Differences

This shows you the differences between two versions of the page.

kb:incomplete_cert_chain [2017/11/12 19:53] – external edit 127.0.0.1
kb:incomplete_cert_chain [2023/10/08 22:57] (current) – [[domain] uses an invalid security certificate. The certificate is not trusted because […]] dstillman
Line 1: Line 1:
-<html><p id="zotero-5-update-warning" style="color: red; font-weight: bold">We’re +===== "[domain] uses an invalid security certificateThe certificate is not trusted because […]=====
-in the process of updating the documentation for +
-<a href="https://www.zotero.org/blog/zotero-5-0">Zotero 5.0</a>. Some documentation +
-may be outdated in the meantime. Thanks for your understanding.</p></html>+
  
 +If a Zotero error report shows an error similar to the above for your institution's **proxy** or **WebDAV server** or a site you're trying to save from, there are two possibilities:
  
-=== "[Proxy or WebDAV URL] uses an invalid security certificate. The certificate is not trusted because […]" ===+  - You're connecting to a server with a "self-signed certificate". For a proxy or WebDAV server, you would need to [[cert override|whitelist the certificate]] in ZoteroThis is uncommon for public servers. 
 +  - The server is misconfigured and will need to be fixed by your IT department or the IT department of the site operator. See the technical details below for more information.
  
-== Summary ==+If you're using an institutional proxy or WebDAV server and are unsure which is the case, point your IT department to this page along with the URL from the error report.
  
-If a Zotero error report shows an error similar to the above for your institution's **proxy** or **WebDAV server**, the server is likely misconfigured and will need to be fixed by your IT departmentPoint them to this page along with the URL from the error report.+If you're getting certificate error for a zotero.org or s3.amazonaws.com URL — for example, while syncing — that's [[SSL certificate error|a different issue]].
  
-If you're getting a certificate error for a zotero.org or amazonaws.com URL — for example, while syncing — that's [[[[SSL certificate error|a different issue]].+==== Technical Details: Missing Intermediate Certificate ====
  
-== Technical Details ==+If the server isn't using a self-signed certificate (i.e., if it's chained to a root certificate that's trusted in browser stores), this error generally occurs because the server isn't serving the necessary "intermediate certificate" for secure connections, and Zotero (like Firefox, on which it is based) won't download it on its own. Without an intermediate certificate, it's impossible to determine whether the connection is secure, and the connection fails.
  
-This error generally occurs because the proxy or WebDAV server isn't serving the necessary "intermediate certificatefor secure connections, and Zotero (like Firefox, on which it is basedwon'download it on its ownWithout an intermediate certificate, it's impossible to determine whether the connection (which might include login detailsis secure, and the connection fails.+To verify that this is the case, submit the URL from the error report to the [[https://www.ssllabs.com/ssltest/|SSL Labs server test]] and view the results. If you see "Chain issues: Incompletein orange under "Additional Certificates (if supplied)", you're experiencing this issue. The report will then also say "Extra download" (instead of "Sent by server" or "In trust store") for one or more certificates listed under "Certification Paths"Alternatively, one or more bundled intermediate certificates may be listed as expired. The missing intermediate certificate(sshould be provided along with the site's primary certificate when HTTPS clients connect.
  
-To verify that this is the case, submit the URL from the error report to https://www.ssllabs.com/ssltest/ and view the results. If you see "Chain issues: Incomplete" in orange under "Additional Certificates (if supplied)", you're experiencing this issue. The report will then also say "Extra download" (instead of "Sent by server" or "In trust store") for one or more certificates listed under "Certification Paths".+Note that loading the same HTTPS URL in a browser may still work. In that case, either the browser is downloading intermediate certificates automatically (as Chrome does) or you previously loaded another site (perhaps even another from your institution) that included the intermediate certificate, which the browser cached and is using even on sites that don't serve it properlySites should always serve their intermediate certificates, however, and are misconfigured if they don't. If you create a new profile in Firefox, you should get a certificate error trying to load the same URL, which is essentially the situation Zotero is in.
  
-If you're able to load the same URL in a browser (making sure to use "https:%%//%%"), either the browser is downloading intermediate certificates automatically or you previously loaded another site of your institution's (or another institution's) that included the intermediate certificate, which the browser cached and is using even on sites that don't serve it properly. Generally speaking, though, sites should always serve their intermediate certificates and are broken if they don't. In the case of Firefox, if you create a new Firefox profile, you should get a certificate error trying to load the same URL, which is essentially the situation Zotero is in. +{{tag>kb sync}}
- +
-{{tag>kb}}+
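Review bot: The first item of the added "two possibilities" list tells users with a self-signed proxy or WebDAV certificate to whitelist it in Zotero, but gives no step for confirming that the certificate presented is the institution's own; suggest adding that the certificate's fingerprint should be confirmed with the IT department before it is overridden, since the same "not trusted" error appears for any untrusted certificate. The new heading reads "Technical Details: Missing Intermediate Certificate", yet the verification paragraph also covers bundled intermediates that "may be listed as expired"; either widen the heading or say that an expired intermediate has to be replaced on the server rather than added. The closing sentence of that paragraph could also state the fix for administrators more directly: the server should send its own certificate followed by the intermediate(s) in the handshake. Finally, the tag changes from "kb" to "kb sync" while the page itself says certificate errors during syncing with zotero.org are "a different issue", so it is worth checking that the "sync" tag will not route those users here.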
kb/incomplete_cert_chain.1510534410.txt.gz · Last modified: 2017/11/20 22:33 (external edit)