Cert not work in firefox

I created letsencrypt cert for my Apache server.
It works on IE11, Chrome, but not work in Firefox 38.3.0, it shows Error:
The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)
i check the cert, my domain is the root, there’s no “Let’s Encrypt Authority X1” or " DST Root CA X3" in the turst chain,
but if i access https://helloworld.letsencrypt.org first, then go to my web site, it works, all trust chain shows normally.
what’s the problem? Am I miss something?

update Firefox version ?

Firefox 42, same error.

what OS you using on the Firefox installed system ?

Win7 x64, Debian 7.8 same error.

Make sure you’re also sending the whole trust chain (the intermediate certificates) on the responses. That would be chain.pem (just the intermediates) or fullchain.pem (your cert plus the intermediates). For Apache, I’d use the chain.pem file with the directive “SSLCertificateChainFile” like so:

SSLCertificateChainFile "/etc/letsencrypt/live/DOMAIN/chain.pem"

2 Likes

current apache(2.2.22) vhost config:
SSLCertificateFile "/etc/letsencrypt/live/mydomain/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/mydomain/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/mydomain/chain.pem"

That looks okay based on my notes. If you’re still having issues, try running on the SSL Server Test to see if anything gets flagged as an issue. Also, you’re welcome to post your domain here and someone will probably be able to look too.

1 Like

SSL Server Test :
The server does not support Forward Secrecy with the reference browsers.
This server’s certificate chain is incomplete. Grade capped to B.
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
Chain issues: Incomplete
Certification Paths
Path #1: Trusted
1 Sent by server xxxx
RSA 2048 bits (e 65537) / SHA256withRSA
2 Extra download Let’s Encrypt Authority X1
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store DST Root CA X3 Self-signed
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate

Protocol Details:
Forward Secrecy With some browsers (more info)

It seem to be chain Incomplete, but i dont’ know how to fix it.

Well, the configuration looks okay based on what you sent. You can try to do a full stop and start to make sure the configuration files are read fresh. Beyond that, it’s more of an Apache HTTPd troubleshooting issue than Let’s Encrypt specific, as far as I can tell.

Just found a solution:

  1. wget chain file from https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem to “/etc/letsencrypt/archive/yourdomain/”
  2. edit Apache config file:/etc/apache2/mods-available/ssl.conf
    Add chain config:
    SSLCertificateChainFile “/etc/letsencrypt/archive/yourdomain/lets-encrypt-x1-cross-signed.pem”

firefox error disappeared, seem to work normally now.

4 Likes

@eswn I am running on tomcat and having the same problem. I followed @melo’s solution here: How to use the certificate for Tomcat to get letsencrypt certificate working great in Chrome. My question is what do I do to get this chain file you linked to added to my java keystore. I tried just importing it into my keystore and the import fails for alias tomcat but the import succeeds for alias root. But I try the updated keystore for the latter case in my production environment and it still does not resolve the firefox problem. What needs to happen to get letsencrypt working for tomcat and firefox?

I had this problem in IIS 8.5 after renewing my LE certs in March 2016. The first thing I had to do was install the LE intermediate cert to the server’s Intermediate Store (as explained here). Then, despite having all the necessary intermediates installed on the server, I had to remove the old LE intermediate cert and then restart IIS. I used the tool at SSLShopper to verify that this was indeed the problem – IIS was sending the X1 intermediate instead of the X3, even though both were installed on the machine. Since my SSL cert was signed with the X3 cert, Firefox would complain that the intermediate provided (X1) did not complete the chain.

1 Like

Thanks. Linking the chain file fixed it for me:) - Had the same problem.