ابحث في الدعم

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

SEC_ERROR_UNKNOWN_ISSUER on support.mozilla.org (and mail.google.com and others) after a day without restarting Firefox

  • 10 ردود
  • 1 has this problem
  • 55 views
  • آخر ردّ كتبه illwieckz

more options

Hi, I get the infamous SEC_ERROR_UNKNWON_ISSUER error on mail.google.com, support.mozilla.org and others but the weird thing is that certificates look legit. In fact any employee of my company is having it since months and across various versions.

I have checked the antivirus but it does not look like it's the cause. I'm currently running Firefox 61.0.1 on Windows 10 17134. The only special thing in that network is that there is a proxy cache but it does not do any nasty thing on https, and the weird thing is that Firefox on Linux doesn't get the error. On Windows I also tried to not configure proxy in Firefox and using system's one but it fixes nothing. I also tried to delete the SiteSecurityServiceState.txt file but it fixes nothing.

Basically, users can browse the web correctly, then around 18:00 or 19:00 on UTC+2 (but perhaps it's just about a specific amount of time after they started Firefox hours ago in the morning) large https websites (gmail and others) stop to work. For some unknown reason our own website using letsencrypt certificate still works.

If users turn Firefox off and on again it solves the problem and users are workarounding this bug every day since months this way but I'm looking for a real and definitive fix.

I copy paste there some certificates I get when I click the SEC_ERROR_UNKNWON_ISSUER link:

$ cat mozilla.txt https://support.mozilla.org/1/firefox/61.0.1/WINNT/fr/security-error

L'autorité de délivrance du certificat du pair n'est pas reconnue.

HTTP Strict Transport Security : false HTTP Public Key Pinning : false

Chaîne de certificat :


BEGIN CERTIFICATE-----

MIIFTzCCBDegAwIBAgIQBaAso7BaHqmKyAaA+pSPWDANBgkqhkiG9w0BAQsFADBN MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTcwOTIwMDAwMDAwWhcN MTgxMDMxMTIwMDAwWjCBhjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju aWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxGzAZBgNVBAoTEk1vemlsbGEgRm91 bmRhdGlvbjEPMA0GA1UECxMGV2ViT3BzMRwwGgYDVQQDExNzdXBwb3J0Lm1vemls bGEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2cJwyaf36XRh MtD76cDQtNXnJ5RCXs4KarfXWT2LaLpJU49jxpQWCeSPMllC0iAzktH/JVaCa0eo l3iF/X6CO6HBmtiuhcsQXh7cQPsgoqhZe+bCjlu013U6+TZiIEZLrhh3sGDayXjp V/txcGIcthpLp5CehqNBP0lPdopyCkxuokmPUDVtQ1IeiEiz3S6Hwls9vVwUJ+37 ltkLz4uJpZYq6DM1bekBQrW0MhN3g4FPlOwt7wsvw9SaDL+lLMCEG1Pw6C182uo2 28tZ3j0aBQGGFw4YMQxHsnBI6RpHwBRyV0mFLCWnucxRJhKv7x7kuyt6ZNUna8Nz oRyyq6LFxwIDAQABo4IB7zCCAeswHwYDVR0jBBgwFoAUD4BhHIIxYdUvKOeNRji0 LOHG2eIwHQYDVR0OBBYEFKNcAPirCasC5wR4TwpVz9cQH1ReMDMGA1UdEQQsMCqC E3N1cHBvcnQubW96aWxsYS5vcmeCE3N1cHBvcnQubW96aWxsYS5jb20wDgYDVR0P AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8E ZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWcx LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1n MS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0 cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEE cDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYB BQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJT ZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOC AQEA227lk4KbJItr/otzDrL9ZFD6Er9b0TgLRoq6I5QsDwg9wBKOjo5WeR75i6To NWYIaMDK/6oC8IjGgy/eEA/Ly99Tb6ixRq0RpZOFsWwmCmd40OlMw7vwGcSb+thm uFzdMqL7BdHjCjB8KTAcAudDkab1panZ9CpJA18y35FoB5zMIi4lDqXgdp06lXW7 wYEI2ilJVwHwb29GLOZ3au3PVfHvrXh2nC/5EjbuWGJNmQf0AK1Ygk/pCeHZ1q9E gDK+1DSag+DTEgYv+M0n410gOzqp1Lkw3LSSYNetq8+QUQ4NS0+4nr50d4j5PXkN 8HNdBltVMB8GRqmRYoMnBoeHQQ==


END CERTIFICATE-----
BEGIN CERTIFICATE-----

MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83 nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f /ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0 /RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1 oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl 5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA 8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC 2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0 j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz


END CERTIFICATE-----

$ cat google.txt https://mail.google.com/

L'autorité de délivrance du certificat du pair n'est pas reconnue.

HTTP Strict Transport Security : true HTTP Public Key Pinning : true

Chaîne de certificat :


BEGIN CERTIFICATE-----

MIID2zCCAsOgAwIBAgIIVro9yNA9sHQwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xODA2MTkxMTQwMzZaFw0x ODA4MjgxMTMyMDBaMGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgTExDMRgw FgYDVQQDDA9tYWlsLmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC AAT0XjScG/tliOjKq3jdBWv56pVTNiPT2NaUMs2T8GKVdrIt2qKVuVU9YVRdKcSJ yV2CyZ6r4hvw6swvWTljzpGmo4IBZTCCAWEwEwYDVR0lBAwwCgYIKwYBBQUHAwEw DgYDVR0PAQH/BAQDAgeAMCwGA1UdEQQlMCOCD21haWwuZ29vZ2xlLmNvbYIQaW5i b3guZ29vZ2xlLmNvbTBoBggrBgEFBQcBAQRcMFowLQYIKwYBBQUHMAKGIWh0dHA6 Ly9wa2kuZ29vZy9nc3IyL0dUU0dJQUczLmNydDApBggrBgEFBQcwAYYdaHR0cDov L29jc3AucGtpLmdvb2cvR1RTR0lBRzMwHQYDVR0OBBYEFAt+K6lBPmEhYbZJvigT baHoFdyaMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUd8K4UJpndnaxLcKG0IOg fqZ+ukswIQYDVR0gBBowGDAMBgorBgEEAdZ5AgUDMAgGBmeBDAECAjAxBgNVHR8E KjAoMCagJKAihiBodHRwOi8vY3JsLnBraS5nb29nL0dUU0dJQUczLmNybDANBgkq hkiG9w0BAQsFAAOCAQEAe098Y9G9kWmHCghsxWTtc+GeCPQzFfztP4OHjJPJFqJn g4h/uHpFcn2Zu7UeMhTh6nZneF8kXg0LXYOCkLRdqM9ZxJ68/ZultKP9QYzgO1iW FICeNxKkYzBWVGrBiZJIMT7DevPuR1X4ZP4oa9PR1hFjrpjO3fdhDOa6i8capYyu XzY9aAuyeFp1lgO65zXa0Y5sdGBFBrJJkCbtwTCHd6vzRDLUttyrOSdUO+7gCO3d GSaf3AdV+yp8zEQNNNVDCnbqp3hhkZdKrQX9JQt1fwlnK3zeBsh2q9+nFfTF3d7g y+HUFr64j82gUncptKZCSse2SLt97M5nl8n2+emk6Q==


END CERTIFICATE-----
BEGIN CERTIFICATE-----

MIIEXDCCA0SgAwIBAgINAeOpMBz8cgY4P5pTHTANBgkqhkiG9w0BAQsFADBMMSAw HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy MTUwMDAwNDJaMFQxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg U2VydmljZXMxJTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzMw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKUkvqHv/OJGuo2nIYaNVW XQ5IWi01CXZaz6TIHLGp/lOJ+600/4hbn7vn6AAB3DVzdQOts7G5pH0rJnnOFUAK 71G4nzKMfHCGUksW/mona+Y2emJQ2N+aicwJKetPKRSIgAuPOB6Aahh8Hb2XO3h9 RUk2T0HNouB2VzxoMXlkyW7XUR5mw6JkLHnA52XDVoRTWkNty5oCINLvGmnRsJ1z ouAqYGVQMc/7sy+/EYhALrVJEA8KbtyX+r8snwU5C1hUrwaW6MWOARa8qBpNQcWT kaIeoYvy/sGIJEmjR0vFEwHdp1cSaWIr6/4g72n7OqXwfinu7ZYW97EfoOSQJeAz AgMBAAGjggEzMIIBLzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUH AwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHfCuFCa Z3Z2sS3ChtCDoH6mfrpLMB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYu MDUGCCsGAQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdv b2cvZ3NyMjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dz cjIvZ3NyMi5jcmwwPwYDVR0gBDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYc aHR0cHM6Ly9wa2kuZ29vZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEA HLeJluRT7bvs26gyAZ8so81trUISd7O45skDUmAge1cnxhG1P2cNmSxbWsoiCt2e ux9LSD+PAj2LIYRFHW31/6xoic1k4tbWXkDCjir37xTTNqRAMPUyFRWSdvt+nlPq wnb8Oa2I/maSJukcxDjNSfpDh/Bd1lZNgdd/8cLdsE3+wypufJ9uXO1iQpnh9zbu FIwsIONGl1p3A8CgxkqI/UAih3JaGOqcpcdaCIzkBaR9uYQ1X4k2Vg5APRLouzVy 7a8IVk6wuy6pm+T7HT4LY8ibS5FEZlfAFLSW8NwsVz9SBK2Vqn1N0PIMn5xA6NZV c7o835DLAFshEWfC7TIe3g==


END CERTIFICATE-----

Any idea where to look for?

Modified by illwieckz

All Replies (10)

more options

Note that the french sentence says something like "the certificate authority is not recognized" or something like that. But both certificate, authority and chain look legit:

$ openssl x509 -in mozilla.txt -text -noout Certificate:

   Data:
       Version: 3 (0x2)
       Serial Number:
           05:a0:2c:a3:b0:5a:1e:a9:8a:c8:06:80:fa:94:8f:58
   Signature Algorithm: sha256WithRSAEncryption
       Issuer: C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
       Validity
           Not Before: Sep 20 00:00:00 2017 GMT
           Not After : Oct 31 12:00:00 2018 GMT
       Subject: C = US, ST = California, L = Mountain View, O = Mozilla Foundation, OU = WebOps, CN = support.mozilla.org
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:d9:c2:70:c9:a7:f7:e9:74:61:32:d0:fb:e9:c0:
                   d0:b4:d5:e7:27:94:42:5e:ce:0a:6a:b7:d7:59:3d:
                   8b:68:ba:49:53:8f:63:c6:94:16:09:e4:8f:32:59:
                   42:d2:20:33:92:d1:ff:25:56:82:6b:47:a8:97:78:
                   85:fd:7e:82:3b:a1:c1:9a:d8:ae:85:cb:10:5e:1e:
                   dc:40:fb:20:a2:a8:59:7b:e6:c2:8e:5b:b4:d7:75:
                   3a:f9:36:62:20:46:4b:ae:18:77:b0:60:da:c9:78:
                   e9:57:fb:71:70:62:1c:b6:1a:4b:a7:90:9e:86:a3:
                   41:3f:49:4f:76:8a:72:0a:4c:6e:a2:49:8f:50:35:
                   6d:43:52:1e:88:48:b3:dd:2e:87:c2:5b:3d:bd:5c:
                   14:27:ed:fb:96:d9:0b:cf:8b:89:a5:96:2a:e8:33:
                   35:6d:e9:01:42:b5:b4:32:13:77:83:81:4f:94:ec:
                   2d:ef:0b:2f:c3:d4:9a:0c:bf:a5:2c:c0:84:1b:53:
                   f0:e8:2d:7c:da:ea:36:db:cb:59:de:3d:1a:05:01:
                   86:17:0e:18:31:0c:47:b2:70:48:e9:1a:47:c0:14:
                   72:57:49:85:2c:25:a7:b9:cc:51:26:12:af:ef:1e:
                   e4:bb:2b:7a:64:d5:27:6b:c3:73:a1:1c:b2:ab:a2:
                   c5:c7
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Authority Key Identifier:
               keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
           X509v3 Subject Key Identifier:
               A3:5C:00:F8:AB:09:AB:02:E7:04:78:4F:0A:55:CF:D7:10:1F:54:5E
           X509v3 Subject Alternative Name:
               DNS:support.mozilla.org, DNS:support.mozilla.com
           X509v3 Key Usage: critical
               Digital Signature, Key Encipherment
           X509v3 Extended Key Usage:
               TLS Web Server Authentication, TLS Web Client Authentication
           X509v3 CRL Distribution Points:
               Full Name:
                 URI:http://crl3.digicert.com/ssca-sha2-g1.crl
               Full Name:
                 URI:http://crl4.digicert.com/ssca-sha2-g1.crl
           X509v3 Certificate Policies:
               Policy: 2.16.840.1.114412.1.1
                 CPS: https://www.digicert.com/CPS
               Policy: 2.23.140.1.2.2
           Authority Information Access:
               OCSP - URI:http://ocsp.digicert.com
               CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
           X509v3 Basic Constraints: critical
               CA:FALSE
   Signature Algorithm: sha256WithRSAEncryption
        db:6e:e5:93:82:9b:24:8b:6b:fe:8b:73:0e:b2:fd:64:50:fa:
        12:bf:5b:d1:38:0b:46:8a:ba:23:94:2c:0f:08:3d:c0:12:8e:
        8e:8e:56:79:1e:f9:8b:a4:e8:35:66:08:68:c0:ca:ff:aa:02:
        f0:88:c6:83:2f:de:10:0f:cb:cb:df:53:6f:a8:b1:46:ad:11:
        a5:93:85:b1:6c:26:0a:67:78:d0:e9:4c:c3:bb:f0:19:c4:9b:
        fa:d8:66:b8:5c:dd:32:a2:fb:05:d1:e3:0a:30:7c:29:30:1c:
        02:e7:43:91:a6:f5:a5:a9:d9:f4:2a:49:03:5f:32:df:91:68:
        07:9c:cc:22:2e:25:0e:a5:e0:76:9d:3a:95:75:bb:c1:81:08:
        da:29:49:57:01:f0:6f:6f:46:2c:e6:77:6a:ed:cf:55:f1:ef:
        ad:78:76:9c:2f:f9:12:36:ee:58:62:4d:99:07:f4:00:ad:58:
        82:4f:e9:09:e1:d9:d6:af:44:80:32:be:d4:34:9a:83:e0:d3:
        12:06:2f:f8:cd:27:e3:5d:20:3b:3a:a9:d4:b9:30:dc:b4:92:
        60:d7:ad:ab:cf:90:51:0e:0d:4b:4f:b8:9e:be:74:77:88:f9:
        3d:79:0d:f0:73:5d:06:5b:55:30:1f:06:46:a9:91:62:83:27:
        06:87:87:41

$ openssl x509 -in google.txt -text -noout Certificate:

   Data:
       Version: 3 (0x2)
       Serial Number: 6249375365626441844 (0x56ba3dc8d03db074)
   Signature Algorithm: sha256WithRSAEncryption
       Issuer: C = US, O = Google Trust Services, CN = Google Internet Authority G3
       Validity
           Not Before: Jun 19 11:40:36 2018 GMT
           Not After : Aug 28 11:32:00 2018 GMT
       Subject: C = US, ST = California, L = Mountain View, O = Google LLC, CN = mail.google.com
       Subject Public Key Info:
           Public Key Algorithm: id-ecPublicKey
               Public-Key: (256 bit)
               pub:
                   04:f4:5e:34:9c:1b:fb:65:88:e8:ca:ab:78:dd:05:
                   6b:f9:ea:95:53:36:23:d3:d8:d6:94:32:cd:93:f0:
                   62:95:76:b2:2d:da:a2:95:b9:55:3d:61:54:5d:29:
                   c4:89:c9:5d:82:c9:9e:ab:e2:1b:f0:ea:cc:2f:59:
                   39:63:ce:91:a6
               ASN1 OID: prime256v1
               NIST CURVE: P-256
       X509v3 extensions:
           X509v3 Extended Key Usage:
               TLS Web Server Authentication
           X509v3 Key Usage: critical
               Digital Signature
           X509v3 Subject Alternative Name:
               DNS:mail.google.com, DNS:inbox.google.com
           Authority Information Access:
               CA Issuers - URI:http://pki.goog/gsr2/GTSGIAG3.crt
               OCSP - URI:http://ocsp.pki.goog/GTSGIAG3
           X509v3 Subject Key Identifier:
               0B:7E:2B:A9:41:3E:61:21:61:B6:49:BE:28:13:6D:A1:E8:15:DC:9A
           X509v3 Basic Constraints: critical
               CA:FALSE
           X509v3 Authority Key Identifier:
               keyid:77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B
           X509v3 Certificate Policies:
               Policy: 1.3.6.1.4.1.11129.2.5.3
               Policy: 2.23.140.1.2.2
           X509v3 CRL Distribution Points:
               Full Name:
                 URI:http://crl.pki.goog/GTSGIAG3.crl
   Signature Algorithm: sha256WithRSAEncryption
        7b:4f:7c:63:d1:bd:91:69:87:0a:08:6c:c5:64:ed:73:e1:9e:
        08:f4:33:15:fc:ed:3f:83:87:8c:93:c9:16:a2:67:83:88:7f:
        b8:7a:45:72:7d:99:bb:b5:1e:32:14:e1:ea:76:67:78:5f:24:
        5e:0d:0b:5d:83:82:90:b4:5d:a8:cf:59:c4:9e:bc:fd:9b:a5:
        b4:a3:fd:41:8c:e0:3b:58:96:14:80:9e:37:12:a4:63:30:56:
        54:6a:c1:89:92:48:31:3e:c3:7a:f3:ee:47:55:f8:64:fe:28:
        6b:d3:d1:d6:11:63:ae:98:ce:dd:f7:61:0c:e6:ba:8b:c7:1a:
        a5:8c:ae:5f:36:3d:68:0b:b2:78:5a:75:96:03:ba:e7:35:da:
        d1:8e:6c:74:60:45:06:b2:49:90:26:ed:c1:30:87:77:ab:f3:
        44:32:d4:b6:dc:ab:39:27:54:3b:ee:e0:08:ed:dd:19:26:9f:
        dc:07:55:fb:2a:7c:cc:44:0d:34:d5:43:0a:76:ea:a7:78:61:
        91:97:4a:ad:05:fd:25:0b:75:7f:09:67:2b:7c:de:06:c8:76:
        ab:df:a7:15:f4:c5:dd:de:e0:cb:e1:d4:16:be:b8:8f:cd:a0:
        52:77:29:b4:a6:42:4a:c7:b6:48:bb:7d:ec:ce:67:97:c9:f6:
        f9:e9:a4:e9
more options

Try to rename the cert9.db (cert9.db.old) file and remove the previously used cert8.db file in the Firefox profile folder with Firefox closed to remove intermediate certificates and exceptions that Firefox has stored.

If that has helped to solve the problem then you can remove the renamed cert9.db.old file.

Firefox will store intermediate certificates that a server sends in the Certificate Manager for future use. Otherwise you can undo the rename.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

more options

Hi cor-el, how can I check that it fixes the issue since closing Firefox also fixes the issue ?

more options

I also report there is no cert8.db there.

more options

deleting cert9.db (there is no cert8.db) and restarting Firefox does not fix the issue, one day later the issue comes back.

more options

Do the Windows computers have any special deployment modifications?

Is security.enterprise_roots.enabled modified (i.e is true) on the about:config page?

more options

The security.enterprise_roots.enabled key is not modified and is set to false (default). We don't have enterprise root certificates. Our proxy does not decypher ssl connections.

These are the keys we deployed:

"app.update.auto", false "app.update.enabled", false "browser.cache.disk.capacity", 100000 "browser.search.update", true "browser.shell.checkDefaultBrowser", false "network.proxy.ftp", "proxy" "network.proxy.ftp_port", 3128 "network.proxy.http", "proxy" "network.proxy.http_port", 3128 "network.proxy.share_proxy_settings", true "network.proxy.socks", "proxy" "network.proxy.socks_port", 3128 "network.proxy.ssl", "proxy" "network.proxy.ssl_port", 3128 "network.proxy.type", 1 "privacy.donottrackheader.enabled", true "privacy.trackingprotection.pbmode.enabled", true "browser.disableResetPrompt", true

You can notice:

  • a custom proxy but as said before, using the system proxy instead of the firefox one changes nothing and since the same version of firefox running on linux using the same proxy does not have the issue, it's probably not related to the proxy itself;
  • disableResetPrompt is activated to prevent people losing their proxy configuration on unattended reset and by the way the profile I use to drive the tests was reseted recently;
  • a custom value for the user cache but in fact firefox increases it itself and modifying it changes nothing;
  • the autoupdate is disabled because we have an internal process to deploy software;
  • we deploy no other keys.

An useful information about our specific setup is that %AppData% (the user profile itself) is stored on a network drive when %LocalAppData% (cache things) is on a physical drive local to the machine running firefox.

Modified by illwieckz

more options

Is anything scheduled to happen around that time in the Windows Task Scheduler?

more options

we haven't added any custom scheduled tasks by hand at all and I haven't seen any system one at that time

more options

Any other idea? What can I do to troubleshoot this issue?