[No issue] Secure connection failed on a secure website (salutelazio.it) Bugzilla 1718744

[Nickoriginal]

Steps to reproduce

1. Visit the official website of the Italian Lazio Regional Health System: https://www.salutelazio.it

Expected behavior

Firefox for Android and ESR should show that the connection is secure, as it is shown on Google Chrome (both mobile and desktop), Firefox 89.0.2 and some Firefox for Android revisions.

2021-06-30_12-52-42_001.mp4

2021-06-30_13-28-43_001.mp4

Actual behavior

A "Secure Connection Failed" page is showed.

2021-06-30_12-55-34_001.mp4

Device information

• Device vendor / model and Android version: Samsung Galaxy A20s (ARM64, Android 10 (beta and nightly), Samsung Galaxy J2 Prime (ARMV7, Android 6.0.1 (stable), Acer Aspire 5742Z (Windows 10 20H2, x86, ESR)

• Firefox version:
  Nightly 2021-06-29T17:37:50.207
  91.0a1 (Build #2015819211)
  AC: 91.0.20210629143047, 8904b55efe
  GV: 91.0a1-20210629092640
  AS: 79.0.0

  Beta 90.0.0-beta.6 (Build #2015818371)
  AC: 90.0.11, 536cb9fe13
  GV: 90.0-20210624190035
  AS: 77.0.2

  Stable 89.1.1 (Build #2015812945)
  AC: 75.0.22, 5204f4025
  GV: 89.0-20210527174632
  AS: 74.0.1

  ESR 78.11.0

Big thanks to @quaqo for discovering and resolving this issue!

┆Issue is synchronized with this Jira Task

[Nickoriginal]

mozilla-mobile/focus-android#4954

[mcarare]

This is reproducible on GeckoView Example app, with ERROR_SECURITY_BAD_CERT error.

[mcarare]

Moved to bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1718744

Change performed by the Move to Bugzilla add-on.

[Nickoriginal]

No issue because in https://salutelazio.it/ missing intermediate certificate in a chain due to server misconfiguration. It is a site's web compatibility bug.
mozilla-mobile/focus-android#4954 (comment)

[quaqo]

Thanks again to @Nickoriginal for helping me debug this and find the real issue.

[Nickoriginal]

I installed a fresh copy of Firefox ESR 78, no "GlobalSign RSA OV SSL CA 2018" intermediate in about:certificate.

I visited https://salutelazio.it/ and got SEC_ERROR_UNKNOWN_ISSUER.

I visit another website with full intermediate chain for "GlobalSign RSA OV SSL CA 2018" such as:

https://www.telenet.be/

In about:certificate I got "GlobalSign RSA OV SSL CA 2018" and https://salutelazio.it/ was secure.

Here's demonstration how certificate error can be fixed on mobile browsers too using your advice. Apply it:

2021-06-30_19-21-52_001.mp4

[Nickoriginal]

My browsers on Android (Firefox Stable) and desktop (Firefox 89 and Chrome) and @quaqo's browsers on Android (Firefox Nightly and Stable) were not affected because they're already visited sites with presented intermediate certificate, in our case - "GlobalSign RSA OV SSL CA 2018".

[quaqo]

I can't reproduce the "fix" on Focus thou (for obvious reasons, I think it clears everything on close). But on my other device (Huawei Honor) as reported here it works... And I checked there's no certificate at system level.

I guess let's not go too deep as it is the webmaster's fault here.

[Nickoriginal]

@mcarare, it's time to close Bugzilla 1718744.

[Nickoriginal]

Preloading the intermediate certificates as described in bug 1520297 would also resolve this one automatically, while now it is tracked as INVALID.