Firefox ver 7x: SSL_ERROR_UNKNOWN_CA_ALERT error when trying to visit CAcert.org

Symptoms

Firefox version 70 and above refuses to display CAcert sites, such as https://www.cacert.org or https://wiki.cacert.org, and does not offer a client certificate selection. The error page displays SSL_ERROR_UNKNOWN_CA_ALERT. Other browsers display these sites with no problems.

Cause

CAcert has changed its root certificates. Your legacy client certificate may therefore have been signed with a previous root certificate (Class 1, # 000000, or Class 3, # 0A418A). Such a client certificate contains the number of a signing root certificate that has already been replaced with a new one (Class 1: # 00000F, Class 3: # 00000E).

[Screenshot: Certificate Manager]

Since version 70, Firefox checks these bindings for all of your client certificates. Once it finds a certificate whose signing root certificate number no longer exists in its internal store, it (probably by mistake) reports the error and refuses to display the site, even if some of your client certificates have already been signed with a new root certificate.

Solution

Open Certificate Manager: Options - Privacy & Security - Certificates (at the bottom of the page) - View Certificates button. Select the Your Certificates tab. Go through all certificates issued by CAcert (recommended: start from the oldest one).

View each certificate. If the General tab shows at the top of the page that the certificate could not be verified, and the root chain is missing from the Certificate Hierarchy in the upper frame of the Details tab, you will need to delete that client certificate.

[Screenshots: the General tab and the Details tab of a certificate that is OK]

After deleting all these "orphans", close Certificate Manager and close Firefox. The CAcert sites will be displayed after the next launch.
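
The same orphan check can be run from a shell with `openssl verify`, assuming the client certificates and the current CAcert roots have been exported as PEM files. This is an added example, not part of the original FAQ and not CAcert's or Mozilla's code. The names `find_orphans` and `demo` are hypothetical, and the demo builds throwaway stand-in roots rather than using CAcert's real ones.

```shell
#!/bin/sh
# find_orphans CA_BUNDLE.pem CERT.pem [CERT.pem ...]
# Prints the file name of every certificate that does not chain to a root
# in CA_BUNDLE.pem. Note: an expired certificate also fails verification.
find_orphans() {
    bundle=$1
    shift
    for cert in "$@"; do
        if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
            basename "$cert"
        fi
    done
}

# Constructed demo: an "old" and a "new" root, each issuing one client
# certificate. Only the new root is trusted, as after a root replacement.
demo() {
    d=$(mktemp -d)
    for r in old new; do
        # Self-signed stand-in root (constructed, not a CAcert root)
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Demo $r root" \
            -keyout "$d/$r-root.key" -out "$d/$r-root.pem" 2>/dev/null
        # Client key and signing request
        openssl req -newkey rsa:2048 -nodes -subj "/CN=user-$r" \
            -keyout "$d/$r.key" -out "$d/$r.csr" 2>/dev/null
        # Client certificate issued by this root
        openssl x509 -req -in "$d/$r.csr" -days 1 \
            -CA "$d/$r-root.pem" -CAkey "$d/$r-root.key" -CAcreateserial \
            -out "$d/client-$r.pem" 2>/dev/null
    done
    # Trust only the new root; the certificate from the old root is the orphan
    find_orphans "$d/new-root.pem" "$d/client-old.pem" "$d/client-new.pem"
    rm -rf "$d"
}

demo
```

Certificates listed by `find_orphans` are the candidates for deletion in Certificate Manager.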


FAQ/Firefox-CAcert (last edited 2019-11-24 09:35:59 by AlesKastner)