Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Next revisionBoth sides next revision
kb:incomplete_cert_chain [2019/05/16 01:18] dstillmankb:incomplete_cert_chain [2020/12/29 15:17] dstillman
Line 14: Line 14:
 If the server isn't using a self-signed certificate (i.e., it's chained to a root certificate that's trusted in browser stores), this error generally occurs because the proxy or WebDAV server isn't serving the necessary "intermediate certificate" for secure connections, and Zotero (like Firefox, on which it is based) won't download it on its own. Without an intermediate certificate, it's impossible to determine whether the connection (which might include login details) is secure, and the connection fails. If the server isn't using a self-signed certificate (i.e., it's chained to a root certificate that's trusted in browser stores), this error generally occurs because the proxy or WebDAV server isn't serving the necessary "intermediate certificate" for secure connections, and Zotero (like Firefox, on which it is based) won't download it on its own. Without an intermediate certificate, it's impossible to determine whether the connection (which might include login details) is secure, and the connection fails.
  
-To verify that this is the case, submit the URL from the error report to https://www.ssllabs.com/ssltest/ and view the results. If you see "Chain issues: Incomplete" in orange under "Additional Certificates (if supplied)", you're experiencing this issue. The report will then also say "Extra download" (instead of "Sent by server" or "In trust store") for one or more certificates listed under "Certification Paths".+To verify that this is the case, submit the URL from the error report to https://www.ssllabs.com/ssltest/ and view the results. If you see "Chain issues: Incomplete" in orange under "Additional Certificates (if supplied)", you're experiencing this issue. The report will then also say "Extra download" (instead of "Sent by server" or "In trust store") for one or more certificates listed under "Certification Paths". Alternatively, one or more bundled intermediate certificates may be listed as expired.
  
-If you're able to load the same HTTPS URL in a browser, either the browser is downloading intermediate certificates automatically (as Chrome does) or you previously loaded another site of your institution's (or another institution's) that included the intermediate certificate, which the browser cached and is using even on sites that don't serve it properly. Sites should always serve their intermediate certificates and are misconfigured if they don't. In the case of Firefox, if you create a new Firefox profile, you should get a certificate error trying to load the same URL, which is essentially the same situation Zotero is in.+If you're able to load the same HTTPS URL in a browser, either the browser is downloading intermediate certificates automatically (as Chrome does) or you previously loaded another site of your institution's (or another institution's) that included the intermediate certificate, which the browser cached and is using even on sites that don't serve it properly. Sites should always serve their intermediate certificates and are misconfigured if they don't. In the case of Firefox, if you create a new Firefox profile, you should get a certificate error trying to load the same URL, which is essentially the situation Zotero is in.
  
 {{tag>kb sync}} {{tag>kb sync}}
kb/incomplete_cert_chain.txt · Last modified: 2023/10/08 22:57 by dstillman