Certificate failing in Firefox but works in Chrome & Safari

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
scandiawooddesigns.ca

I ran this command:
I ran WP Encrypt plugin on my WordPress site.

It produced this output:
Your current SSL certificate expires on: 05-03-2021

My web server is (include version):
I run on bravehost.net and don't know this detail

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): No.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WP Encrypt (via WordPress and the Bravehost panel)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I have no idea. I have been trying to get this WordPress site working for HTTPS but I was informed today that Firefox throws an untrusted error as the issuer is unknown (which is Let's Encrypt, which is strange as they should be known). Please help. I'm a bit of a noob on this topic but am computer savvy.

1 Like

The certificate chain is incomplete:
SSL Server Test: scandiawooddesigns.ca (Powered by Qualys SSL Labs)
There seems to be something misconfigured with that WP Encrypt panel option.
It seems to be using the cert.pem file instead of the fullchain.pem.
You should contact Bravehost about this.

1 Like

Perfect. I think that all makes sense to me. It's likely a setting that I'm doing wrong.
WP Encrypt gives three files: a CA bundle, a cert file, and a key file. Bravehost asks for a certificate and a key for upload in their SSL interface; there's also space for an optional password. I went with the cert file and the key file (no password). Should I be using the CA bundle and the key file?

2 Likes

The key is the key - that has to be used.
So, you only have two other files... and the cert file isn't it!
What other option do you have?
I mean, yes, that other file must be the correct choice then.

Wait!
Unless you have to use all of them... ? ? ?
Please show the CA bundle file - it is only public information.
[never show the key file]

1 Like

Okay, so Bravehost asks for a certificate file and a private key.
When I upload the cabundle file (cabundle.crt) along with the private key (key.pem), Bravehost leads to a 500 server error. Here's the cabundle.crt file:


When I upload the cert.crt file (similar looking contents to the cabundle but has a few extra lines) then I have the results I started with.

1 Like

Ok that one is the missing piece.
You need to combine the two files:
cert file + CA bundle file
You can do this with any text editor - like notepad
Or with a simple DOS command:
copy file1 + file2 file3
[copies file1 plus file2 into file3]

This is the cert you showed:


2 Likes
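An added example, not part of the original thread and not code from WP Encrypt or Bravehost: a Python check for the problem diagnosed above (a certificate file with no intermediate), plus the mistakes that are easy to make when combining the two files by hand. The function names and the skeletal sample certificates are constructed for illustration; the check only compares issuer and subject names and does not verify signatures.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # -> (value_start, end) of the DER element starting at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names of one certificate."""
    pos = _tlv(der, _tlv(der, 0)[0])[0]      # step into Certificate, then tbsCertificate
    if der[pos] == 0xA0:                     # skip the optional [0] version field
        pos = _tlv(der, pos)[1]
    fields = []
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        end = _tlv(der, pos)[1]
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def chain_problems(pem_text):
    """Problems with a PEM file meant for a host's 'certificate' upload field."""
    problems = []
    if "PRIVATE KEY-----" in pem_text:
        problems.append("private key in certificate file")
    if re.search(r"-----END CERTIFICATE-----[ \t]*-----BEGIN", pem_text):
        problems.append("missing newline between certificates")
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if len(names) < 2:
        problems.append("no intermediate: %d certificate(s) in file" % len(names))
    for i in range(len(names) - 1):          # each cert must be issued by the next one
        if names[i][0] != names[i + 1][1]:
            problems.append("certificate %d not issued by certificate %d" % (i, i + 1))
    return problems

# Constructed sample data: skeletal DER with only the fields the checker reads.
def _der(tag, body):
    return bytes([tag, len(body)]) + body
def fake_cert(issuer, subject):
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

LEAF = fake_cert("Constructed Intermediate", "constructed.example")
BUNDLE = fake_cert("Constructed Root", "Constructed Intermediate")
```

`chain_problems(LEAF)` reports the missing intermediate, `chain_problems(LEAF + BUNDLE)` returns an empty list, and putting the bundle first or gluing the files together without a line break is flagged.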

Okay that does it. Seems to pass the scan you've posted above and now Firefox likes the site. Thank you for your help!

2 Likes

This issue is appearing now because Firefox had the old X3 cert in its trust store, so it didn't previously have to be part of the certificate chain. Thunderbird is similarly affected: Note regarding transition to R3 intermediate with Firefox or Thunderbird

1 Like
