We purchased an SSL certificate through DNSimple and installed it on our Heroku SSL endpoint. Now navigating to the app via SSL works fine on Chrome and Safari, but Firefox shows a "This connection is untrusted" error. Why would an SSL cert be untrusted by Firefox only?
same thing happened to me – The Internet Jun 26 '14 at 20:34
@Yarin For fixing the issue, you might also have a look at my answer on [How to disable “This Connection is Untrusted” Certificate in FireFox?](http://stackoverflow.com/questions/21709095/how-to-disable-this-connection-is-untrusted-certificate-in-firefox/37080038#37080038) Hope this helps... – Murat Yıldız May 06 '16 at 19:41
3 Answers
We figured out the problem:
The Heroku docs point to the following bundle.pem file, which DOES NOT WORK FOR FIREFOX: https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
The CORRECT bundle.pem file is at:
https://knowledge.rapidssl.com/library/VERISIGN/INTERNATIONAL_AFFILIATES/RapidSSL/AR1548/RapidSSLCABundle.txt
as indicated on the RapidSSL site.
Heroku docs need to be updated. Hopefully this saves someone else some time..
UPDATE: We reported this to Heroku and they updated their docs, so this is no longer an issue.

Those file links you pointed out are identical, as I verified [here](https://www.diffchecker.com/u65qhwix). RapidSSL seems not to be listed in the trusted SSL certificates of Firefox v36 by default. Is that the only thing you did to fix this problem? – mr5 Feb 24 '15 at 04:52
@mr5 Don't remember, it was a long time ago, but I'm sure I would have included any other steps we took here, so AFAIK that was it. – Yarin Feb 25 '15 at 05:33
Mozilla include a list of Certificate Authorities (CA) with their products, as do Google, Apple, Microsoft and others. If your certificate can be traced back to one of these, then the browsers will trust it. If not, you have to add an exception, or import the certificate into your browser.
The list of included CAs is created at the whim of the different browser makers. Some include the root CA for your certificate, and it seems Mozilla do not.
You can get a list of CAs included by Mozilla here. Check your certificate details. If the root CA is on this list, file it as a bug with Mozilla. If it's not, you could try asking them if they'll include it for the next release.
It's a problem of RapidSSL, not yours.
You should not only provide the server certificate, but should concatenate your server certificate and the INTERMEDIATE CA certificate.
Do

    $ cat ca_certificate.crt >> server_.crt

and restart your nginx.
You can find the CA certificate on the site where you bought the certificate.

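Added example, not part of any answer above and not code from the posters, Heroku or RapidSSL: the bundle mix-up in the first answer and the concatenation step in the last one both come down to what the chain file contains, so this Python sketch checks a PEM chain file for a missing or misordered intermediate by comparing each certificate's issuer with the next certificate's subject. It compares names byte for byte and does not verify signatures or trust-store membership; `fake_cert` and the `example.test` names are constructed test data.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) of one certificate as raw DER Name bytes."""
    _, pos, _ = _tlv(der, 0)                   # enter Certificate
    _, pos, _ = _tlv(der, pos)                 # enter tbsCertificate
    tag, _, end = _tlv(der, pos)               # [0] version or serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)             # serialNumber follows version
    _, _, i0 = _tlv(der, end)                  # skip signature algorithm
    _, _, i1 = _tlv(der, i0)                   # issuer is der[i0:i1]
    _, _, s0 = _tlv(der, i1)                   # skip validity
    _, _, s1 = _tlv(der, s0)                   # subject is der[s0:s1]
    return der[s0:s1], der[i0:i1]

def check_bundle(pem_text):
    """List problems in a chain file; an empty list means leaf-first and linked."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    problems = [] if certs else ["no certificates found"]
    if len(certs) == 1 and certs[0][0] != certs[0][1]:
        problems.append("leaf only: intermediate CA certificate missing")
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:     # issuer must equal next subject
            problems.append(f"cert {i} is not issued by cert {i + 1}")
    return problems

def _der(tag, body):                           # short-form lengths only (< 128)
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    """Constructed, unsigned structure with X.509 field order (test data only)."""
    def name(cn):
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    head = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
    der = _der(0x30, _der(0x30, head + name(issuer) + _der(0x30, b"") + name(subject)))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

LEAF = fake_cert("www.example.test", "Example Intermediate CA")          # constructed
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")   # constructed
```

To check a real chain file, pass its text, for example `check_bundle(open("server_.crt").read())`.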