Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Поиск в Поддержке

Избегайте мошенников, выдающих себя за службу поддержки. Мы никогда не попросим вас позвонить, отправить текстовое сообщение или поделиться личной информацией. Сообщайте о подозрительной активности, используя функцию «Пожаловаться».

Подробнее

Thawte CA no longer trusted

  • 5 ответов
  • 3 имеют эту проблему
  • 10 просмотров
  • Последний ответ от theshine

more options

On OSX Firefox vesion 39 has removed the Thawte CA "thawte Extended Validation SHA256 SSL CA" cert causing thawte.com and several other websites to fail with "sec_error_unknown_issuer" error. Can be corrected by exporting the CA Cert from another system and importing. Can we get this cert reinstalled into firefox so as to not break SSL for no reason?

On OSX Firefox vesion 39 has removed the Thawte CA "thawte Extended Validation SHA256 SSL CA" cert causing thawte.com and several other websites to fail with "sec_error_unknown_issuer" error. Can be corrected by exporting the CA Cert from another system and importing. Can we get this cert reinstalled into firefox so as to not break SSL for no reason?

Все ответы (5)

more options

On my system, the missing cert is an intermediate certificate and Firefox trusts its signing certificate (see screen shot).

If the Firefox installation experiencing this problem was refreshed (which removes the cert8.db file) then that cert would have been removed, but when you browse a site whose cert is signed by that intermediate certificate, the site should send it to Firefox and then Firefox will save it in cert8.db again.

If the problem is that the site not sending intermediate certificates, the site configuration should be updated. Do you want to post the URL? Or you could check it here: https://www.ssllabs.com/ssltest/

Изменено jscher2000 - Support Volunteer

more options

I first noticed a problem when visiting thawte.com. By simply comparing the available CA certs I saw that that CA was missing and https://www.sslshopper.com/ssl-checker.html#hostname=thawte.com verified that it was indeed the needed cert (see original screenshot). By simply export the cert from my linux box over to my Mac I was able to fix the problem (see other screenshot). A coworker had never installed firefox previously, did a completely fresh install and saw the same error. The same export/import fixed his error. Is there a way to get firefox to repackage that Intermediate cert in the CA bundle?

more options

Firefox never ships with intermediate certificates. Websites are supposed to send them to the browser, and then Firefox will validate them up to the trusted root. After that they appear as "Software Security Device" certificates.

After removing the cert from Firefox and reloading the page (Ctrl+Shift+r), I now get the same error you do. Since SSL Labs and the site you tested on both report that the server is indeed sending the intermediate certificate, there appears to be some glitch in Firefox processing that. I cannot figure out what the problem is from just using Firefox normally.

I downloaded and tested in PortableApps Firefox 38.0.5 and 37.0.2 and got the same issue, so I don't think it's a new problem in Firefox 39.0. Instead, perhaps there was a change in how the intermediate certificate is delivered (since it worked for me at some point in the past)??

Do you want to file a bug so people with better tools can follow up on it: https://bugzilla.mozilla.org/

more options

Bug filed.

Bug 1185058 - Firefox is not properly trusting certain Thawte Certs

Изменено NoahSUMO

more options

disable ocsp query in the option on the security tab in firefox...

rearange your time and date.

enable it in 1 day, it will re synchronize your date with the security certificate via the ocsp module

if you can go to a secure google page go to the thawte page and let me know what happen.