SEC_ERROR_UNKNOWN_ISSUER in Firefox


#1

Please fill out the fields below so we can help you better.

My domain is:
hirevisor.com

I ran this command:
In Firefox, I tried to load hirevisor.com with a Let’s Encrypt certificate unsuccessfully. Firefox reports: SEC_ERROR_UNKNOWN_ISSUER

After I refreshed, the issue went away on Firefox, but then I tested it with the latest Tor Browser based off Firefox, where this issue came up again. The issue never exhibits on Chrome, Safari, or Opera. My normal Firefox install never exhibits this issue again.

It produced this output:
SEC_ERROR_UNKNOWN_ISSUER
Something similar to this:

The owner of hirevisor.com has configured their website improperly. To protect your information from being stolen, Tor Browser has not connected to this website.

My operating system is (include version):
macOS 10.12.3 (16D32)

My web server is (include version):
Google AppEngine instance.
App Engine version: 1.9.48

My hosting provider, if applicable, is:
Google AppEngine

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes - Google Cloud App Engine


#2

Narrowed down to the SSL certificate: when I try to visit my website at https://hirevisor-149019.appspot.com/ (the underlying App Engine application that hirevisor.com redirects to), there are no issues with the SSL certificate for the appspot.com version of my site.


#3

While I wait for analysis to finish, I’ll go with my hunch: Incomplete chain.

You’ve got some configuration somewhere that either needs to be fed the complete chain (fullchain.pem instead of cert.pem) from Let’s Encrypt, or it needs a separate configuration entry for a chain of “additional” or “intermediate” certificates which will be in chain.pem in addition to the cert.pem setting you have already. Most likely the former.

https://www.ssllabs.com/ssltest/analyze.html?d=hirevisor.com&s=2001%3A4860%3A4802%3A34%3A0%3A0%3A0%3A15&latest

Some browsers will patch up the difference, from other sites they’ve visited, or by going off to fetch the missing certificates. But if you fix your configuration it will Just Work™ so that’s what you need to do.
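What the incomplete-chain diagnosis above means for a verifying client, shown as an added example that is not part of the original thread. It builds a constructed throwaway root, intermediate and leaf (the CN values and the `client_accepts` helper are assumptions; the file names mirror cert.pem, chain.pem and fullchain.pem) and uses `openssl verify` to model a client that trusts only the root.

```shell
#!/bin/sh
# Constructed demo PKI: root -> intermediate -> leaf. Nothing here is a real
# Let's Encrypt file; only the cert.pem/chain.pem/fullchain.pem roles match.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

new_csr() {  # $1 = file stem, $2 = common name (constructed)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

new_csr root "Constructed Root"
openssl x509 -req -in root.csr -signkey root.key -days 1 \
  -extfile ca.ext -out root.pem 2>/dev/null
new_csr chain "Constructed Intermediate"
openssl x509 -req -in chain.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out chain.pem 2>/dev/null
new_csr cert "example.test"
openssl x509 -req -in cert.csr -CA chain.pem -CAkey chain.key -CAcreateserial \
  -days 1 -out cert.pem 2>/dev/null
cat cert.pem chain.pem > fullchain.pem   # leaf first, then intermediate

# Model a client whose trust store holds only the root.
#   $1 = PEM file the server sends in the handshake
#   $2 = optional PEM of intermediates the client already has cached
client_accepts() {
  openssl verify -CAfile root.pem -untrusted "$1" ${2:+-untrusted "$2"} \
    cert.pem >/dev/null 2>&1
}

report() {  # $1 = label, remaining args are passed to client_accepts
  label=$1; shift
  if client_accepts "$@"; then
    echo "$label: chain builds to the trusted root"
  else
    echo "$label: no path to a trusted root (unknown issuer)"
  fi
}

report "server sends cert.pem, fresh client" cert.pem
report "server sends cert.pem, intermediate cached" cert.pem chain.pem
report "server sends fullchain.pem, fresh client" fullchain.pem
```

Only the first case fails, which is why the same misconfigured site can load in one browser profile and be rejected in another.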


#4

Thanks, that’s what my research was leading me to as well. Copy/paste of custom certs on Google App Engine seems to perhaps lose the intermediate cert when there are multiple certs pasted in, according to anecdotal evidence on various threads, even though the Google App Engine custom SSL docs don’t mention that you have to upload the file versus pasting in the cert.

