sec_error_unknown_issuer but only with Firefox and IE6
I had the same problem - bought a basic SSL certificate (from Network Solutions), installed it under nginx, and it worked fine in both Opera and IE - but not Firefox 3.6.12. This is how I solved the problem. Note that I have root/shell access to my VPS; I don't know if you do (at least this might point your providers in the right direction).
The first step in finding the solution was using Qualys (as per this other answer). It told me that the chain was incomplete.
Second, I used OpenSSL for testing/debugging. Assuming you have shell access, you can do the command (q or CTRL-C to disconnect):
openssl s_client -connect mysite.com:443
and you will probably see the error "unable to get local issuer certificate". This is also a way to test when it's working, in the shell, without running Firefox.
SSL Certificate Chains
Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file.
Nginx configuration
In my case, I had gotten three files from Network Solutions - mysite.com.crt, AddTrustExternalCARoot.crt, and NetworkSolutionsDVServerCA.crt. There was no bundle file, but it's possible to create one from the other certificates. After some trial-and-error, I found what I needed was:
$ cat mysite.com.crt NetworkSolutionsDVServerCA.crt > mysite.com.chain.crt
The final step was to reconfigure my nginx server with the new file:
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/certs/mysite.com.chain.crt;
    ssl_certificate_key /etc/ssl/private/mysite.com.key;
    server_name mysite.com;
    # and so on
}
After getting the right certificates in the bundle, and restarting nginx, openssl reported no errors, Firefox got the page with no problem, and Qualys reported the chain was valid.
Apache configuration
Since you're running Apache, you (or your providers) need to configure it for SSL with the correct file locations, one of which is the missing intermediate chain file:
<VirtualHost 192.168.0.1:443>
    DocumentRoot /var/www/html2
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
Try the following tests on your domain:
Qualys: https://www.ssllabs.com/ssldb/index.html
DigiCert: http://www.digicert.com/help/
I've found both very handy for pinning down random SSL certificate issues.