How can I eliminate the SEC_ERROR_UNKNOWN_ISSUER errors I get at multiple websites?
I just installed FF 63 on a 64-bit Windows 7 machine, and I'm getting SEC_ERROR_UNKNOWN_ISSUER errors at many, but not all, websites. Reaching the same websites via the same URLs using Chrome works fine.
All discussions of this problem seem to lead to https://support.mozilla.org/en-US/kb/error-codes-secure-websites?redirectlocale=en-US&redirectslug=troubleshoot-SEC_ERROR_UNKNOWN_ISSUER, but it's not helpful. My antivirus is Bitdefender Free, which appears to have no option for disabling the interception of secure connections.
Running FF in safe mode behaves the same as in "normal" mode: I get SEC_ERROR_UNKNOWN_ISSUER errors at many (but not all) websites.
Help? As things stand now, FF is pretty close to useless for me.
All replies (12)
Hi LangfristigerFFUser, Bitdefender might be the culprit for this problem. We could try to confirm that by checking one of the certificates Firefox objects to if you're not sure.
They offer these instructions, but they are not for your version?
Here are two workarounds to get Firefox to trust all of the fake certificates Bitdefender or another "man in the middle" will generate:
Option #1: Import the Signing Certificate
If you import the program's signing certificate into Firefox's certificate store, then all of its fake certificates will be trusted.
(A) If you do not already have a certificate file ready to import, you can export it from IE or Chrome.
- This may appear in IE's Certificates dialog OR it may appear when you view the certificate details on any secure page you load in IE/Chrome
- The Export or Copy to file button starts the Export Wizard. Use the DER format and save to a convenient location
Example screenshots: https://support.mozilla.org/questions/1199797#answer-1064849
(B) When finished with all the necessary exports to complete the chain in the Certification Path, you can import the certificate(s) into the Firefox Authorities tab:
- Windows: "3-bar" menu button (or Tools menu) > Options
- Mac: "3-bar" menu button (or Firefox menu) > Preferences
- Linux: "3-bar" menu button (or Edit menu) > Preferences
- Any system: type or paste about:preferences into the address bar and press Enter/Return to load it
In the search box at the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the security software's certificate.
(See Fourth and fifth screenshots in the above-linked post.)
When asked, I suggest allowing the certificate for websites only unless your IT suggests otherwise.
It's a bit of a pain, but the advantage of that approach is that you are making the minimal compromise of security.
Option #2: Trust all Signing Certificates in the Windows Cert Store
(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
(B) In the search box above the list, type or paste enterp and pause while the list is filtered
(C) Double-click the security.enterprise_roots.enabled preference to switch the value from false to true
I'm not sure whether that will start working immediately or after the next time you exit Firefox and start it up again. I guess you'll know if you visit an HTTPS address and Firefox no longer objects.
The disadvantage of this method is that any security compromise of the system certificate store will affect Firefox, too. This may be a lesser concern on a business system; it's more of an issue on a home system.
Do either of those work for you?
You can check if there is more detail available about the issuer of the certificate.
- click the "Advanced" button to show more detail
- click the blue error text (SEC_ERROR_UNKNOWN_ISSUER) to show the certificate chain
- click "Copy text to clipboard" and paste the base64 certificate chain text in a reply
If clicking the blue error text doesn't provide the certificate chain then try these steps to inspect the certificate.
- open the Servers tab in the Certificate Manager
  - Options/Preferences -> Privacy & Security
  - Certificates: View Certificates -> Servers: "Add Exception"
- paste the URL of the website (https://xxx.xxx) in its Location field
- let Firefox retrieve the certificate -> "Get Certificate"
- click the "View" button and inspect the certificate
You can see detail like the issuer of the certificate and intermediate certificates in the Details tab.
See also:
Here's the certificate chain for one of the URLs that give rise to the problem. I have no idea how to interpret this information.
Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: true HTTP Public Key Pinning: false
This certificate is issued by Bitdefender, so you need to check this software.
- Subject C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=answers.microsoft.com
- Issuer CN=Bitdefender Personal CA.avfree000000, OU=IDS, O=Bitdefender, C=US
How can you tell that it's issued by Bitdefender?
In the meantime, I've opened a ticket with Bitdefender, because there does not seem to be a way to disable SSL scanning in the version I'm using. (It's the free version, so I don't think it does SSL scanning, anyway.)
A full Malwarebytes scan of my machine comes up clean.
Hi LangfristigerFFUser, about this part --
How can you tell that it's issued by Bitdefender?
-- There are pages online that will decode the certificate to show what the fields say. For example, I use:
https://certlogik.com/decoder/
If you paste everything between the BEGIN and END lines there, and submit it, then there will be a line for Issuer which has the information from the certificate that signed the fake site certificate.
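An offline way to read the same Issuer and Subject fields without a web decoder, as an added example that is not part of any post in this thread: standard-library Python that walks the DER structure of one PEM certificate. The sample input is a constructed, unsigned certificate-shaped structure with made-up names (`Example Local Scanner CA`, `ExampleAV`, `www.example.com`), and all function names are this example's own.

```python
import base64

# DER-encoded attribute OIDs that appear in X.509 names
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def name_to_str(buf, start, end):
    """Name = SEQUENCE OF SET OF SEQUENCE {OID, string} -> 'CN=..., O=...'."""
    parts = []
    for _, s_vs, s_ve in children(buf, start, end):
        for _, a_vs, a_ve in children(buf, s_vs, s_ve):
            (_, o_vs, o_ve), (_, v_vs, v_ve) = children(buf, a_vs, a_ve)
            key = OIDS.get(buf[o_vs:o_ve], buf[o_vs:o_ve].hex())
            parts.append(key + "=" + buf[v_vs:v_ve].decode("utf-8", "replace"))
    return ", ".join(parts)

def issuer_and_subject(pem):
    b64 = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    raw = base64.b64decode(b64)
    _, c_vs, _ = read_tlv(raw, 0)              # outer Certificate SEQUENCE
    _, t_vs, t_ve = read_tlv(raw, c_vs)        # TBSCertificate
    # drop the optional [0] version; then: serial, sig alg, issuer, validity, subject
    f = [x for x in children(raw, t_vs, t_ve) if x[0] != 0xA0]
    return name_to_str(raw, *f[2][1:]), name_to_str(raw, *f[4][1:])

def sample_pem():
    """Constructed, unsigned certificate-shaped DER with made-up names."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body   # every element < 128 bytes
    rev = {v: k for k, v in OIDS.items()}
    nm = lambda *a: enc(0x30, b"".join(
        enc(0x31, enc(0x30, enc(6, rev[k]) + enc(12, v.encode()))) for k, v in a))
    tbs = enc(0x30, enc(0xA0, enc(2, b"\x02")) + enc(2, b"\x01") + enc(0x30, b"")
              + nm(("CN", "Example Local Scanner CA"), ("O", "ExampleAV"))
              + enc(0x30, b"") + nm(("CN", "www.example.com")))
    cert = enc(0x30, tbs + enc(0x30, b"") + enc(3, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----"

if __name__ == "__main__": print(issuer_and_subject(sample_pem()))
```

Pass one BEGIN/END block at a time; an Issuer naming locally installed security software rather than a public certificate authority is the sign that the connection is being re-signed on the machine.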
Chosen solution
I got the following information from Bitdefender, which resolved the problem for me:
In order to resolve this issue please follow these steps:
- open Firefox
- press on the menu button in the upper right that looks like three bars one under another
- go to Options
- go to Privacy & Security
- press on View certificates
- go to Authorities
- delete any Bitdefender entries in the list
- press on Import
- navigate to C:\Program Files\Bitdefender Antivirus Free\web\mitm_cache
- select fake-ca.crt and press on Open
- check all the boxes you are prompted with
- press on next until the certificate is installed
Restart Firefox. A restart of the computer may also be required.
Great, thank you for reporting back on those steps.
LangfristigerFFUser said
I got the following information from Bitdefender, which resolved the problem for me: In order to resolve this issue please follow these steps: - open Firefox - press on the menu button in the upper right that looks like three bars one under another - go to Options - go to Privacy & Security - press on View certificates - go to Authorities - delete any Bitdefender entries in the list - press on Import - navigate to C:\Program Files\Bitdefender Antivirus Free\web\mitm_cache - select fake-ca.crt and press on Open - check all the boxes you are prompted with - press on next until the certificate is installed Restart Firefox. A restart of the computer may also be required.
It works! Thank you.
Thanks for those instructions, they worked for me, although the location of mitm_cache was slightly different.
I'm on Windows 10 and I found it by searching for it in my Bitdefender folder. It was in C:\Program Files\Bitdefender\Bitdefender Security\mitm_cache
LangfristigerFFUser said
I got the following information from Bitdefender, which resolved the problem for me: In order to resolve this issue please follow these steps: - open Firefox - press on the menu button in the upper right that looks like three bars one under another - go to Options - go to Privacy & Security - press on View certificates - go to Authorities - delete any Bitdefender entries in the list - press on Import - navigate to C:\Program Files\Bitdefender Antivirus Free\web\mitm_cache - select fake-ca.crt and press on Open - check all the boxes you are prompted with - press on next until the certificate is installed Restart Firefox. A restart of the computer may also be required.
Nope, that doesn't exist.
C:\Program Files\Bitdefender Antivirus Free\web\mitm_cache
Not only that, there's nothing about Bitdefender in Authorities to delete.
Hi Clarino1, you probably have a Bitdefender folder in one of these locations:
- C:\Program Files\Bitdefender [some product name]
- C:\Program Files (x86)\Bitdefender [some product name]
What can you find?
Also, you would only need to remove a certificate from Firefox's Certificate Manager, Authorities tab, if you had previously imported a Bitdefender certificate and it has expired or no longer matches the product you're using.