How to Fix Incomplete SSL Certificate Chain for Apache to Ensure Firefox <36 Compatibility



When testing the SSL certificate for example.com across various platforms, we observed inconsistent behavior with older Firefox versions (<36). While modern browsers and Firefox 36+ handle the certificate correctly, legacy Firefox versions fail due to an incomplete certificate chain.

The problem stems from Firefox's unique certificate storage approach. Unlike other browsers that automatically fetch missing intermediates, Firefox <36 relies solely on its built-in certificate store. This becomes problematic when:

  • The server isn't sending all required intermediate certificates
  • The certificate chain isn't properly configured in Apache
  • Firefox's trust store doesn't contain the necessary intermediates

To fix this, you need to configure Apache to serve the complete certificate chain. Here's how to properly set up your SSL configuration:

# Apache virtual host configuration
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/intermediate_certificate.crt

Use OpenSSL to inspect your current certificate chain:

openssl s_client -showcerts -connect example.com:443 -servername example.com

This will display the complete chain being served. Compare it with what your CA provides as the full chain.

For a typical setup with Let's Encrypt certificates:

# For Let's Encrypt certificates
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
# On Apache 2.4.8+ you can instead point SSLCertificateFile at fullchain.pem
# (cert.pem followed by chain.pem) and omit SSLCertificateChainFile, which is
# deprecated there

After implementing the fix, verify using:

  1. SSL Labs test (https://www.ssllabs.com/ssltest/)
  2. Manual verification with older Firefox versions
  3. Command line checks using OpenSSL

Remember that while fixing for legacy browsers is important, you should also:

  • Monitor visitor statistics to determine if supporting very old browsers is justified
  • Consider implementing HTTP/2 for modern browsers
  • Regularly update your SSL/TLS configuration for optimal security

When dealing with SSL certificate chain issues specifically affecting older Firefox versions (<36), the problem typically stems from missing intermediate certificates. Modern browsers often have cached intermediate certs or can fetch them automatically, but older Firefox versions require the complete chain to be served by the web server.

First, let's verify your current certificate chain using OpenSSL:

openssl s_client -connect example.com:443 -servername example.com -showcerts

This command will display all certificates in the chain. You should see three components:

  • Server certificate (your domain)
  • Intermediate certificate(s)
  • Root certificate
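The chain inspection that both openssl s_client passages above describe, as an added example (not code from the original page): it parses the "Certificate chain" section that -showcerts prints, checks that each certificate is issued by the one that follows it, and reports whether the chain reaches a trusted root, which is exactly what a Firefox <36 client without intermediate fetching needs. The two transcripts and the trusted-root list are constructed stand-ins; comparing subject and issuer names takes the place of the signature checks a real client performs.

```python
"""Check the chain a server sends, from `openssl s_client -showcerts` output.
Added example: transcripts, PEM bodies ("elided") and the trusted-root list
below are constructed stand-ins, not captured from a real server."""
import re

# Subjects of roots we treat as trusted (stand-in for the browser's own store).
TRUSTED_ROOTS = {
    "C = US, O = Internet Security Research Group, CN = ISRG Root X1",
}

# Constructed transcript: server sends leaf + intermediate, as Firefox <36 needs.
COMPLETE_CHAIN = """\
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIF...elided...
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIF...elided...
-----END CERTIFICATE-----
---
"""

# Constructed transcript: misconfigured server sends only the leaf certificate.
LEAF_ONLY_CHAIN = """\
depth=0 CN = example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIF...elided...
-----END CERTIFICATE-----
---
"""

_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    lines = s_client_output.splitlines()
    for idx, line in enumerate(lines):
        m = _SUBJECT.match(line)
        if not m:
            continue
        issuer = None
        # The i: line follows the s: line (OpenSSL 3 prints a:/v: lines after it).
        for nxt in lines[idx + 1:idx + 3]:
            mi = _ISSUER.match(nxt)
            if mi:
                issuer = mi.group(1).strip()
                break
        chain.append((m.group(2).strip(), issuer))
    return chain


def check_chain(chain, trusted_roots=TRUSTED_ROOTS):
    """Return (complete, findings): complete only if every certificate is issued
    by the next one and the last one is signed by (or is) a trusted root."""
    if not chain:
        return False, ["server sent no certificates"]
    findings, linked = [], True
    for k in range(len(chain) - 1):
        if chain[k][1] != chain[k + 1][0]:
            linked = False
            findings.append(f"cert {k} is issued by '{chain[k][1]}' but cert "
                            f"{k + 1} is '{chain[k + 1][0]}': gap or wrong order")
    last_subject, last_issuer = chain[-1]
    if last_subject == last_issuer:
        # Sending the root is harmless but pointless: the client must already trust it.
        findings.append(f"root '{last_subject}' is sent unnecessarily")
        anchored = last_subject in trusted_roots
    else:
        anchored = last_issuer in trusted_roots
    if not anchored:
        findings.append(f"chain ends at '{last_subject}' without reaching a "
                        "trusted root: an intermediate is missing")
    return linked and anchored, findings


def audit(s_client_output, trusted_roots=TRUSTED_ROOTS):
    """Parse a transcript and check it in one call."""
    return check_chain(parse_chain(s_client_output), trusted_roots)


if __name__ == "__main__":
    for name, text in [("complete", COMPLETE_CHAIN), ("leaf only", LEAF_ONLY_CHAIN)]:
        print(name, audit(text))
```

To run it against a live server, pipe the real transcript in: `openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null | python3 chaincheck.py` with a small `sys.stdin.read()` wrapper, and replace TRUSTED_ROOTS with the subjects of the roots your users' browsers actually ship.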

For Apache, the intermediates have to be served alongside your certificate, in order from your certificate towards the root (the root itself is left out). Which directive takes them depends on the Apache version:

# Apache 2.4.8 and later: your certificate followed by the intermediates in one file
SSLCertificateFile /path/to/your_domain-fullchain.crt
SSLCertificateKeyFile /path/to/your_domain.key

# Apache before 2.4.8: your certificate on its own, intermediates in the chain file
# SSLCertificateFile /path/to/your_domain.crt
# SSLCertificateKeyFile /path/to/your_domain.key
# SSLCertificateChainFile /path/to/intermediate.crt

Note that SSLCACertificateFile is not an alternative here: it lists the CAs accepted for client certificate authentication and has no effect on the chain sent to browsers.

The chain file for SSLCertificateChainFile holds the intermediates only, ordered from the one that signed your certificate up towards the root (the root itself is left out). For Apache 2.4.8+ the same intermediates go after your own certificate in the file named by SSLCertificateFile. Here's how to create both:

# Apache < 2.4.8: intermediates only, the one that signed your certificate first
cat intermediate1.crt intermediate2.crt > ca-bundle.crt
# Apache 2.4.8+: your certificate first, then the same intermediates in the same order
cat your_domain.crt intermediate1.crt intermediate2.crt > your_domain-fullchain.crt
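A check on the file you built with cat before pointing a directive at it, as an added example that is not code from the original page: it splits the PEM blocks, fingerprints each decoded body, and reports the composition mistakes that produce an incomplete chain (the server certificate inside a file meant for SSLCertificateChainFile, the server certificate not first in a fullchain file, no intermediate at all, duplicates). The PEM blocks in the demo are constructed placeholders (base64 of arbitrary bytes), not real certificates; the directive semantics assumed are those of Apache before and from 2.4.8.

```python
"""Lint a certificate bundle before pointing an Apache directive at it.
Added example, not from the original page: the PEM blocks are constructed
placeholders (base64 of arbitrary bytes), not real certificates. The check
works on fingerprints of the decoded bodies, so real PEM files behave the same."""
import base64
import hashlib
import re

_PEM = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """Return the decoded bytes of every certificate block, in file order."""
    return [base64.b64decode("".join(body.split())) for body in _PEM.findall(text)]


def fingerprint(der):
    """SHA-256 over the decoded body (what `openssl x509 -fingerprint -sha256` hashes)."""
    return hashlib.sha256(der).hexdigest()


def check_bundle(bundle_text, leaf_text, directive):
    """Return a list of findings (empty means the file fits the directive).
    SSLCertificateChainFile (Apache < 2.4.8) expects intermediates only;
    SSLCertificateFile on Apache 2.4.8+ expects the leaf first, then intermediates."""
    leaf = fingerprint(split_pem(leaf_text)[0])
    blocks = [fingerprint(d) for d in split_pem(bundle_text)]
    if not blocks:
        return ["bundle contains no certificates"]
    findings = []
    if len(set(blocks)) != len(blocks):
        findings.append("bundle contains a duplicate certificate")
    if directive == "SSLCertificateChainFile":
        if leaf in blocks:
            findings.append("chain file must hold intermediates only; "
                            "the server certificate is in it")
    elif directive == "SSLCertificateFile":
        if blocks[0] != leaf:
            findings.append("server certificate must be the first block of the file")
        if len(blocks) < 2:
            findings.append("no intermediate follows the server certificate; "
                            "Firefox <36 will see an incomplete chain")
    else:
        findings.append(f"unknown directive {directive}")
    return findings


def placeholder_pem(name):
    """Construct a PEM-shaped placeholder (NOT a real certificate) for the demo."""
    body = base64.b64encode(f"constructed placeholder for {name}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = placeholder_pem("example.com leaf")
INTERMEDIATE_1 = placeholder_pem("intermediate that signed the leaf")
INTERMEDIATE_2 = placeholder_pem("intermediate above it")

# Correct files for the two directives.
CHAIN_FILE = INTERMEDIATE_1 + INTERMEDIATE_2
FULLCHAIN_FILE = LEAF + INTERMEDIATE_1 + INTERMEDIATE_2
# The common mistake: the leaf concatenated into the file meant for SSLCertificateChainFile.
WRONG_CHAIN_FILE = LEAF + INTERMEDIATE_1 + INTERMEDIATE_2

if __name__ == "__main__":
    for label, text, directive in [
        ("chain file", CHAIN_FILE, "SSLCertificateChainFile"),
        ("fullchain file", FULLCHAIN_FILE, "SSLCertificateFile"),
        ("leaf in chain file", WRONG_CHAIN_FILE, "SSLCertificateChainFile"),
    ]:
        print(label, check_bundle(text, LEAF, directive) or "ok")
```

Run it on real files by reading them with `open(path).read()` in place of the placeholders; ordering between the intermediates themselves is not checked here, since that needs the issuer and subject names that the s_client transcript shows.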

After implementing these changes, verify against the system root store rather than against your own intermediate bundle: if the intermediates are supplied locally, OpenSSL builds the chain itself and a missing intermediate on the server goes unnoticed.

openssl s_client -connect example.com:443 -servername example.com -CAfile /etc/ssl/certs/ca-certificates.crt

Look for "Verify return code: 0 (ok)" in the output. "Verify return code: 21 (unable to verify the first certificate)" means the server sent your certificate without its intermediate. The -CAfile path above is the Debian/Ubuntu root bundle; on other systems use -CApath or your distribution's bundle.

Older Firefox versions have stricter requirements. The most reliable approach is to:

  1. Include all intermediates in your chain file
  2. Ensure the root certificate is trusted in Firefox's certificate store
  3. Use the Server Name Indication (SNI) extension if supporting multiple domains

Putting this together in a virtual host:

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt
    # On Apache 2.4.8+ SSLCertificateChainFile is deprecated: point SSLCertificateFile
    # at a file holding the certificate followed by the intermediates and drop the line above:
    # SSLCertificateFile /etc/ssl/certs/example.com-with-chain.crt
</VirtualHost>