We recently went from a standard SSL certificate to a wildcard one. We use RapidSSL for our certificates. As of Firefox 23 we are getting the following untrusted connection error:

www.safelincs.co.uk uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

(Error code: sec_error_unknown_issuer)

I looked into this and believed it to be a missing intermediate certificate, so I went to the RapidSSL support page and downloaded the primary intermediate certificate (crt), then added the following line to the Apache config:

SSLCertificateChainFile /path/to/intermediate.crt

After restarting Apache successfully I ran an SSL check. The path is as follows:

*.safelincs.co.uk -> RapidSSL CA -> GeoTrust Global CA -> Equifax

I thought that this would have fixed the problem, but I am still getting the error when I visit the web site: https://www.safelincs.co.uk.

I'm no expert, obviously, but can someone please point me in the right direction? This is only happening with Firefox 23 so far that we've noticed, but it's a big issue as that makes up a large percentage of our sales customers.

Leonard Challis
  • It's a somewhat long shot, but did you clear the browser cache after changing your Apache configuration? – user Aug 20 '13 at 09:26
  • Thanks @MichaelKjörling, yes I've had other members of the team try it on their machines too, before and after upgrading from 22 to 23. Do you get the error? – Leonard Challis Aug 20 '13 at 09:27
  • No error, first visit to your site, Firefox 23.0.1 on 64-bit Windows 7 with no relevant special setup that I am aware of, `https://www.safelincs.co.uk/` appears to show just fine. The only slight disparity I see is that I don't see the Equifax root CA in the certificate hierarchy (but I didn't look around for it either). – user Aug 20 '13 at 09:31
  • When I run "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -p (with Firefox closed) and create a new profile, then check it, the error is there. – Leonard Challis Aug 20 '13 at 09:45
  • That's odd. Like I said, it was a bit of a long shot. Hopefully someone else will have a better idea. (You might want to put especially that last comment into the question, though.) – user Aug 20 '13 at 09:46

1 Answer

I found that I had to use the root certificate too. On the RapidSSL site there was an intermediate bundle that I could put in the previously mentioned intermediate.crt and it sprang to life :)

Leonard Challis
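
The difference between a chain file holding one intermediate and one holding the full bundle can be reproduced offline. The script below is an added example, not part of the original answer: it builds a constructed four-level PKI (the names `demo-root`, `upper-ca`, `issuing-ca` and `leaf` are placeholders, not the real RapidSSL or GeoTrust certificates) and validates the leaf as a client that trusts only the top of the chain. It assumes an `openssl` binary with its default configuration file is installed.

```shell
#!/bin/sh
# Constructed PKI (not the real RapidSSL/GeoTrust certificates):
#   demo-root -> upper-ca -> issuing-ca -> leaf
# The client trusts only demo-root; everything else must come from the server.

# mint NAME ISSUER [x509 options]: new key and CSR for NAME, signed by ISSUER
# (self-signed when ISSUER equals NAME).
mint() {
  name=$1; issuer=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "/CN=$name" 2>/dev/null || return 1
  if [ "$name" = "$issuer" ]; then
    signer="-signkey $name.key"
  else
    signer="-CA $issuer.pem -CAkey $issuer.key -CAcreateserial"
  fi
  # $signer is left unquoted on purpose so it splits into separate options.
  openssl x509 -req -in "$name.csr" $signer -days 2 "$@" \
    -out "$name.pem" 2>/dev/null
}

build_demo_pki() {
  PKI_DIR=$(mktemp -d) && cd "$PKI_DIR" || return 1
  # CA certificates need basicConstraints CA:TRUE or verification rejects them.
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  mint demo-root  demo-root -extfile ca.ext &&
  mint upper-ca   demo-root -extfile ca.ext &&
  mint issuing-ca upper-ca  -extfile ca.ext &&
  mint leaf       issuing-ca &&
  cat issuing-ca.pem upper-ca.pem > bundle.pem
}

# client_accepts CHAINFILE: validate leaf.pem as a client would, using the
# given file as the chain the server sends (Apache's SSLCertificateChainFile).
client_accepts() {
  openssl verify -CAfile demo-root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}

if build_demo_pki; then
  for chain in issuing-ca.pem bundle.pem; do
    if client_accepts "$chain"; then result="trusted"
    else result="unknown issuer"; fi
    echo "chain file $chain: $result"
  done
fi
```

The generated files are left in the temporary directory named by `$PKI_DIR` so the certificates can be inspected with `openssl x509 -noout -subject -issuer -in <file>`.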