HTTPS is working great and without warnings in Safari and IE, but not Firefox. The error from Firefox is "The certificate is not trusted because the issuer certificate is not trusted". The strange thing is that I did not get this error from the old server, and no exception had been added.

I am running an apache web server. Here is a snippet of my vhost config:

    SSLEngine on
    SSLCACertificateFile "/var/turbopanel/certs/0/Cert0.ca"
    SSLCertificateFile "/var/turbopanel/certs/0/Cert0.crt"
    SSLCertificateKeyFile "/var/turbopanel/certs/0/Cert0.key"

These certificates are getting grabbed correctly and the site works great, but not in Firefox.

Any thoughts on how to get this to work for Firefox?
2 Solutions
Dave Howe commented:
Probably worth looking at the certificate path in IE, and seeing if there is an intermediate certificate in IE that is not being seen in Firefox. As a test, then, import the intermediate into Firefox and see if the error goes away. If so, then you may need to add that to the crt file on the server.
retailevolved (Author) commented:
@DaveHowe: Thanks for the tip - you are exactly right as to the source of the problem.

Here's some additional info that I have discovered in my research:

* The original certificate was migrated from an nginx web server. To make intermediate certificates work on nginx, the intermediate certificate(s) are tacked on to the actual server certificate, resulting in one certificate file.

* Here's what I think is happening - IE and Safari are able to put together the certificate chain on their own, but Firefox is not.

* As an attempted fix I added SSLCertificateChainFile and pointed to a certificate containing only the intermediate files. I also removed the intermediate files from the original ticket. The result is a key, a certificate, and an intermediate certificate. Here's what is interesting about this attempt: *All* of the browsers started warning me about certificates.

* To me, it looks like Apache is completely ignoring the contents of the SSLCertificateChainFile directive. When the main certificate includes the intermediate certificates, most browsers play nice. When it is separated out, no browsers work.

I am still looking for a solution for this if anybody has any more ideas.
Dave Howe commented:
Often you can include the intermediate certificate (in PEM format, of course) in the file for the host certificate - just cut and paste it into the same file.

Paranormastic (Cryptographic Engineer) commented:
Try this instead of SSLCACertificateFile:

    SSLCertificateChainFile "/var/turbopanel/certs/0/Cert0.ca"

Alternatively, see if that line exists in your old config pointing to a different file. This should either be a standalone root certificate, or a PKCS #7 root certificate chain file that does not include the server's own SSL certificate but does include a single or, more commonly, multiple CA certificates.

If you need to convert the cert from DER to PEM you can do:

    openssl pkcs7 -inform DER -in "/var/turbopanel/certs/0/Cert0.ca" -outform PEM -out "/var/turbopanel/certs/0/Cert0_PEM.ca"

or for a standalone cert replace 'pkcs7' with 'x509' with the rest the same.
retailevolved (Author) commented:
I tried out the SSLCertificateChainFile - this still works in IE and Safari, but not Firefox.

The old config was nginx - it actually only referenced the key and the server certificate (that included the chain certificates appended to the end). I have tried a similar configuration, but it breaks in all browsers.

Did I mention this is a cheapo GoDaddy cert? I am going to call Starfield Technologies and see if they can assist.

I'll post when I know more.
retailevolved (Author) commented:
Here's the solution:

1) It never ceases to amaze me that no matter how long I've been doing this, I still make mistakes.

2) As it turns out, during my testing, I removed Starfield Technologies as a trusted CA from Firefox. A clean install of Firefox fixed the issue. Phew! I was relieved to see that my customers were not experiencing this issue.

Apologies for wasting your time, but I learned a lot from the experts here as usual.
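The thread turns on two things: whether the server hands out the intermediate (separately via SSLCertificateChainFile, or appended to the server cert as nginx does), and whether the client's trust store still holds the root (the actual cause here, a Starfield root removed from Firefox). The script below is an added example, not code from the thread; it builds a throwaway root -> intermediate -> leaf chain with openssl and runs a verifier against each of those situations. All names and files are constructed, and it assumes openssl 1.1.0 or later is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): constructed root -> intermediate -> leaf chain,
# then verification in the situations the thread discusses. No real CA is involved.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Root CA (self-signed, throwaway)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
# Intermediate CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.ext -out inter.pem 2>/dev/null
# Server (leaf) certificate, signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 \
  -out leaf.pem 2>/dev/null
# nginx-style single file: server cert first, intermediate appended after it
cat leaf.pem inter.pem > bundle.pem

# Each function returns 0 when the chain verifies, non-zero otherwise.
# Case 1: client trusts the root, but the server sends only the leaf -> fails
# ("unable to get local issuer certificate"), the symptom the asker saw in Firefox.
verify_leaf_only()      { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
# Case 2: intermediate supplied separately (what SSLCertificateChainFile sends) -> OK
verify_with_chain()     { openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1; }
# Case 3: intermediate appended to the server cert file (the nginx layout) -> OK
verify_with_bundle()    { openssl verify -CAfile root.pem -untrusted bundle.pem leaf.pem >/dev/null 2>&1; }
# Case 4: full chain sent, but the root is missing from the trust store -> fails,
# however the server is configured (the thread's real cause).
verify_root_untrusted() { openssl verify -no-CAfile -no-CApath -untrusted bundle.pem leaf.pem >/dev/null 2>&1; }

for f in verify_leaf_only verify_with_chain verify_with_bundle verify_root_untrusted; do
  if "$f"; then echo "$f: chain verifies"; else echo "$f: verification FAILED"; fi
done
```

Run against a live site, `openssl s_client -connect host:443 -showcerts` shows which certificates the server actually sends, which is the same check a browser performs before consulting its trust store.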
