Sec_error_unknown_issuer

mike1950r · January 4, 2021, 11:23pm

Hi,

if i connect to my site via ssl i get error message,
when i use firefox,
get no error when using internet-explorer.

translate error message from german:

Do not trust the certificate
cause the issuer is unknown.

sometimes we can connect no problems,
sometimes we get always this error message.

we have been working with your certificates for years without any error.

thanks if anybody has an idea,
what could be the problem.

if i verify our certificate with:
"certbot certificates"

everything is fine installed like it should be.

cheers mike

_az · January 4, 2021, 11:27pm

Is your webserver Apache httpd?

Litbelb · January 4, 2021, 11:49pm

Is there a load balancer in place here?

rg305 · January 5, 2021, 3:43am

This may be completely unrelated...
But I found it to be a very strange response:

curl -6 mail.mididoc.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://mail.mididoc.com:8080">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at mail.mididoc.com Port 80</address>
</body></html>

Whereas, IPv4, nor HTTP responded at all; and port 8080 seems to be closed to all access.

mike1950r · January 5, 2021, 4:14pm

Hi everybody,

i found the reason.
In fact it was a firefox problem.
the certificate database was not updated, ("cert8.db")
don't know the reason.
may be to late connection to update, who knows ...

anyway, since the database is uptodate now, everything is working as it should.
so the issue can be closed now as resolved.

cheers mike

Ps.
To answer the questions:
Yes we have apache for the sites,
but the ssl is only for webmin.
also webmin access is limited to our ip for security reasons.

thanks to all. is resolved.

jvanasco · January 5, 2021, 4:36pm

@mike1950r Check to see what your certificate chain is. Your ACME client may have installed a chain going directly to "ISRG Root X1" on the last renewals, and not the (soon to be expired) cross signed intermediates by "IdenTrust DST Root X3".

mike1950r · January 5, 2021, 9:30pm

hi jvanasco,

thanks for your tip.

These are the details (in german)

cheers mike

jvanasco · January 5, 2021, 9:55pm

Wow, that's odd. The "DST Root" is quite old and in virtually all operating systems and browsers; the "ISRG Root" didn't start getting included into Firefox's trust store until about 4 years ago. Perhaps firefox was corrupted somehow and the certificate database needed to be rebuilt?

Litbelb · January 6, 2021, 12:02am

Firefox seems to be quite strict in terms of SSL. I’m not sure why.

mike1950r · January 6, 2021, 2:38pm

hi jvanasco,

i confirm certificate database needed to be rebuilt.

i deleted the cert8.db
started firefox, wanted to enter my ssl site
got error message about the certificate
inserted the exception rule
now entered my ssl site
exit my site
removed the exception
and from then on my ssl site was accepted as secure

very strange issue and handling.

cheers mike

jvanasco · January 6, 2021, 6:47pm

Firefox ships with it's own Certificate Trust store, and doesn't use the operating system storage. They go into details on their decision here: https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/

Chrome has announced they are adopting this model in the near future.