Bug 732144
| Summary: | Firefox 64bit accepts Comodo cert without intermediate certs | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeff Moe (jebba) <moe> | ||||||||||||||
| Component: | firefox | Assignee: | Kai Engert (:kaie) (inactive account) <kengert> | ||||||||||||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||||||||
| Severity: | high | Docs Contact: | |||||||||||||||
| Priority: | unspecified | ||||||||||||||||
| Version: | 15 | CC: | cesarb, gecko-bugs-nobody | ||||||||||||||
| Target Milestone: | --- | Keywords: | Triaged | ||||||||||||||
| Target Release: | --- | ||||||||||||||||
| Hardware: | x86_64 | ||||||||||||||||
| OS: | Linux | ||||||||||||||||
| Whiteboard: | |||||||||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||||
| Clone Of: | Environment: | ||||||||||||||||
| Last Closed: | 2011-12-29 18:37:42 UTC | Type: | --- | ||||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||||
| Documentation: | --- | CRM: | |||||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||||
| Embargoed: | |||||||||||||||||
| Attachments: |
|
||||||||||||||||
Created attachment 519121 [details]
sec_error_unknown_issuer
Created attachment 519122 [details]
Certificate is not trusted....
Created attachment 519123 [details]
Could not verify this certificate...
Created attachment 519124 [details]
They're High, Assurance Secure Server
Created attachment 519125 [details]
directNIC pro
Did you try with a fresh profile? Firefox caches intermediate certificates. Sorry, unable to test this. I will close this out. I thought perhaps it would set off some bells of someone who knows more, but seeing as it didn't, hopefully it is innocuous. |
Created attachment 519120 [details] This Connection is Untrusted Description of problem: With great hesitation I file this (as I may be reading the situation incorrectly), but here goes: I have a Debian Squeeze server running Apache. It comes with a number of certs installed in /etc/ssl. I got a Comodo certificate from directNIC, installed it on the server, and was able to access my https site fine on x86_64 Fedora 15 with Firefox 5 and Firefox 6. I did not install any of the intermediate certs since my first test worked, so I presumed the intermediate certs were already there by default. Weeks later I went to another Fedora machine and it was giving "This connection is untrusted" when I hit the same site. Quite baffled I tried it on all the machines we have here. All of the i686 boxes gave the warning, none of the x86_64 gave the warning. More specifically, the error was "sec_error_unknown_issuer". I'll attach screenshots. Version-Release number of selected component (if applicable): firefox-6.0-1.fc15.x86_64 ca-certificates-2011.70-2.fc15.noarch firefox-6.0-1.fc15.i686 ca-certificates-2011.70-2.fc15.noarch firefox-5.0-2.fc15.i686 ca-certificates-2011.70-2.fc15.noarch How reproducible: Well...Here's one way... Steps to Reproduce: 1. Install Debian Squeeze. ;) 2. Get a Comodo "Instant SSL Pro" certificate from directNIC.com or whomever. 3. Install the new cert for the domain in /etc/ssl/keys or wherever and set up apache to point at it. Don't install the ca-bundle.crt (with intermediate certs) that comes with the new certificate. Actual results: Works fine on x86_64, gives warning on i686. Expected results: It should give a "sec_error_unknown_issuer" warning on x86_64. Additional info: Yikes. Comodo has been known to have problems, so this is double ungood, if I'm reading the screen correctly... Lets hope not. ;)