Firefox does not show information about certificate chain


#1

I am using Apache 2.2.22. I have configured Apache manually to use the certificate under /etc/letsencrypt/live/⟨domain⟩/cert.pem and the certificate chain under /etc/letsencrypt/live/⟨domain⟩/chain.pem. If I access my website with Firefox 50.0, Firefox shows me no errors. However, if I show the details of the certificate in Firefox, it shows me only the information about the certificate for my domain, not the information about the certificates in the chain. Why is this?


#2

Did you add the cert manually at some point? Is there a screenshot?


#3

What do you mean by adding the certificate manually? I got it automatically put under /etc/letsencrypt/live by running certbot-auto certonly --standalone, but as I wrote above, I configured Apache manually to use the certificate (and its chain). Configuring Apache basically consisted of adding the following lines:

SSLCertificateFile      /etc/letsencrypt/live/<domain>/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/<domain>/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/<domain>/chain.pem

#4

@TCM was probably talking about manually adding the certificate to your Firefox installation (as trusted).

Can you describe what exactly you’re referring to when you say that Firefox doesn’t show information about the certificates in the chain - maybe a screenshot of what you see for your site vs. what you see on a “working” site?

The certificate UI in Firefox is different than the one in, say, Chrome; the certificate hierarchy isn’t visible in the first view you see when you inspect the certificate. You’ll have to check the “Certificate Hierarchy” section in the “Details” tab of the Certificate Viewer. That’s perfectly normal.


#5

The point is that the “Certificate hierarchy” section only shows me one line with the domain name of the website. This is actually also the case for https://community.letsencrypt.org/. For https://wikipedia.org/, on the other hand, I see three lines: “GlobalSign Root CA”, “GlobalSign Organization Validation CA - SHA256 - G2”, and “*.wikipedia.org”.


#6

That’s strange, and most likely due to something in your Firefox installation. I’d check if any of these server certificates (or anything else that’s Let’s Encrypt-related) shows up in the certificate list under Preferences > Advanced > Certificates > View Certificates, probably under Servers.


#7

It seems to me that Firefox 50.0 has a bug. When I tried again today, I was shown the full chain for both https://community.letsencrypt.org/ as well as my own website. There were three certificates shown in the hierarchy: “DST Root CA X3”, “Let’s Encrypt Authority X3”, and the certificate for the respective domain. Clicking on the first and the third certificate showed me the respective information, but clicking on the second did not change the certificate view.
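
Added example (not part of any post in this thread): one way to check what chain a server actually sends, independent of any browser's certificate viewer, is to parse the "Certificate chain" summary printed by `openssl s_client`. The sample output, the `example.org` host and the function names are constructed for illustration.

```python
import re

# Constructed sample of the "Certificate chain" summary printed by
#   openssl s_client -connect <host>:443 -servername <host>
# example.org is a placeholder; CA names are those mentioned in the thread.
LE_X3 = "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3"
SAMPLE_FULL = f"""CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.org
   i:{LE_X3}
 1 s:{LE_X3}
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
"""
# Constructed: what a server without SSLCertificateChainFile would send.
SAMPLE_LEAF_ONLY = f"Certificate chain\n 0 s:/CN=example.org\n   i:{LE_X3}\n---\n"

SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")

def parse_chain(output):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    chain, in_section, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.startswith("---"):
            break
        elif in_section and SUBJECT.match(line):
            subject = SUBJECT.match(line).group(1).strip()
        elif in_section and subject is not None and ISSUER.match(line):
            chain.append((subject, ISSUER.match(line).group(1).strip()))
            subject = None
    return chain

def chain_problems(output):
    """Name-level checks only; signatures are not verified here."""
    chain = parse_chain(output)
    if not chain:
        return ["no certificates found in output"]
    problems = []
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        problems.append("only the leaf was sent; intermediate is missing")
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            problems.append(f"{subj}: issuer does not match next certificate")
    return problems
```

An empty result from `chain_problems` means the server sent a leaf plus at least one certificate whose subject matches the leaf's issuer, so a leaf-only view in a browser comes from the client side rather than from the Apache configuration.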


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.