Hi, I had trouble visiting these two websites in Firefox, Epiphany and verifying with OpenSSL.
- Births Deaths and Marriages (Government of South Australia)
  https://bdm.cbs.sa.gov.au/bdmsaonline/dbweb.asp?dbcgm=1&prprc=oac
- Hostplus Superannuation Fund
  https://hostplus.com.au/

It appears the issue, according to ssllabs[0][1], is that the intermediate certificate is not provided to you when you visit the website. If you've visited another website with that certificate these sites will work for you as the intermediary certificates will be cached. Chrome and Internet Explorer will automatically download the certificate from the AIA URL, something that Firefox apparently won't do[2].

I was able to reproduce this issue on Debian 8, 9, Tails and Firefox on Windows 10.

On Archlinux I was able to install this certificate trivially, i.e.[3]:

  $ wget -c http://cacerts.thawte.com/ThawteRSACA2018.crt http://cacerts.geotrust.com/GeoTrustRSACA2018.crt
  $ sudo trust -v anchor GeoTrustRSACA2018.crt
  $ sudo trust -v anchor ThawteRSACA2018.crt

They were then added:

  /etc/ca-certificates/trust-source
  ├── anchors
  ├── blacklist
  ├── GeoTrust_RSA_CA_2018.p11-kit
  └── Thawte_RSA_CA_2018.p11-kit

Using OpenSSL I was then able to perform verification (this in turn allowed wget and curl to also work):

  $ openssl s_client -connect hostplus.com.au:443 -showcerts
  $ openssl s_client -connect bdm.cbs.sa.gov.au:443 -showcerts

I was also now able to visit the websites with a new Firefox profile, without getting the SEC_ERROR_UNKNOWN_ISSUER error.

I decided to try this on Debian.

  $ sudo apt-get install p11-kit
  $ wget -c http://cacerts.thawte.com/ThawteRSACA2018.crt http://cacerts.geotrust.com/GeoTrustRSACA2018.crt
  $ sudo trust -v anchor GeoTrustRSACA2018.crt
  (p11-kit:1102) files_to_attrs: parsed file: GeoTrustRSACA2018.crt
  p11-kit: no configured writable location to store anchors
  $ sudo trust -v anchor ThawteRSACA2018.crt
  (p11-kit:1104) files_to_attrs: parsed file: ThawteRSACA2018.crt
  p11-kit: no configured writable location to store anchors

1) Why doesn't this work?
2) Is it related to [4][5][6]?
3) Can I fix it?

The other way I had seen to do it was:

  $ sudo cp -vR *.crt /usr/local/share/ca-certificates
  'GeoTrustRSACA2018.crt' -> '/usr/local/share/ca-certificates/GeoTrustRSACA2018.crt'
  'ThawteRSACA2018.crt' -> '/usr/local/share/ca-certificates/ThawteRSACA2018.crt'
  $ sudo update-ca-certificates --fresh
  Clearing symlinks in /etc/ssl/certs... done.
  Updating certificates in /etc/ssl/certs...
  rehash: warning: skipping GeoTrustRSACA2018.pem,it does not contain exactly one certificate or CRL
  rehash: warning: skipping ThawteRSACA2018.pem,it does not contain exactly one certificate or CRL
  130 added, 0 removed; done.
  Running hooks in /etc/ca-certificates/update.d... done.

However the sites do not seem to work in Firefox. I did wonder whether Firefox could read that store or if it only used its own one, based on this link[7] - however that is pretty old. That is no reason, however, why it doesn't work with OpenSSL:

  Verify return code: 21 (unable to verify the first certificate)

[0]: https://www.ssllabs.com/ssltest/analyze.html?d=bdm.cbs.sa.gov.au
[1]: https://www.ssllabs.com/ssltest/analyze.html?d=hostplus.com.au
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=399324
[3]: https://wiki.archlinux.org/index.php/Ca-certificates#Trust_a_certificate_authority_system-wide
[4]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752485
[5]: https://lists.freedesktop.org/archives/p11-glue/2017-July/000673.html
[6]: https://github.com/p11-glue/p11-kit/issues/115
[7]: http://blog.xelnor.net/firefox-systemcerts/

-- 
Tyler (tya99)
rsa4096/0x9C9954F88E388859
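The condition described in the message above (the server sends only its leaf, so the issuer is in neither the handshake nor the local store, and only AIA-fetching clients recover) can be checked mechanically before anyone reaches for the trust store. The script below is an added example, not part of the message or of p11-kit/ca-certificates; it assumes the openssl CLI is installed and that the served chain was saved leaf-first from `openssl s_client -showcerts` (hostnames and URLs in the comments are constructed):

```sh
#!/bin/sh
# chain_gaps SERVED.pem TRUST.pem
#   SERVED.pem: the certificates the server sent, leaf first, e.g. saved from
#               `openssl s_client -connect host:443 -showcerts`
#   TRUST.pem:  the anchors to trust, e.g. /etc/ssl/certs/ca-certificates.crt
# Each certificate must be followed by its issuer, and the last one must be
# signed by (or be) a configured anchor.  Returns 0 for a complete chain and
# 1 for the "unable to verify the first certificate" case, printing the
# CA Issuers (AIA) URL from which an AIA-fetching client would get the issuer.
chain_gaps() {
    served="$1" trust="$2"
    work=$(mktemp -d) || return 2
    # one file per certificate (cert.1 = leaf); text outside PEM blocks is dropped
    n=$(awk -v d="$work" '/-----BEGIN CERT/ { n++; keep = 1 }
                          keep { print > (d "/cert." n) }
                          /-----END CERT/ { keep = 0 }
                          END { print n + 0 }' "$served")
    [ "$n" -gt 0 ] || { rm -rf "$work"; return 2; }
    i=1
    while :; do
        cur="$work/cert.$i"
        issuer=$(openssl x509 -in "$cur" -noout -issuer); issuer="${issuer#*=}"
        if [ "$i" -lt "$n" ]; then
            next=$(openssl x509 -in "$work/cert.$((i + 1))" -noout -subject)
            [ "$issuer" = "${next#*=}" ] || break   # cert i+1 did not issue cert i
        else
            # only TRUST.pem counts: ignore the system store the CLI would otherwise consult
            openssl verify -no-CAfile -no-CApath -CAfile "$trust" "$cur" >/dev/null 2>&1 &&
                { rm -rf "$work"; return 0; }
            break                                  # last cert reaches no trusted anchor
        fi
        i=$((i + 1))
    done
    aia=$(openssl x509 -in "$cur" -noout -text | sed -n 's/.*CA Issuers - URI://p' | head -n 1)
    subj=$(openssl x509 -in "$cur" -noout -subject)
    echo "certificate $i (${subj#*=}) lacks its issuer in the chain and trust store: $issuer"
    echo "AIA CA Issuers URL: ${aia:-none advertised}"
    rm -rf "$work"
    return 1
}
```

A non-zero result with an AIA URL is the signature of a server that omits its intermediate: Chrome will follow that URL, Firefox, wget and curl will not, and the durable fix is on the server, not in every client's trust store.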