Letsencrypt certificate not secure in Firefox only

I have a valid letsencrypt certificate for my NS 7.3 server installed and default.
I show a secure connection in Chrome, IE, Edge, but in Firefox I get the following error:

office.mydomain.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

Looking at the certificate in Firefox shows,

Could not verify this certificate because the issuer is unknown
Issued To:
Organization (O)
Organization Unit (OU)

Issued By:
Organization Unit (OU)

I used the Server Certificate section of the NS web interface to request the LE cert.

What’s the output of:

openssl x509 -in /etc/pki/tls/certs/localhost.crt -issuer -noout

or the results of the webpage https://crt.sh/?q=office.mydomain.com (for your domain)


BTW, I think you would also be interested in https://cipherli.st/ and:

issuer= /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

Criteria Identity = ‘office.mydomain.com

Certificates
crt.sh ID Logged At ⇧ Not Before Issuer Name
98492303 2017-03-02 2017-03-02 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3

Perhaps, you could try to generate a new (stronger) certificate/key using certbot:

I get the following error running that command:

The requested apache plugin does not appear to be installed

Do you know if doing it manually like this, saying I do get it to work, will show the new cert in the NS web interface?

Yes, you have to install the Apache plugin of certbot manually: yum install python-certbot-apache

and I would recommend to add the option --staple-ocsp for better compatibility to Nethserver…

I’ve encountered this with owncloud. I had to flush the cache in Firefox then navigate back to owncloud. In my case it was where I was using Firefox to configure the server prior to installing my certbot cert which held the self signed cert which caused the error once the proper cert was installed.

1 Like

I had thought of that, so cleared cache, and I also used In-Private and still had untrusted certificate, tried another PC, same thing, but must have been on that computer before cert as well, as I just tried a PC I knew wasn’t logged into server before, and bam, good certificate!
Firefox must not delete all of cache somehow, or something, and In-Private doesn’t work the same as Chrome, but at least I know now my cert is good, thanks.

2 Likes

Glad to hear you isolated the problem. A couple of things you can check for a permanent fix: make sure the clock on the PC(s) you’re using Firefox on has the correct time as per your server. Also clear browsing data, history and cookies, auto fill data, pretty much everything to a date prior to you logging onto the server to configure it. I think I cleared mine for the previous 30 days when I went through this to get mine working.

1 Like
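
The Firefox message quoted at the top of the thread says the server "might not be sending the appropriate intermediate certificates". The following is an added example, not part of any post in this thread, that checks for exactly that condition from `openssl s_client -showcerts` output. The function names and the sample output are constructed for illustration, and HOST is a placeholder.

```shell
#!/bin/sh
# Added example. Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null 2>/dev/null | check_chain

# Emit "index<TAB>subject<TAB>issuer" for each entry under "Certificate chain".
chain_entries() {
    awk '
        /^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ +i:/        { sub(/^ +i:/, ""); printf "%s\t%s\t%s\n", idx, subj, $0 }
    '
}

# Return 0 if certificate 1 is the issuer of the leaf (certificate 0),
# 1 if the server sent the leaf only, 2 if certificate 1 is not the leaf's issuer.
check_chain() {
    entries=$(chain_entries)
    count=$(printf '%s\n' "$entries" | awk 'NF { n++ } END { print n + 0 }')
    leaf_issuer=$(printf '%s\n' "$entries" | awk -F'\t' '$1 == "0" { print $3 }')
    next_subject=$(printf '%s\n' "$entries" | awk -F'\t' '$1 == "1" { print $2 }')
    if [ "$count" -lt 2 ]; then
        echo "INCOMPLETE: $count certificate(s) sent, intermediate missing: $leaf_issuer"
        return 1
    elif [ "$leaf_issuer" != "$next_subject" ]; then
        echo "MISMATCH: leaf issued by '$leaf_issuer' but certificate 1 is '$next_subject'"
        return 2
    fi
    echo "OK: $count certificates sent, leaf issuer matches certificate 1"
}

# Constructed s_client output (not captured from a real server): leaf plus intermediate.
sample_full() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=office.mydomain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
EOF
}

# Constructed s_client output: the server sends only its leaf certificate.
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=office.mydomain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
EOF
}

sample_full | check_chain
sample_leaf_only | check_chain || true
```

An OK result means the server side of the chain is complete, which points the investigation at client-side state such as the cached self-signed certificate described in this thread.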