SSL sec_error in 'standalone' web app, full browser ok


I have set up a local webserver in a virtual machine for testing Firefox web apps. That server has also been set up as a certificate authority to avoid the 'risk messages' for local testing, and I signed a certificate for the webserver.

So, calling the web app in Firefox displays no more warnings.

Installing the web app as 'standalone' still displays an alert (messagebox):

The certificate is not trusted because no certificate issuer chain was provided. (Error code: SEC_ERROR_UNKNOWN_ISSUER) (translated by Google Translate)

Dem Zertifikat wird nicht vertraut, weil keine Zertifikatsausstellerkette angegeben wurde. (Fehlercode: sec_error_unknown_issuer) (German message)

I am using Apache 2.2 and OpenSSL on debian_wheezy_64 and I think I have done everything all right; I can't figure out what the standalone web app is missing with that SSL error message.

Update: As it seems that the standalone web app environment does not know anything about the Firefox browser certificates (chain), I configured the webserver (mod_ssl virtualhost) to provide a direct chain to the (self) root CA:

SSLCertificateChainFile /path_to/ca.crt

Now the problem is that, maybe because the standalone environment does not know the certificate authorities added to Firefox, the sec_error now says

The certificate is not trusted because the issuer certificate is not trusted

I think it makes sense (or no sense...) if the standalone environment has its own certificate management, so the question is how to tell the standalone environment that I trust the (self) root CA.

1 answer

antiduh

You need to configure the standalone environment with a default trusted certificate chain - "The certificate is not trusted because no certificate issuer chain was provided"

When you install Firefox, it comes preconfigured with a set of certificates that it trusts by default. Any certificates whose signature chain terminates at the top with one of these preconfigured certificates will be automatically trusted. For instance, I use Opera on Windows and by default it trusts a whole host of certificate authorities: [Screenshot of Opera's default trusted CAs]

You probably need to configure your standalone environment with a list of default trusted certificate authorities.
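
The two error messages in the question can be reproduced offline with a throwaway CA. This is an added example, not part of the question or the answer; `openssl verify` is used only as a stand-in client (an assumption, the standalone runtime has its own certificate library), and every file name and CN is constructed.

```bash
#!/usr/bin/env bash
# Added example: all names, CNs and paths below are constructed for the demo.

make_ca() {  # $1 = file prefix, $2 = CA common name
cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1.cnf" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_pki() {  # $1 = working directory
    make_ca "$1/ca" "Local Test Root CA"       # the self-made root CA
    make_ca "$1/other" "Some Preinstalled CA"  # stands in for the app's own store
    openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=testserver.local" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 2 -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# Case 1: server sends only its leaf; the client's store lacks the root.
verify_no_chain()   { openssl verify -CAfile "$1/other.crt" "$1/server.crt"; }
# Case 2: server also sends the root (the SSLCertificateChainFile change).
# -untrusted means "received from the peer"; it never becomes a trust anchor.
verify_chain_sent() { openssl verify -CAfile "$1/other.crt" \
                          -untrusted "$1/ca.crt" "$1/server.crt"; }
# Case 3: the root has been imported into the client's own trust store.
verify_ca_trusted() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt"; }

demo() {
    dir=$(mktemp -d) && make_pki "$dir" || return 1
    for c in verify_no_chain verify_chain_sent verify_ca_trusted; do
        if "$c" "$dir" >/dev/null 2>&1; then echo "$c: trusted"
        else echo "$c: rejected"; fi
    done
    rm -rf "$dir"
}
demo
```

Only the third case verifies: a root delivered by the server changes which error is reported, but trust comes solely from the verifying client's own store.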