Sec_error_unknown_issuer

Hi,

If I connect to my site via SSL I get an error message
when I use Firefox;
I get no error when using Internet Explorer.

Translated error message from German:

Do not trust the certificate
because the issuer is unknown.

Sometimes we can connect with no problems,
sometimes we get this error message every time.

We have been working with your certificates for years without any error.

Thanks if anybody has an idea
what the problem could be.

If I verify our certificate with:
"certbot certificates"

everything is fine and installed like it should be.

Cheers, Mike


Is your webserver Apache httpd?

Is there a load balancer in place here?

This may be completely unrelated...
But I found this to be a very strange response:

curl -6 mail.mididoc.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://mail.mididoc.com:8080">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at mail.mididoc.com Port 80</address>
</body></html>

Whereas neither IPv4 nor HTTP responded at all; and port 8080 seems to be closed to all access.

Hi everybody,

I found the reason.
In fact it was a Firefox problem.
The certificate database ("cert8.db") was not updated,
I don't know the reason.
Maybe the connection to update it came too late, who knows ...

Anyway, since the database is up to date now, everything is working as it should.
So the issue can be closed now as resolved.

Cheers, Mike

PS.
To answer the questions:
Yes, we have Apache for the sites,
but the SSL is only for Webmin.
Also, Webmin access is limited to our IP for security reasons.

Thanks to all. It is resolved.


@mike1950r Check to see what your certificate chain is. Your ACME client may have installed a chain going directly to "ISRG Root X1" on the last renewals, and not the (soon to be expired) cross-signed intermediates by "IdenTrust DST Root X3".

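The chain check suggested above can be reasoned through with a small model of how a browser builds a path from the server's chain to a root in its trust store. The following is an added example written for this page, not code from the thread or from any Let's Encrypt or Mozilla project: it models only subject and issuer names and validity periods (no signature checks, no real X.509 parsing), uses the CA names mentioned in the thread with their published expiry dates to the best of my knowledge, and a constructed leaf hostname. It shows why a trust store that lacks "ISRG Root X1" (a stale cert8.db) reports an unknown issuer for the short chain, why the longer chain through the cross-signed intermediate works for such a store only until "DST Root CA X3" expires, and why an updated store takes the short path either way.

```python
"""Simplified X.509 path building: why a client whose trust store lacks
"ISRG Root X1" reports an unknown issuer for a chain that ends there.
Added example; it models names and validity periods only, not signatures."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# The Let's Encrypt / IdenTrust certificates as they stood in 2021
# (published expiry dates, day precision); the leaf is constructed.
LEAF = Cert("www.example.test", "R3", date(2021, 11, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))       # self-signed root
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))   # cross-signed copy
DST = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))        # expired 2021-09-30

# What the server sends (leaf first), in the two configurations discussed.
SHORT_CHAIN = [LEAF, R3]               # chain terminating at ISRG Root X1
LONG_CHAIN = [LEAF, R3, ISRG_CROSS]    # chain via the cross-signed intermediate

# Trust stores: a stale cert8.db without ISRG Root X1, and an updated one.
STALE_STORE = {c.subject: c for c in [DST]}
UPDATED_STORE = {c.subject: c for c in [DST, ISRG_SELF]}

BEFORE_DST_EXPIRY = date(2021, 9, 1)
AFTER_DST_EXPIRY = date(2021, 10, 15)


def build_path(cert, provided, anchors, today, visited, expired):
    """Depth-first search from `cert` towards a trust anchor.

    Returns the list of subjects leaf..anchor, or None.  Expired certificates
    are skipped and their subjects recorded in `expired` for the caller."""
    if cert.not_after < today:
        expired.add(cert.subject)
        return None
    anchor = anchors.get(cert.issuer)
    if anchor is not None:
        if anchor.not_after >= today:
            return [cert.subject, anchor.subject]   # reached a valid trusted root
        expired.add(anchor.subject)
    # No usable anchor for this issuer name: try every provided cert whose
    # subject matches it.  A cross-signed CA has two certs with one subject.
    for cand in provided:
        if cand.subject == cert.issuer and cand not in visited:
            rest = build_path(cand, provided, anchors, today, visited | {cand}, expired)
            if rest:
                return [cert.subject] + rest
    return None


def verify_chain(provided, anchors, today):
    """Return ("ok", path), or (reason, sorted names of expired certs seen)."""
    expired = set()
    path = build_path(provided[0], provided, anchors, today, frozenset(), expired)
    if path:
        return "ok", path
    if expired:
        return "expired issuer", sorted(expired)
    return "unknown issuer", []   # the outcome Firefox labels SEC_ERROR_UNKNOWN_ISSUER


if __name__ == "__main__":
    for name, chain, store, today in [
        ("short chain, stale store", SHORT_CHAIN, STALE_STORE, BEFORE_DST_EXPIRY),
        ("short chain, updated store", SHORT_CHAIN, UPDATED_STORE, BEFORE_DST_EXPIRY),
        ("long chain, stale store, before DST expiry", LONG_CHAIN, STALE_STORE, BEFORE_DST_EXPIRY),
        ("long chain, stale store, after DST expiry", LONG_CHAIN, STALE_STORE, AFTER_DST_EXPIRY),
        ("long chain, updated store", LONG_CHAIN, UPDATED_STORE, AFTER_DST_EXPIRY),
    ]:
        print(f"{name}: {verify_chain(chain, store, today)}")
```

Real validators also check signatures, name constraints and key usage, and report finer-grained error codes than the two reasons modelled here; the point of the model is the search itself, which is why a client's trust store contents decide whether the same served chain validates.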

Hi jvanasco,

thanks for your tip.

These are the details (in German):

Cheers, Mike


Wow, that's odd. The "DST Root" is quite old and in virtually all operating systems and browsers; the "ISRG Root" didn't start getting included in Firefox's trust store until about 4 years ago. Perhaps Firefox was corrupted somehow and the certificate database needed to be rebuilt?


Firefox seems to be quite strict in terms of SSL. I'm not sure why.


Hi jvanasco,

I confirm the certificate database needed to be rebuilt.

I deleted the cert8.db,
started Firefox, wanted to enter my SSL site,
got the error message about the certificate,
inserted the exception rule,
then entered my SSL site,
exited my site,
removed the exception,
and from then on my SSL site was accepted as secure.

Very strange issue and handling.

Cheers, Mike

Firefox ships with its own certificate trust store, and doesn't use the operating system storage. They go into details on their decision here: https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/

Chrome has announced they are adopting this model in the near future.