SEC_ERROR_UNKNOWN_ISSUER in Firefox

oliver-zhou · March 15, 2017, 7:58am

Please fill out the fields below so we can help you better.

I ran this command:
In firefox, I tried to load hirevisor.com with a letsencrypt certificate unsuccessfully. Firefox reports : SEC_ERROR_UNKNOWN_ISSUER

After I refreshed, the issue went away on Firefox, but then I tested it with the latest Tor Browser based off Firefox, where this issue came up again. The issue never exhibits on Chrome, Safari, or Opera. My normal Firefox install never exhibits this issue again.

It produced this output:
SEC_ERROR_UNKNOWN_ISSUER
Something similar to this :

The owner of hirevisor.com has configured their website improperly. To protect your information from being stolen, Tor Browser has not connected to this website.

My operating system is (include version):
macOS 10.12.3 (16D32)

My web server is (include version):
Google AppEngine instance.
App Engine version: 1.9.48

My hosting provider, if applicable, is:
Google AppEngine

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes - Google Cloud App Engine

oliver-zhou · March 15, 2017, 8:50am

Narrowed down to the SSL Certificate, when I try to visit my website at https://hirevisor-149019.appspot.com/ (the underlying App Engine application that hirevisor.com redirects too) there are no issues with the SSL Certificate for the appspot.com version of my site)

tialaramex · March 15, 2017, 9:18am

While I wait for analysis to finish, I’ll go with my hunch: Incomplete chain.

You’ve got some configuration somewhere that either needs to be fed the complete chain (fullchain.pem instead of cert.pem) from Let’s Encrypt, or it needs a separate configuration entry for a chain of “additional” or “intermediate” certificates which will be in chain.pem in addition to the cert.pem setting you have already. Most likely the former.

https://www.ssllabs.com/ssltest/analyze.html?d=hirevisor.com&s=2001%3A4860%3A4802%3A34%3A0%3A0%3A0%3A15&latest

Some browsers will patch up the difference, from other sites they’ve visited, or by going off to fetch the missing certificates. But if you fix your configuration it will Just Work™ so that’s what you need to do.

oliver-zhou · March 15, 2017, 9:54am

Thanks, thats what my research was leading me to as well. Copy/Paste of
Custom Certs on Google Appengine seems perhaps lose the intermediate cert
when there are multiple certs pasted in according to anacadotal evidence on
various threads, even though the Google Appengine Custom SSL docs don’t
mention that you have to upload the file versus pasting in the cert.

system · April 14, 2017, 9:54am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SEC_ERROR_UNKNOWN_ISSUER on Ubuntu server and Apache 2.4 Server	10	7881	May 4, 2016
Site gets SEC_ERROR_UNKNOWN_ISSUER on Firefox, similar issue on Microsoft Edge Help	15	104	September 26, 2024
Firefox 42 sec_error_unknown_issuer \| lighttpd Server	8	8366	December 5, 2015
"This certificate was signed by an untrusted issuer" Server	1	2839	November 4, 2015
"This certificate was signed by an unknown authority" Server	9	14320	May 8, 2016

SEC_ERROR_UNKNOWN_ISSUER in Firefox

Related topics