Firefox is not importing signed intermediate certificate automatically
I have installed a certificate and an intermediate certificate on a website. It works in all browsers, except "some" Firefoxes.
On my mac in Firefox 3.6.8, if I look in my root certificate list, I can see a Geotrust Global CA - but not a Geotrust DV SSL CA.
Geotrust Global CA is the root CA. Geotrust DV SSL CA is my intermediate certificate - signed by Geotrust Global CA.
If I use openssl s_client to test the ssl connection to the server, I am given both the sites certificate and the intermediate certificate.
Back to my Firefox, when I visit the website, it is displayed without any trouble or warning. If I look in the Certificate list, Geotrust DV SSL CA is now automagically imported. Which is just fine and by design (as far as I understand).
But a customer of mine is also running mac and Firefox 3.6.8 - same version as me. I looked at his certificate list, initially it looks the same, he has Geotrust Global CA but not Geotrust DV SSL CA. But when he visits the exact same website, a warning is displayed that his browser doesn't trust the issuer of the certificate.
I wonder, is there an option or anything that could make my customers and my Firefox behave differently? ( same platform, same version )
All Replies (14)
Firefox automatically installs intermediate certificates if you visit a website that sends them. Your above posted steps suggest that the server doesn't send all the needed intermediate certificates.
You can use a website like this to check that:
http://www.networking4all.com/en/support/tools/site+check/
The server *does* send all needed certificates - I have checked this with both openssl s_client - and now with your link to networking4all.
On networking4all it says: "The SSL Certificate for {DOMAIN} is signed by GeoTrust DV SSL CA which is signed by GeoTrust Global CA" - and at the bottom all 3 certificates in the chain are shown.
Furthermore, my own Firefox imports the intermediate certificate just fine. But a couple of my customers, who are running Firefox, do not. Instead it issues a warning about unknown_issuer. Same OS, same browser and version.
That leaves me back at my question: "I wonder, is there an option or anything that could make my customers' Firefox behave differently from, i.e., my Firefox?" - hence theirs are *not* importing and accepting the intermediate .. and mine is.
( The certificate works fine in all other major browsers, chrome, ie, safari etc. )
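The reply above rests on reading the chain that `openssl s_client` prints back. The following script is an added example, not code from the original thread or from any of its posters: it parses the ` s:` / ` i:` subject and issuer lines that `openssl s_client -showcerts` emits for each certificate the server sends, checks that each certificate's issuer is the subject of the next one, and checks that the chain ends at a root the client trusts. A server that omits the intermediate (the failure mode discussed in this thread) shows up as a chain whose last issuer is not a trusted root. The two sample outputs and the trusted-root set are constructed for illustration (PEM bodies elided), using the GeoTrust names from the thread; `check_chain.py` is a hypothetical file name.

```python
"""Check the certificate chain a server presents, from `openssl s_client -showcerts` output.

Added example (not from the original thread). Pipe real output in, e.g.:
    openssl s_client -connect www.example.com:443 -servername www.example.com \
        -showcerts </dev/null 2>/dev/null | python3 check_chain.py
With no stdin it runs against the constructed sample below.
"""
import re
import sys

# Constructed sample of the "Certificate chain" section that s_client -showcerts prints
# (PEM bodies elided). A complete chain: leaf -> GeoTrust DV SSL CA -> GeoTrust Global CA.
SAMPLE_COMPLETE = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust DV SSL CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust DV SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
---
"""

# Constructed sample of the same server with the intermediate never configured:
# only the leaf is sent, so a client without a cached intermediate cannot build a path.
SAMPLE_MISSING_INTERMEDIATE = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust DV SSL CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
---
"""

# Hypothetical trust store, keyed by root subject. A real check would consult the
# browser's or operating system's root store instead of this constant.
TRUSTED_ROOT_SUBJECTS = {"/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA"}

_SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")  # " 0 s:/CN=..."
_ISSUER_LINE = re.compile(r"^\s*i:(.*)$")           # "   i:/CN=..."


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    chain = []
    pending_subject = None
    for line in s_client_output.splitlines():
        m = _SUBJECT_LINE.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = _ISSUER_LINE.match(line)
        if m and pending_subject is not None:
            chain.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return chain


def check_chain(chain, trusted_roots=TRUSTED_ROOT_SUBJECTS):
    """Walk the chain: every issuer must be the next certificate's subject, and the
    final certificate must be issued by (or be) a trusted root.
    Returns (ok, problems); problems is a list of human-readable findings."""
    problems = []
    if not chain:
        return False, ["server sent no certificates"]
    for idx in range(len(chain) - 1):
        issuer = chain[idx][1]
        next_subject = chain[idx + 1][0]
        if issuer != next_subject:
            problems.append("cert %d is issued by %r but cert %d has subject %r"
                            % (idx, issuer, idx + 1, next_subject))
    last_subject, last_issuer = chain[-1]
    if last_issuer not in trusted_roots and last_subject not in trusted_roots:
        problems.append("chain ends at %r (issued by %r), which is not a trusted root: "
                        "the server is not sending the intermediate(s) that link to a root"
                        % (last_subject, last_issuer))
    return not problems, problems


if __name__ == "__main__":
    data = SAMPLE_MISSING_INTERMEDIATE if sys.stdin.isatty() else sys.stdin.read()
    ok, problems = check_chain(parse_chain(data))
    print("chain OK" if ok else "\n".join(problems))
```

The linkage check only compares names, which is what decides whether a client can even attempt path building; it does not verify signatures or expiry, so a chain that passes here can still fail for a stale or revoked intermediate of the kind later replies in this thread describe.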
I am having this issue also.
It is in relation to: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1423
All check tools show the server functioning correctly.
I had a similar problem and it turned out to be our Cisco switch in front of our servers. We have an ACE load balancer that needed the intermediate cert installed as a "Chain Group Parameter" and then associated with our site. Hopefully this helps somebody else because there isn't a lot out there on the net about this.
This must be a bug with Firefox. It only happens on *some* installations on windows machines - and no other browsers. We have the same issue on a couple of our sites and they all check out just fine when running them through validation checks such as http://www.networking4all.com/en/support/tools/site+check/ or an open ssl client.
If this was a general cert issue then it wouldn't check out when running validators and it would also not work on other browsers. The odd one out here is Firefox. Hopefully they will fix it on the next release.
If the server sends all the certificates and there are still problems then it is possible that visitors have an older version of an intermediate certificate installed that is causing problems. In such a case it helps if you remove the intermediate certificate and let Firefox store a new version. Deleting or removing cert8.db in the Firefox Profile Folder has the same effect, but that does remove all stored intermediate and other user certificates and that may be too much.
I've looked at browsers that are having the problem and they don't have any of the intermediate certs downloaded. So clearing them out won't help. The issue is that FF is not downloading them in the first place.
In any case, a business can't have their customers go through a process like above - especially if they don't call tech support to begin with and just leave the site (and never come back). FF would need to sort it out for them by seeing if the CA is expired and then attempting to download a current one.
Yes, Firefox appears to have some SSL caching issue.
Recently re-installed a RapidSSL certificate, and began having these issues. They recently updated their root I believe. And now some Firefox installs throw up root verification errors, while others don't.
Chrome and IE work fine. Maybe I should look into other SSL certificates, but this is definitely a Firefox issue.
Did you check your website via the Geotrust SSL checker?
The server needs to send the full certificate chain and in case of a RapidSSL certificate that includes the RapidSSL root certificate that links to the issuer of that (GeoTrust) certificate.
If Firefox has stored an older version of the certificate then you can remove that from the certificate manager and install (import) the updated version yourself if a website doesn't send it.
- Tools > Options > Advanced : Encryption: Certificates - View Certificates : Authorities
I have started getting Error 61 "You have not chosen to trust GeoTrust DV SSL CA the issuer of the certificate..." when I try to use citrix metaframe. I noticed that GeoTrust revoked GeoTrust Global CA. Could that be part of the problem? It's very frustrating.
That is a problem with Citrix and not with Firefox.
You need to add that (root) certificate to the Citrix database.
I have the same issue on one Firefox (3.6.17 ) browser. I have verified the server is correctly serving ALL certificates - including the correct GeoTrust intermediate cert using:
http://www.sslshopper.com/ssl-checker.html https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO9557
- and -
http://www.networking4all.com/en/support/tools/site+check
The networking4all test page will show how the certificates are chained, and will show if the correct certs are available.
This appears to be a problem with Firefox.
Has anyone found a solution?
Can you please post a link to the site that gives problems?
It is possible that you have an older intermediate certificate installed.
You can check that in the Certificate Manager and remove it to make Firefox store the certificate sent by the server.
Also make sure that the date and time on your computer are correct.
I haven't read all of the reply posts, but if someone hasn't already mentioned this, this worked for me:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
-br3wski3