Thawte CA no longer trusted
On OSX Firefox vesion 39 has removed the Thawte CA "thawte Extended Validation SHA256 SSL CA" cert causing thawte.com and several other websites to fail with "sec_error_unknown_issuer" error. Can be corrected by exporting the CA Cert from another system and importing. Can we get this cert reinstalled into firefox so as to not break SSL for no reason?
All Replies (5)
On my system, the missing cert is an intermediate certificate and Firefox trusts its signing certificate (see screen shot).
If the Firefox installation experiencing this problem was refreshed (which removes the cert8.db file) then that cert would have been removed, but when you browse a site whose cert is signed by that intermediate certificate, the site should send it to Firefox and then Firefox will save it in cert8.db again.
If the problem is that the site not sending intermediate certificates, the site configuration should be updated. Do you want to post the URL? Or you could check it here: https://www.ssllabs.com/ssltest/
Ti ṣàtúnṣe
I first noticed a problem when visiting thawte.com. By simply comparing the available CA certs I saw that that CA was missing and https://www.sslshopper.com/ssl-checker.html#hostname=thawte.com verified that it was indeed the needed cert (see original screenshot). By simply export the cert from my linux box over to my Mac I was able to fix the problem (see other screenshot). A coworker had never installed firefox previously, did a completely fresh install and saw the same error. The same export/import fixed his error. Is there a way to get firefox to repackage that Intermediate cert in the CA bundle?
Firefox never ships with intermediate certificates. Websites are supposed to send them to the browser, and then Firefox will validate them up to the trusted root. After that they appear as "Software Security Device" certificates.
After removing the cert from Firefox and reloading the page (Ctrl+Shift+r), I now get the same error you do. Since SSL Labs and the site you tested on both report that the server is indeed sending the intermediate certificate, there appears to be some glitch in Firefox processing that. I cannot figure out what the problem is from just using Firefox normally.
I downloaded and tested in PortableApps Firefox 38.0.5 and 37.0.2 and got the same issue, so I don't think it's a new problem in Firefox 39.0. Instead, perhaps there was a change in how the intermediate certificate is delivered (since it worked for me at some point in the past)??
Do you want to file a bug so people with better tools can follow up on it: https://bugzilla.mozilla.org/
Bug filed.
Bug 1185058 - Firefox is not properly trusting certain Thawte Certs
Ti ṣàtúnṣe
disable ocsp query in the option on the security tab in firefox...
rearange your time and date.
enable it in 1 day, it will re synchronize your date with the security certificate via the ocsp module
if you can go to a secure google page go to the thawte page and let me know what happen.