istopwg / website

PWG.org web site code
Apache License 2.0

Website flagged as not secure by Firefox 47.0 #6

Closed wifiprintguy closed 8 years ago

wifiprintguy commented 8 years ago

When I try to load the pwg.org login page in Firefox (on either Ubuntu 16.04 or OS X 10.11.5) the page is blocked and the user sees a page like the one in the screenshot below.

[screenshot: Firefox "connection is not secure" page, loading blocked for TLS for www.pwg.org]

If I dig into this, it seems that we are using a certificate authority that doesn't seem to have a CA cert that is distributed with Firefox. Here is the list of the CAs in Firefox 47.0:

[screenshot: Firefox 47.0 CA certificate list; no Let's Encrypt Authority X3 CA listed]

And here is the Page Info dialog from Firefox, which doesn't provide a "View Certificate" button like SeaMonkey does:

[screenshot: Firefox Page Info dialog for the www.pwg.org TLS page]

And here is the Certificate Info page from SeaMonkey, which has it but I don't quite know why / how I got it:

[screenshot: SeaMonkey certificate chain info dialog for the TLS www.pwg.org page]

[screenshot: SeaMonkey CA list; Let's Encrypt is there]

I'm not sure what to do here other than to either choose a different CA or get Firefox to support our CA so that we don't look dodgy.

michaelrsweet commented 8 years ago

Sigh... I switched us to "Lets Encrypt" SSL certs when I did the VM upgrade, and Mozilla is one of the major sponsors of that project...

What version of Firefox are you using?

wifiprintguy commented 8 years ago

47.0 on my MBP, running OS X 10.11.5. Something close to that on my Ubuntu 16.04 system, but I don't have it with me right now.

I'll try it on a clean system as well - it is weird that SeaMonkey was fine with it but Firefox is not... I just tried SeaMonkey 2.40 on a PC that I don't use often, and it complained as well about it being an insecure connection. The CA list in that SeaMonkey on the PC is lacking the Let's Encrypt Authority X3 and Let's Encrypt Authority X1 as well. I don't recall installing those on my Mac, and they are listed as residing in my "Software Security Device" (the certificate store file used by Mozilla browsers, equivalent to Keychain files). And looking at the SeaMonkey privacy policy document (http://www.seamonkey-project.org/legal/privacy) I don't see anywhere that they get CA updates, so I'm guessing they were installed via an earlier install or that I accepted that CA cert somehow in the course of using the SeaMonkey browser with the website...

wifiprintguy commented 8 years ago

What is also interesting is that on my OS X laptop, there is no "Let's Encrypt Authority X3" in the "System Roots" keychain. But there is a DST Root CA X3, and the "Let's Encrypt Authority X3" is an intermediate for that. So the OS X / Safari certificate evaluation logic is fine if the root CA is present but the intermediate is not.

The "DST Root CA X3" CA is installed in SeaMonkey and Firefox, but the Mozilla codebase seems to want the direct parent (the intermediate CA) or else it fails the certificate.

jhcloos commented 8 years ago

Comparing with a working site secured via lets encrypt, www.pwg.org only sends its own cert (sn: 0368183bd96e6a75fe97a2e561653afee758), but not any intermediate certs.

My (working) site also sends the C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3 cert (sn: 0a0141420000015385736a0b85eca708) which is signed by: Issuer: O=Digital Signature Trust Co.,CN=DST Root CA X3.

Adding an SSLCertificateChainFile directive to the Apache site config should fix it. Mine looks like:

    SSLCertificateFile /etc/letsencrypt/live/${HOSTNAME}/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/${HOSTNAME}/chain.pem

(with the actual hostname of course).

-JimC

James Cloos cloos@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6
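To see concretely what jhcloos describes above (a server presenting only its leaf certificate, and a client that happens to have the intermediate on hand validating it anyway), here is an added example that is not code from the istopwg/website repo or from anyone in this thread. It builds a throwaway root, intermediate and leaf with the openssl CLI and runs openssl verify both with and without the intermediate. The CA names, the hostname www.example.test and the file layout are made up for the demo; the file passed as -untrusted stands in for whatever extra certificates the client has available, whether sent in the handshake (certbot's chain.pem via Apache's SSLCertificateChainFile) or cached from an earlier visit, as SeaMonkey's "Software Security Device" had.

```shell
#!/bin/sh
# Added example, not code from the istopwg/website repo. Builds a throwaway
# root -> intermediate -> leaf PKI with openssl and shows why a server that
# sends only its leaf certificate fails validation unless the client already
# holds the intermediate. All names (Example Root, Example Intermediate,
# www.example.test) are made up for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create root.pem (the trust store), inter.pem (stands in for Let's Encrypt
# Authority X3) and leaf.pem (stands in for the www.pwg.org server cert).
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=Example/CN=Example Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=Example Intermediate" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/inter.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

    # Same layout as certbot's fullchain.pem: leaf first, then the intermediate.
    cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/fullchain.pem"
}

# verify_as_client ROOTS LEAF [EXTRA]: validate LEAF against the trust store
# ROOTS. EXTRA is the untrusted intermediate material the client has: what the
# server sent in the handshake, or an intermediate cached from an earlier visit.
# Returns 0 on success, non-zero when no path to a trusted root can be built.
verify_as_client() {
    roots=$1; leaf=$2; extra=${3:-}
    if [ -n "$extra" ]; then
        openssl verify -CAfile "$roots" -untrusted "$extra" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$roots" "$leaf" >/dev/null 2>&1
    fi
}

# cert_count FILE: number of PEM certificates in FILE (1 for cert.pem, 2 or more
# for fullchain.pem); a quick check of what a server-side file actually contains.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

make_pki
echo "certs in leaf.pem: $(cert_count "$WORK/leaf.pem"), in fullchain.pem: $(cert_count "$WORK/fullchain.pem")"
if verify_as_client "$WORK/root.pem" "$WORK/leaf.pem"; then
    echo "leaf only: OK (unexpected)"
else
    echo "leaf only: FAIL, unable to get local issuer certificate (what Firefox saw)"
fi
if verify_as_client "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem"; then
    echo "leaf + intermediate: OK (client given chain.pem, or holding a cached intermediate)"
fi
```

Run it with sh; it prints one line per case. The first case is the situation in this issue: with only leaf.pem available, verification fails even though the root is trusted, because the client cannot link the leaf to that root without the intermediate. The same check against a live server is `openssl s_client -connect host:443 -showcerts`, counting how many certificates the handshake actually carries.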

michaelrsweet commented 8 years ago

Try it now - I was passing the concatenated cert + chain file to Apache (which used to work) but with current Apache (since the upgrade) it stopped working. Added the separate chain file...

wifiprintguy commented 8 years ago

Sorry for the delay. Looks good - no more site security problem notices in Firefox (47.0.1)