How to FIX SEC_ERROR_UNKNOWN_ISSUER
On websites that need to be secured (the address starts with "https: //"), Firefox must verify that the certificate provided by the website is valid. If the certificate cannot be verified, Firefox will stop connecting to the website and display instead of a page with the "Warning: Potential Security Risk" error. This article explains why you can see the error code "SEC_ERROR_UNKNOWN_ISSUER", "MOZILLA_PKIX_ERROR_MITM_DETECTED" or "ERROR_SELF_SIGNED_CERT" on websites and how to fix it.
What does this error code mean?
During a secure connection, the website must submit a certificate issued by a trusted certificate authority in order for Firefox to verify that the user is connected to the required website and the connection is encrypted. If you click the Advanced button on the page with the error "Warning: potential security risk" and see the error code "SEC_ERROR_UNKNOWN_ISSUER" or "MOZILLA_PKIX_ERROR_MITM_DETECTED", this means that the certificate was issued by a certification authority that is not known to Firefox and therefore cannot be trusted default.
Third-party antivirus software may interfere with secure Firefox connections. We recommend that you remove your third-party software and use the security software offered by Microsoft for Windows instead:
- Windows 7 - Microsoft Security Essentials;
- Windows 8 and Windows 10 - Windows Defender (integrated);
If you do not want to remove your third-party software, you can try reinstalling it, which may cause the software to place its certificates in the trusted Firefox repository again.
Monitoring/filtering in corporate networks
Some traffic monitoring/filtering products used in corporate environments can intercept encrypted connections, replacing the website certificate with their own, which may cause errors on secure HTTPS sites. If you suspect this is your case, please contact your IT department to find out how to properly configure Firefox to work correctly in such an environment, since the necessary certificate may need to be placed in the trusted repository first Firefox certificates. More information on what needs to be done for IT can be found on the Mozilla Wiki CA: AddRootToFirefox page.
Some types of malware that intercept encrypted web traffic can cause a similar error message - see the article Troubleshooting Firefox caused by malware to find out how to resolve malware problems.
The error appears only on a specific site.
If you encounter this problem only on a specific site, this type of error usually indicates that the webserver is not configured correctly. However, if you see this error on genuine large sites such as Google or Facebook, or sites where financial transactions are conducted, you must follow the steps outlined above.
Missing intermediate certificate
On a site with a missing intermediate certificate, you will see the following error description after clicking Advanced on the error page:
- There is no trust in the certificate because the certificate of its publisher is unknown;
- The server may not have sent the corresponding intermediate certificates;
- You may need to import an additional root certificate;
- The website certificate may not have been issued by a trusted certificate authority, or a complete chain of certificates has not been provided to a trusted certificate authority (there is no so-called "intermediate certificate");
- You can verify that the site is configured correctly by entering the website address into a third-party tool, for example, on the SSL Labs test page. If it returns the result "Chain issues: Incomplete", then there is no proper intermediate certificate. You should contact the owners of the website you are experiencing access problems to inform them of this problem.
Self Signed Certificate
On a site with a self-signed certificate, you will see the error code ERROR_SELF_SIGNED_CERT and the subsequent description of the error after you click Advanced on the error page:
- There is no trust in the certificate, as it is self-signed;
- A self-signed certificate issued by an unrecognized certificate authority is not trusted by default. Self-signed certificates can protect your data from listening, but they do not say anything about who is the recipient of the data. This is common for intranet sites that are not accessible to the general public, and you can bypass the warning for such sites.
The error appears on many secure sites
If you encounter this problem on a multitude of unrelated HTTPS sites, this indicates that something on your system or network intercepts your connection and injects certificates in a way that Firefox does not trust. In most cases, anti-virus software scans encrypted connections or listens for malware, replacing legitimate website certificates with their own. In particular, it displays as the error code "MOZILLA_PKIX_ERROR_MITM_DETECTED" if Firefox can detect that the connection is being intercepted.
If rebooting and antivirus scanning did not help, then you must manually delete the Mozilla Firefox security certificate file called cert8.db. This file may be damaged and for this reason the error described by me may occur. To remove cert8.db you need to do the following:
- Go into your Firefox, click on the settings icon (icon with three horizontal lines at the top right);
- Click the button with a question mark (Help) at the very bottom of the settings window;
- Click on "Information to solve the problem";
- In the application information, click on "Show folder" of your profile;
- After the folder opens, return to the browser, click on the settings icon again, and then click on the "Exit" button in the lower right;
- n the folder that opens earlier, locate the certdb file and delete it.
- Launch your Firefox again, during the launch process the certdb file will be automatically created again.
Warning: You should never add a certificate exception to well-known websites or sites dealing with financial transactions - in this case, an invalid certificate may be an indicator that your connection is compromised by a third party.
- Visitors: Follow the steps described, contact website owner, if they do not help.
- Webmasters: Check your webserver, make sure trusted SSL certificate installed with proper Intermediate certificates.