EmailDiscussions.com  


Runbox Forum Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc.

Old 16 Nov 2013, 06:01 AM   #1
cwrea
Member
 
Join Date: Oct 2005
Location: Mississauga, Ontario, Canada
Posts: 30
New Runbox SSL certificate not recognized by Firefox

Today, just now, when trying to connect to Runbox web securely via my PC on Firefox 24.0 and my Mac on Firefox 25.0, I'm getting the following error from each browser:
"This Connection is Untrusted
[...]
> Technical Details
runbox.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)"
Subsequently, I noticed that Runbox changed its certificate very recently, since the current certificate's issue date shows three days ago (Nov. 12, 2013).

It's been my experience, as a web developer, that some web browsers might come with the required Certificate Authority (CA) already recognized (pre-installed with the browser, or downloaded in an update), whereas other browsers require the web server to not only present its own certificate, but also the certificates of intermediate authorities that lead up to a known root, in case the browser doesn't recognize the intermediate(s). This set of certificates is the "issuer chain" that is referred to in the error message above. It's easy to forget to install the full chain and only install the one certificate for the server itself, especially if you don't test with all the browsers.

Is Runbox's server configured to offer up the certificate chain, or only its own certificate? Did Runbox test with a current version of Firefox to see if the newly-issued certificate would be recognized by that browser?

Thank you.
cwrea is offline   Reply With Quote
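
The missing-intermediate failure described in the post above can be reproduced offline with a throwaway CA hierarchy. This is an added example, not part of the original thread and not Runbox's configuration; the CA names, file names and the use of the openssl command-line tool are assumptions.

```shell
#!/bin/sh
# Constructed throwaway hierarchy: Demo Root CA -> Demo Intermediate CA -> leaf.
# Names, files and lifetimes are assumptions made up for this demonstration.

build_demo_pki() {   # $1 = empty working directory
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = unused' '[ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$d/cfg"
    # Root: self-signed, the only certificate in the client's trust store.
    openssl req -x509 -config "$d/cfg" -extensions ca -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Root CA' -days 2 \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate: signed by the root and marked as a CA.
    openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/cfg" -extensions ca \
        -out "$d/int.pem" 2>/dev/null || return 1
    # Leaf: the server certificate, signed by the intermediate.
    openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes \
        -subj '/CN=www.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
    # What each server configuration would send in the TLS handshake.
    cp "$d/leaf.pem" "$d/sent_leaf_only.pem"
    cat "$d/leaf.pem" "$d/int.pem" > "$d/sent_full_chain.pem"
}

certs_provided() {   # number of certificates in a PEM file
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Verify the leaf as a client that trusts only the root ($1 = working directory).
# $2 is the PEM file the server sent; its certificates are untrusted helpers.
client_verifies() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT
build_demo_pki "$demo_dir" || { echo 'openssl failed' >&2; exit 1; }
for sent in sent_leaf_only.pem sent_full_chain.pem; do
    if client_verifies "$demo_dir" "$demo_dir/$sent"; then r=trusted; else r='unknown issuer'; fi
    echo "$sent: $(certs_provided "$demo_dir/$sent") cert(s) provided -> $r"
done
```

A client that already has the intermediate cached or pre-installed would accept the leaf-only configuration, which is why this misconfiguration can pass testing in one browser and fail in another.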

Old 16 Nov 2013, 06:16 AM   #2
cwrea
Member
 
Join Date: Oct 2005
Location: Mississauga, Ontario, Canada
Posts: 30
Looks like it isn't just me having an issue. The Qualys SSL Labs link that Runbox posted in its own blog post on "Runbox now supports Forward Secrecy" is also reporting issues with the issuer chain:

See https://www.ssllabs.com/ssltest/anal...l?d=runbox.com

[...]

Certificates provided 1 (1470 bytes)

Chain issues Incomplete

[...]
Though I'm surprised Qualys would still report an "A" rating despite such server misconfiguration.
cwrea is offline   Reply With Quote
Old 16 Nov 2013, 06:19 AM   #3
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
We installed a new Extended Validation just now and unfortunately we had omitted an intermediate certificate. Sorry about that -- please refresh the page and you should no longer get an error.

- Geir
Geir is offline   Reply With Quote
Old 16 Nov 2013, 06:20 AM   #4
cwrea
Member
 
Join Date: Oct 2005
Location: Mississauga, Ontario, Canada
Posts: 30
Thumbs up Working now! Thanks.

I can confirm it is now working. Thank you for the quick turnaround.
cwrea is offline   Reply With Quote
Old 16 Nov 2013, 06:31 AM   #5
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Thanks for the reminder about intermediate certificates -- we have been back and forth with GlobalSign a few times and of course we only forgot the intermediate certificate when we had finally made everything else work as it should.

- Geir
Geir is offline   Reply With Quote
All times are GMT +9.