Firefox 42 sec_error_unknown_issuer | lighttpd


#1

Hello,

Everything is working fine under Chrome, Chromium, Edge, Safari, but i have problem with Firefox, i’ve tried 41 and 42, both have the same error: “sec_error_unknown_issuer”.
I have tested config at ssllabs.com, it’s available here:
https://www.ssllabs.com/ssltest/analyze.html?d=samorobki.pl

Server got B grade, so it’s fine i think.
Web server is lighttpd, ssl config:

$SERVER[“socket”] == “:443” {
ssl.engine = "enable"
ssl.ca = "/etc/letsencrypt/live/samorobki.pl/chain.pem"
ssl.pemfile = “/etc/letsencrypt/live/samorobki.pl/certkey.pem” // cert + key in one file
ssl.use-compression = "disable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+$
ssl.honor-cipher-order = "enable"
ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
ssl.ec-curve = “secp384r1”

}

I tried to put chain+cert+key into one file but there were no difference.


#2

I just tried samorobki.pl here and firefox 41.0.2 failed as you said. I then tried one of mine area51.onl and the same firefox accepted the cert.

So to me there’s something missing on your side? NB: I’m using Apache2 which is why I’m thinking that as FF41 is accepting it.


#3

If there will be no simple solution, then i’ll have to migrate to nginx.


#4

Hi @vein86, the SSL Labs report is explaining that the server is not serving the complete chain correctly, which explains why some clients would get this error. Are you sure that the chain.pem file you’re using is the one that was created by the client? Are you sure that the ssl.ca option is the right place to configure the cert chain in lighttpd? Is it possible that it should be ssl.ca-file instead of ssl.ca, for example?


#5

Tested with firefox 42, running nginx, no error. (Firefox is not the real issue I think)
@vein86 could you try that :

ssl.ca = "/etc/letsencrypt/live/samorobki.pl/fullchain.pem"

#6

Hey, Great advice @schoen :slight_smile: problem was in ssl.ca instead of ssl.ca-file :slight_smile: Now everything works fine :smile:


#7

BTW I can recommend: https://whatsmychaincert.com/ :wink:


#8

@vein86

I tested your website samorobki.pl on a Mac, OSX 10.10.5 and Firefox version 42.
Google Chrome and Safari are OK.

But, Firefox does not trust the connection:
www.samorobki.pl uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. (Error code: sec_error_unknown_issuer)

Did you change your settings ?

UPDATE.
Sorry … I turned off the antivirus software Avast Mac Security that “protects !!!” browsers like Safari, Chrome and Firefox.
After I turned off the antivirus “web” protection your website worked GREAT !!


#9

I was able to figure this out: Lighttpd usable chained file

Basically you need to combine your cert and private key. You also need to set ssl.ca-file to point to the chain.pem.