Certificate issue on a website Topic is solved

[nero355]

Hi guys,

I just found out that https://www.zwitserleven.nl/ shows a error related to the https certificate.
What could be the cause for this ?

www.zwitserleven.nl uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported. (Error code: SEC_ERROR_UNKNOWN_ISSUER)

How I found out about this : Firefox users have the same issue!

I am using Pale Moon for Ubuntu 20.04 LTS as recommended by the website : https://software.opensuse.org/download. ... e=palemoon

Thank you in advance & Keep up the good work!

[RealityRipple]

Site uses a self-signed certificate. No authority. No root. That's about like me saying "you can trust me because I just said you could".

[Moonraker]

yes but how can you confirm the signing authority can be trusted also.?
Trust is a strange animal.

[RealityRipple]

yes but how can you confirm the signing authority can be trusted also.?
Trust is a strange animal.

In Pale Moon's case, NSS inclusion and auditing rules and associated documents and regulations.

[Moonchild]

yes but how can you confirm the signing authority can be trusted also.?
Trust is a strange animal.

You may want to read up on certificate issuance, trust chains and trusted root certificates.

And contrary to what RealityRipple said the certificate isn't self-signed (that would be bad for an insurance provider!) but rather they have an incomplete certificate chain in their server configuration, missing one or more intermediate certificates.
To fix this they need to include the following two certificates in their server configuration:

KPN PKIoverheid Server CA 2020
Fingerprint SHA256: 592e1a2f0a34284b0e26fcb4fed22af859848eee8822adb61b42dab47a2ffdc2
Pin SHA256: Yao+RgzIlYNhXc65ch9IpKzSRFUSiL01Et8c6sN4XLU=
RSA 4096 bits (e 65537) / SHA256withRSA

Staat der Nederlanden Domein Server CA 2020
Fingerprint SHA256: 0da914fb7125f6e644eb7aa261de9eb809dc7f925b6b2a7d8a7edd8736398b5b
Pin SHA256: N9+YluTCUa/HTXc60QxjUReBLpRniAkIK2N84DhgmW4=
RSA 4096 bits (e 65537) / SHA256withRSA

While they are there they should also generate their own ECDH parameters since they are currently using public ones that makes them at risk of broken security if the public configuration key gets cracked.

[nero355]

After some further investigation that seems to be the case indeed @Moonchild

Just for my own curiosity : Can you tell me if Pale Moon uses a own library of CA's or the one included in the OS it's running on ?

Thank you in advance!

[Moonchild]

By default it uses its own trust anchors from NSS.

If required, you -can- enable reading from the Windows trust store which is usually only needed in enterprise environments, by setting security.enterprise_roots.enabled to true in about:config. Please note that if you don't need it, you should not enable this because it offers a potential attack surface for malware.