SSL certificate issue on Firefox


(@SenpaiMass) #1

This happens only on Firefox. Chrome accepts the certificate flawlessly.

I am using StartSSL.
Any solution to this?


(Jens Maier) #2

Sorry, I can’t reproduce that error. My Firefox and Chrome both accept your StartSSL certificate.

Try to get more information from Firefox. What does it say under the Technical Details?


(Gerhard Schlager) #3

The SSL Server Test shows that the intermediate certificate is missing. You need to concat your certificate and the intermediate certificate. Take a look at this post.


(Jens Maier) #4

Wait, what? How’d the intermediate certificate find its way into my Firefox’s certificate store? Certificates shouldn’t get cached, right?


(Gerhard Schlager) #5

Most, if not all, browsers cache intermediate certificates. Firefox does it. Chrome does it. I haven’t tested it with IE, but it probably does too.

That shouldn’t be a problem. You are already trusting the CA, so you trust all intermediate certificates as well. So, caching them makes sense.


(Michael Brown) #6

There’s nothing wrong at all with caching certificates.

It’s not as though your browser will automatically trust them - it’ll just use them to fill the gap in the certification chain.


(Jens Maier) #7

I know how X.509 works, but I’m wondering why Firefox would store the intermediary certificate in its permanent certificate store. This is not something I’d have expected and, TBH, would rather disable. :confused:


(Michael Brown) #8

Why? How is this behaviour a negative?


(Jens Maier) #9

Eh, I do have a few plausible reasons, but to be honest I’m just nit-picking. I feel a bit as if Firefox cheated me, hiding the otherwise obvious mistake that Alankrit_Choudh was asking about. :sweat_smile:


(Michael Brown) #10

You bastard - somewhere there’s a Firefox developer sobbing into his cornflakes:

“When I implemented certificate caching I was just trying to make the experience BETTER for the user, but all I have are these complaints! Nobody appreciates what I did!” :cry:

Seriously though, overall I think: It’s Firefox’s job to make the user’s experience better, but if you’re the one implementing SSL your validation tool shouldn’t be Firefox/any browser - it should be SSL Labs et al.

But I digress.


(Jens Maier) #11

Well, I didn’t know SSL Labs before and openssl s_client -status was just a few keystrokes too far away at the time. :stuck_out_tongue: Plus, I’ve had problems with StartSSL certificates before, when it took several days until a newly issued certificate would show up as valid in their OCSP responder…
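
The missing-intermediate check discussed in this thread can be run without relying on a browser's certificate cache. The following is an added example, not part of the original thread: it classifies `openssl s_client` output by the number of certificates the server sent and the final verify return code. The function name `chain_check`, the sample outputs and the `example.test` names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies `openssl s_client` output read on stdin.
# Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | chain_check
chain_check() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && $0 == "---"    { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sent++ }                        # one "N s:" line per cert sent
    in_chain && /^ +i:/        { sub(/^ +i:/, ""); issuer = $0 } # issuer of the last cert sent
    /Verify return code:/      { code = $0
                                 sub(/.*Verify return code: */, "", code)
                                 sub(/ .*/, "", code) }
    END {
      if (!sent)        { print "no chain section found"; exit 2 }
      if (code == "21") { # "unable to verify the first certificate"
        print "incomplete: server sent " sent " cert(s); missing issuer: " issuer
        exit 1
      }
      if (code == "0")  { print "complete: server sent " sent " cert(s)"; exit 0 }
      print "verify error " code; exit 3
    }'
}

# Constructed sample: the server sends only its own certificate.
sample_leaf_only() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: certificate and intermediate concatenated on the server.
sample_full_chain() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
    Verify return code: 0 (ok)
EOF
}

sample_leaf_only | chain_check || true
sample_full_chain | chain_check
```

Unlike a browser, `openssl s_client` has no cache of previously seen intermediates, so a server that omits the intermediate fails this check even when Firefox or Chrome on the same machine accepts the site.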