The certificate is not trusted because no issuer chain was provided

Could anyone explain the meaning of this error message in plain English?

Should I add an exception, or should I not continue on this website?

Technical details: the URL is here, the browser is Firefox 14.0.1 on Ubuntu 12.04 LTS.

Konqueror 4.8.2 says for the same link:
The certificate authority's certificate is invalid
The root certificate authority's certificate is not trusted for this purpose


UPDATE: I did not do anything with my browser and now it magically works, no error message. A mystery.

Solution 1:

It looks like you are missing an intermediate CA (Certificate Authority).

Certificates are only trusted because they are signed by a trusted certificate authority (the issuer), which is in turn signed by another trusted CA, up to those listed as explicitly trusted by whatever is verifying them (a root CA). Browsers (and OSes) come with a list of root CAs. See here for more details. Wikipedia also has a very nice explanation of just about every aspect.

The website certificate appears to specify AlphaSSL as its issuer, which in turn specifies GlobalSign Root CA. So that's the chain - the website's certificate does not mention GlobalSign Root CA anywhere so if either of the two in the chain is missing, Firefox will complain.

Screenshot of certificate


Could you verify GlobalSign/AlphaSSL exists in your Firefox certificate authorities list?

  1. Open the Certificate Manager (Tools => Options => Advanced => Encryption => View Certificates)

  2. Check on the Authorities tab for the AlphaSSL CA - G2. It should be under GlobalSign nv-sa.

    Also check for GlobalSign Root CA.

    Screenshot of certificate manager

  3. Select GlobalSign Root CA, click Edit Trust, and verify that it is allowed to identify websites. At least for me, AlphaSSL did not have that permission.


If the root CA is missing, try resetting your certificate store. Basically, delete (or rename) cert8.db, secmod.db and cert_override.txt from your profile folder.

If the intermediate certificate is missing, well, it's the responsibility of the server operator to serve the intermediate certificate along with the root. You should contact them and let them know. If you want, you can grab the intermediate certificate elsewhere - these sites sometimes work for some people because they have a cached intermediate that's already trusted.


You might also want to try clearing your cache in Firefox.


This might also be an issue with the CA being missing from your system stores, which would explain why Konqueror is also affected. I know that, at least on Windows, Firefox ignores the system's certificate store. I'm not familiar with how Ubuntu (or Firefox on Ubuntu) manages certificates, but the issue is the same: you appear to be missing a CA. You'll need to add it.

Alternatively, you could add the site's certificate to the exceptions list. Since you are missing a CA, there's a chance other sites will display a similar error - the only reason not to add the CA is if you don't trust them. This site's certificate seems to be valid, at least according to my system (though CAs can revoke certificates). Of course, unless you can somehow verify a certificate as valid, do not add an exception.

Solution 2:

Some secure web-sites with certificates from trusted authorities have incorrect configuration such that they don't include a chain of intermediate certificates of trust when serving their own certificate.

If you have a system/browser that has seen its share of valid certificates, such intermediaries may already be cached, and you won't be getting any error messages, even if their web-server configuration is still wrong as above.

However, if you're using a freshly installed browser on a fresh system, and such intermediaries weren't cached yet, and the certificate presented by the web-server is missing an appropriate chain of intermediaries, then you get an error message.

Here's an official explanation by a Mozilla developer in a Mozilla.org mailing list:

http://www.mail-archive.com/[email protected]/msg02155.html

Bottom line: it is the fault of the web-site, even if it only happens in your freshly installed browser, and works fine elsewhere.


How they've fixed it in plain English:

They bought their certificate from a reseller of trust, and their web-server must have only been serving one certificate — their own — which your browser doesn't trust directly, since they bought it from a reseller you've never heard of.

Now, instead of serving just one certificate, they serve two right at the same time — their own ("*.upc.biz") and that of some certificate reseller ("AlphaSSL CA - G2"), and the certificate of such reseller completes the trust, since you now see that someone whom you trust ("GlobalSign Root CA") has vouched for such reseller of trust.

You can see more details about exact names involved here:

http://www.digicert.com/help/?host=web.upc.biz

Some other web-sites buy their certificates directly from a trusted authority, and not from a reseller, so, they only need to serve their own certificate, and everything will still be tip-top.

For example, linode.com bought their certificate directly from Equifax, which Mozilla trusts directly, so there's no need for Linode to include any copies of any certificates other than their own.
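The following is an added example, not part of the original answers: it builds a throwaway root, intermediate and website certificate with `openssl` and verifies the website certificate the way a client holding only the root would, first with the intermediate withheld and then with it supplied. The CA and host names are constructed placeholders, and a standard `openssl` install with its default configuration file is assumed.

```shell
#!/usr/bin/env bash
# Constructed three-level PKI; all names are placeholders, not the real CAs.
WORK=$(mktemp -d)

make_chain() {
  # Root CA: self-signed, plays the role of a CA already in the browser's store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null || return 1
  # Intermediate CA (the "reseller"): signed by the root and marked as a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" \
    2>/dev/null || return 1
  # Website (leaf) certificate: signed by the intermediate, not by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null || return 1
}

# Verify the leaf as a client that trusts only the root.
# $1 (optional): file holding the extra certificates the server sent along.
verify_as_client() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
  fi
}

make_chain || { echo "openssl could not build the sample chain" >&2; exit 1; }
echo "Server sends only its own certificate:"
verify_as_client
echo "Server sends its own certificate plus the intermediate:"
verify_as_client "$WORK/int.pem"
```

Against a live site, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.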

Solution 3:

Could anyone explain the meaning of this error message in plain English?

upc.biz wants you to type in personal details.

To reassure you that upc.biz is a website being run by UPC, upc.biz has presented you with a certificate saying "you can trust upc.biz, I vouch for them" signed Joe Smith.

You have no idea who Joe Smith is. You have a list of signatures of people that the Mozilla project say you can probably trust to introduce you to other people who are probably who they say they are; Joe Smith isn't in that list of signatures (Certifying Authorities).

The certificate is therefore worthless.


You can test this by cutting your full upc.biz URL and pasting it into the certificate tester at http://www.digicert.com/help/ - though that is aimed at people who set up certificates in sites like upc.biz, not at people who access those sites.


Also, http://www.schneier.com/blog/archives/2010/09/uae_man-in-the-.html is a good read.