问题
We have installed the certificate chain on our Load balancer. When we visit the site in chrome, we don't get any issue and the chain in visible.
But, in certain versions of Firefox the certificate chain is not displayed and hence we get the "The connecting is untrusted error".
What could be causing this, we have cleared the cache. But the certificate is not getting displayed with the chain.
回答1:
This is typically the case if the chain is not send (fully) by the server (or in this case the load balancer). Chrome looks for this missing chain certificates by itself while Firefox does not. But Firefox caches intermediate certificates from earlier connections to other sites so if the right sites were visited before then the missing certificates are already known by Firefox and will be used to complete the trust chain. But if you would use a fresh Firefox profile no certificates are cached and thus you get the validation error.
Browsers are not a good tool to check what is actually sent by the server. A better tool is openssl s_client. If the site is public accessible you might also check it against SSLabs which also shows if the chain sent by the server is incomplete and which certificates are missing from the chain.
来源:https://stackoverflow.com/questions/34082585/certificate-chain-not-visible-in-firefox