invalid security certificate 11.10

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

"Secure Connection Failed" warning window appears upon launching FF.

Certificate expired 8/13/2011 11:27 PM. Current time is 10/18/2011

Note Date/Time in task bar has been changed to 10/18/2011.

This began 2 days ago.

Reproducible: Always

If you set your computer's clock to a date far in the future, and that date is past the expiration date of the certificate in question, then that is not a bug. You have simply mis-configured your computer.

I did not set my clock to a date far in the future. The clock was changed by an unknown agent/application. The warning window further states "This could be a problem with the server's configuration or it could be someone trying to impersonate the server."

Virus and Malware scans do not detect any threats.

I have since Removed TestPilot from the AddOns, and manually reset the clock to the correct date/time.

Navigating to https://testpilot.mozillalabs.com/ results in a "This Connection is Untrusted" warning, with the error code "sec_error_unknown_issuer" (The certificate is not trusted because no issuer chain was provided).

The test-pilot extension also triggers this, resulting in this dialog when starting Firefox: https://launchpadlibrarian.net/72701040/Screenshot.jpg

I think this only started happening recently (we suddenly got quite a few bug reports in Ubuntu in the last few days). It seems that the certificate is signed by an intermediate CA cert (GeoTrust SSL CA) which is not included with NSS. According to https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422, the intermediate CA cert should be installed on the server alongside your SSL cert (although, I'm merely speculating here, it could be a different issue entirely).

If I use the SSL checker at https://knowledge.geotrust.com/support/knowledge-base/index?page=content&actp=CROSSLINK&id=SO9557, it points me to the missing intermediate cert. If I import this cert, then the warnings go away.

I'm not sure which product this should be reported against. I looked in the Websites product first, but there doesn't appear to be a component specific to testpilot.mozillalabs.org.

CC'ing some people

Zandr updated the ssl certs for *.mozillalabs.com and might have not updated the intermediary certs.

This is a setting in Zeus, under SSL certificates -> specific cert -> Intermediary and you can upload it there and you should be fine. (if you need help finding it, ping me on IRC)

And Chris, you're probably bang on target :)

Chris- Good catch. I did update the cert and apparently didn't get the intermediate right. I'll get that sorted shortly.

Excellent, thanks!

OK, this is fixed, Cert checks using the geotrust tool pass.

/me closes bug, puts brown bag over head, hides in shame. :)

Hi, this bug seems to be back with version 9 (latest version) of Firefox on Windows 7 and GeoTrust certificates. Getting a "no issuer chain was provided" message. Customers are complaining at secure checkout regarding this. Geotrust tech support has been alerted but they said this is something that has to be fixed in firefox, the server, or have the customer install in their browser. Unfortunately we have no control over customer, the server is a legacy server using unchained cert. Can you manually add the Geotrust RapidSSL intermediate certificate to the latest Firefox Windows version? Curiously it seems to work properly in the Mac version of Firefox as well as all other browsers tested on Mac and Windows. You can hit https://www.web-secured.com using Firefox 9 with Windows 7 to see the "no issuer chain provided" message.