1

I have installed a Let's Encrypt SSL certificate for my website using Certbot (CentOS 7). Every major web browser successfully makes an HTTPS connection to my web server, except Mozilla Firefox. This is what I get as a warning in Mozilla Firefox when trying to load my website:

vozilo.rs uses an invalid security certificate. 
The certificate is not trusted because the issuer certificate is unknown. 
The server might not be sending the appropriate intermediate certificates. 
An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

Here is SSL Shopper's report.

I've been searching for the past few days for a way to solve this problem, but wasn't able to find a solution. What am I supposed to do to make Firefox load my website without an SSL warning?

Ljubisa Livac

1 Answer

3

You should serve the intermediate cert(s) in the certificate chain.
This is what the test you linked says: "The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."

I.e., the client should only be expected to have the root cert in its store of trusted certificates; you should serve the whole rest of the chain.

Look at, e.g., the SSL Labs report, where it shows:

Chain issues:   Incomplete, Extra certs

And in the chain it has constructed, it shows:

2   Extra download  Let's Encrypt Authority X3 
Fingerprint SHA256: 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg= 
RSA 2048 bits (e 65537) / SHA256withRSA

("Extra download" being the key).

Serve both your own cert and this intermediate cert, and clients with a modern trust store will be happy; with only your own cert it's more of a coin flip.

Håkan Lindqvist