21:30 - Wednesday, 16 April 2014

Firefox Does Not Load Certificate Chain

#Topics: firefox certificate chain, firefox certificate not loading, loading certificates in firefox

I’m running lighttpd/1.4.28 (ssl) on Debian Squeeze. I just created a http://startssl.com certificate. It runs fine in all of my browsers (Firefox, Chrome, Opera), but my users are reporting certificate errors in Firefox. I already nailed it down to a failure to load the certificate chain:

Certificate in my Firefox: http://i.stack.imgur.com/moR5x.png
Certificate in others’ Firefox: http://i.stack.imgur.com/ZVoIu.png (note the missing StartCom certificates here)

I followed this tutorial for embedding the certificate in my lighttpd: https://forum.startcom.org/viewtopic.php?t=719

The relevant parts of my lighttpd.conf look like this:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.ca-file = "/etc/lighttpd/certs/ca-bundle.pem"
    ssl.pemfile = "/etc/lighttpd/certs/www.bisaboard.crt"
}

ca-bundle.pem was created like this: cat ca.pem sub.class1.server.ca.pem > ca-bundle.pem
I grabbed the relevant files from here: http://www.startssl.com/certs/

www.bisaboard.crt was created like this: cat certificate.pem ssl.key > www.bisaboard.crt
where certificate.pem is my StartSSL Class 1 certificate and ssl.key is my SSL root key.

Do you have any idea why the second Firefox does not correctly load the certificate chain?

Your webserver doesn’t seem to present the intermediate certificates correctly; the reason it works in your own browser is probably that you’ve downloaded and installed them locally yourself.

Why don’t you just download the CA bundle they already prepared for you at http://www.startssl.com/certs/ca-bundle.crt and use that for the ssl.ca-file option?

I had a problem with exactly the same behavior: some Firefoxes were complaining about a missing chain, but not all. Adding an additional certificate chain parameter (and a file that contained all the certificates one after another) to the server config seemed to help. I’m running Apache Traffic Server myself.

That solution is also what SSLShopper suggests in the link in the comments: http://www.sslshopper.com/ssl-checker.html#hostname=www.bisaboard.de

I don’t know about lighttpd config, but there is probably an extra parameter to announce the chain file for the intermediate certificates.

I had this same problem (using node.js) and the solution was to append the sub.class1.server.ca.pem file to the ssl.crt file.

Just copy the contents of sub.class1.server.ca.pem into ssl.crt, making sure one is under the other with no space in between, and it should work.

You can read more about it here.
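An added example, not code from the question or any of the answers, for checking the bundles built with cat above: it reads PEM the way OpenSSL's line-oriented reader does, so it shows how a certificate.pem without a final newline fuses the END and BEGIN markers and silently drops the intermediate that follows, and it provides a concatenation helper that avoids that. The make_pem helper only builds constructed sample blocks (not real certificates), and the ordering rules in check_pemfile (server certificate first, exactly one key) are my assumption for an ssl.pemfile-style bundle.

```python
import base64
import binascii

def make_pem(label, payload):
    """Wrap raw bytes in a PEM block; used here only to build constructed sample data."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def parse_pem_blocks(text):
    """Line-oriented PEM read (as OpenSSL does it): returns ([(label, der_bytes)], warnings)."""
    blocks, warnings, label, body = [], [], None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if label is None:
            if line.startswith("-----BEGIN ") and line.endswith("-----"):
                label, body = line[11:-5], []
        elif line.startswith("-----END "):
            # 'cat a b' with no final newline in a gives '-----END X----------BEGIN Y-----' on one
            # line: it closes the first block, and the second BEGIN is never seen, so it is lost.
            if "-----BEGIN " in line:
                warnings.append(f"line {n}: END and BEGIN fused; the following block is lost")
            try:
                blocks.append((label, base64.b64decode("".join(body), validate=True)))
            except binascii.Error:
                warnings.append(f"line {n}: {label} block is not valid base64")
            label = None
        else:
            body.append(line)
    if label is not None:
        warnings.append(f"unterminated {label} block")
    if text.count("-----BEGIN ") != len(blocks):
        warnings.append(f"{text.count('-----BEGIN ')} BEGIN markers but {len(blocks)} usable blocks")
    return blocks, warnings

def cat_pem(*parts):
    """Join PEM texts so every block starts on its own line, whatever the input files end with."""
    return "".join(p.strip() + "\n" for p in parts)

def check_pemfile(text):
    """Assumed ssl.pemfile layout: server CERTIFICATE first, then intermediates, one private key."""
    blocks, warnings = parse_pem_blocks(text)
    labels = [label for label, _ in blocks]
    if not labels or labels[0] != "CERTIFICATE":
        warnings.append("first block must be the server CERTIFICATE")
    if sum(lab.endswith("PRIVATE KEY") for lab in labels) != 1:
        warnings.append("expected exactly one private key block")
    return labels, warnings
```

Compare check_pemfile(cat_pem(cert, intermediate, key)) with check_pemfile(cert.rstrip("\n") + intermediate + key): the second reproduces what plain cat does when certificate.pem has no trailing newline and reports the fused boundary and the lost block.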