Firefox sec_error_unknown_issuer

Posted on 2010-01-06
Medium Priority
Last Modified: 2013-12-07
Can anyone tell me why Firefox browser issues the sec_error_unknown_issuer for url: https://www.customrater.com/hello.html Server team tells me Entrust certificate and the chain certificate are in place for server. No errors from other browsers such as IE . . . just Firefox.
Question by: jreinhartas400
LVL 13

Expert Comment

ID: 26190906
You can still see the error in IE, although IE displays the page.

The problem is with the chain certificate.  Firstly double and triple check the chain certificate is installed correctly.  If you're 100% sure, log a ticket with Entrust and they will most likely send you a new chain certificate that is trusted.
LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 26191112
The root certificate is trusted in both IE and FF, so this tells me that the web server does not have the intermediate cert installed on it to push to clients.  For IE, the intermediate cert is included in the Trusted Intermediates store, so it is already aware of it.  FF3 does not contain this since they normally only track the root certificate.

As a workaround, you could export the cert from IE from the Trusted Intermediate store and install that into Mozilla to make sure you are getting a valid copy of the certificate, or download it from the AIA location from Entrust themselves:

To install to FF3 client:
Tools - Options - Advanced - Encryption - View Certificates - Authorities - Import - select the intermediate cert.

If you are the admin for this site, install that cert on the web server so others do not have to mess with this and get the warning message.  If you are not, you may want to contact that site to ask that their admin do this.

Author Comment

ID: 26192109
I will again check with the server admin for the site to ensure the chain certificate is installed.  They tell me the certificate is actually installed on the load balancer which sits in front of the two physical Web servers.  This was done to eliminate having to purchase two certificates.  Not sure if it contributes to the issue or not.

LVL 31

Expert Comment

ID: 26192939
That's fine as long as it doesn't violate the licensing for the cert vendor - most are okay with doing that but some don't like it.  They would need the whole chain installed on that load balancer then.

As a side note, if this is going to be sensitive information like PII or PCI, then hopefully they are using an internal certificate on the servers so they can encrypt the last hop between the server and the balancer, otherwise they may be in violation of policy/standards if the last hop is not encrypted.

Author Comment

ID: 26193076
One last question. . . what is meant by ". . the whole chain installed. . . "?
LVL 31

Expert Comment

ID: 26201498
Often there is more than one CA certificate, especially from commercial vendors.  There may be 2 or 3 (I've seen up to 5) CAs in the issuing chain before it gets to the "end entity" (e.g. SSL server, email user, etc.) certificate.

The following is somewhat common:
Root CA
  -- Issuing CA
     -- Your Server

In IE, there are two different CA trust stores - the root store and the intermediate store.  So the Root CA would be in the root store of the server and clients, but the Issuing CA intermediate (aka subordinate) is not necessarily there since there may be multiple intermediate CAs under the same root (e.g. if a root certificate provider offers resellers the ability to resell certificates under its root).  MS used to include intermediates but has stopped adding more to their program because the list just got too big - those that were already accepted are maintained but there will be no new members to that group like there are for the root certificates.

So each tier signs the next tier, and the client needs to validate that "chain" up to the top (the root) - if it cannot get the intermediate certs or does not trust the root then the chain gets broken during signature validation.  In order to fix this, the client could install that intermediate cert, but that would be cumbersome, so it is typically the web server's responsibility to have the root and all intermediate certificates in the chain installed so it can provide them to the client.  The digital signatures make it so the source is not as important since the signature is what is being validated - either it was issued from the root or it was not.
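The following is an added, runnable illustration of the two points made in this thread (the accepted answer's diagnosis that the server is not sending the intermediate, and the Root CA / Issuing CA / Your Server chain described just above); it is not code from the thread or from Entrust. It uses the `openssl` command line to mint a constructed three-tier chain (the names "Example Root CA", "Example Issuing CA" and "www.example.com" are made up for the demo), then runs `openssl verify` three ways: a client that trusts only the root and receives only the leaf (the situation that produces sec_error_unknown_issuer in Firefox), a server that sends the intermediate along with the leaf, and a client that already holds the intermediate locally (what IE's intermediate store, or importing the cert into Firefox, gives you). It assumes an `openssl` binary of version 1.1.1 or later and a POSIX shell.

```shell
#!/bin/sh
# Added example: build Root CA -> Issuing CA -> Server with OpenSSL and show
# when the server certificate validates.  All names are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA certificates are marked CA:TRUE and allowed to sign
# certificates; the leaf is CA:FALSE with a hostname in subjectAltName.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com\n' > leaf.ext

# Key plus CSR for each tier (RSA 2048, unencrypted keys kept only in $WORK).
mkcsr() { # $1 = file basename, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
mkcsr root "Example Root CA"
mkcsr issuing "Example Issuing CA"
mkcsr server "www.example.com"

# Each tier signs the next: root signs itself, root signs the issuing CA,
# the issuing CA signs the server certificate.
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.crt 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out issuing.crt 2>/dev/null
openssl x509 -req -in server.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out server.crt 2>/dev/null

# Case 1: client trusts only the root, server sends only its own certificate.
# The path from leaf to root cannot be built, so validation fails.
verify_leaf_only() {
  openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}

# OpenSSL's reason string for case 1; this is the analogue of Firefox's
# sec_error_unknown_issuer.
chain_error() {
  openssl verify -CAfile root.crt server.crt 2>&1 \
    | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p'
}

# Case 2: the server (or load balancer) sends leaf + intermediate, i.e. the
# "chain certificate" is installed.  -untrusted models certificates received
# from the peer: they are used for path building but are not trust anchors.
verify_with_server_chain() {
  cat server.crt issuing.crt > server-chain.pem
  openssl verify -CAfile root.crt -untrusted server-chain.pem server.crt >/dev/null 2>&1
}

# Case 3: server still sends only the leaf, but the client already holds the
# intermediate locally (IE's intermediate store, or a manual import into FF).
verify_with_client_intermediate() {
  openssl verify -CAfile root.crt -untrusted issuing.crt server.crt >/dev/null 2>&1
}

if verify_leaf_only; then echo "leaf only: OK"; else echo "leaf only: FAIL ($(chain_error))"; fi
if verify_with_server_chain; then echo "server sends chain: OK"; else echo "server sends chain: FAIL"; fi
if verify_with_client_intermediate; then echo "client holds intermediate: OK"; else echo "client holds intermediate: FAIL"; fi
```

Case 1 prints `unable to get local issuer certificate`, which is exactly the condition the thread is describing: the signature on the leaf is fine, but the verifier has nothing to check it against because the Issuing CA certificate is neither in its store nor in what the server sent. To see what a real server actually presents, `openssl s_client -connect host:443 -showcerts` lists every certificate in the handshake; if only the end-entity certificate appears, the intermediate has not been installed on the server (or, as in this question, on the load balancer that terminates TLS).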
