How to troubleshoot security error codes on secure websites
On websites which are supposed to be secure (the URL begins with "https://"), Firefox must verify that the certificate presented by the website is valid. If the certificate cannot be validated, Firefox will stop the connection to the website and show a "Your connection is not secure" error page instead.
This article explains why you might see the error code "SEC_ERROR_UNKNOWN_ISSUER", "MOZILLA_PKIX_ERROR_MITM_DETECTED" or "ERROR_SELF_SIGNED_CERT" on the error page and how to troubleshoot it.
- For other error codes on the "Your connection is not secure" error page, see the What do the security warning codes mean? article.
Table of Contents
- 1 What does this error code mean?
- 2 The error occurs on multiple secure sites
- 3 The error occurs on one particular site only
What does this error code mean?
During a secure connection a website needs to provide a certificate issued by a trusted certificate authority in order to ensure that the user is connected to the intended target and the connection is encrypted. If you get a "Your connection is not secure" error page and see the error code "SEC_ERROR_UNKNOWN_ISSUER" or "MOZILLA_PKIX_ERROR_MITM_DETECTED" after you click on , it means that the certificate provided was issued by a certificate authority that is not known by Firefox and therefore cannot be trusted by default.
The error occurs on multiple secure sites
In case you get this problem on multiple unrelated HTTPS-sites, it indicates that something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox. This is indicated by "MOZILLA_PKIX_ERROR_MITM_DETECTED" if Firefox is able to detect that the connection is intercepted by a proxy. The most common causes are security software scanning encrypted connections or malware listening in, replacing legitimate website certificates with their own.
Generally, if your security product contains a feature to scan encrypted connections, you could try to reinstall the security product, which might trigger the software to place its certificates into the Firefox trust store again. Try the following solutions for particular security products:
In Avast security products you can disable the interception of secure connections:
- Open the dashboard of your Avast application.
- Go to > > and click next to .
- Uncheck the box next to and confirm this by clicking .
See the Avast support article Managing HTTPS scanning in Web Shield in Avast Antivirus for details. More Information about this feature is available on this Avast Blog.
In Bitdefender security products you can disable the interception of secure connections:
- Open the dashboard of your Bitdefender application.
- For the 2016 version of the Bitdefender security product, click on
For the 2015 version of Bitdefender, click on . .
- Click on .
- Toggle off the Scan SSL setting.
For corporate Bitdefender products, please refer to this Bitdefender Support Center page.
In Bullguard security products you can disable the interception of secure connections on particular major websites like Google, Yahoo and Facebook:
- Open the dashboard of your Bullguard application.
- Click on > .
- Uncheck the option for those websites which are showing an error message.
In ESET security products you can try to disable and re-enable SSL/TLS protocol filtering or generally disable the interception of secure connections as described in ESET’s support article.
In Kaspersky security products you can disable the interception of secure connections:
- Open the dashboard of your Kaspersky application.
- Click on on the bottom-left.
- Click and then .
- If you use a 2016 version of Kaspersky: In the Do not scan encrypted connections option and confirm this change.
Alternatively you can click on in order to try to trigger a reinstallation of Kaspersky's certificate. In the dialog that opens click on and follow the on-screen instructions.
If you use a 2015 version of Kaspersky: uncheck the Scan encrypted connections option. section check the
- Finally, reboot your system for the changes to take effect.
Users of an earlier version of Kaspersky with a current subscription are entitled to an upgrade to the latest product version, which is available for download and installation on the Kaspersky product updates page. Afterwards follow the steps from above.
Family Safety settings in Windows accounts
In Microsoft Windows accounts protected by Family Safety settings, secure connections on popular websites like Google, Facebook and YouTube might be intercepted and their certificates replaced by a certificate issued by Microsoft in order to filter and record search activity.
Read this Microsoft FAQ page on how to turn off these family features for accounts. In case you want to manually install the missing certificates for affected accounts, you can refer to this Microsoft support article.
Monitoring/filtering in corporate networks
Some traffic monitoring/filtering products used in corporate environments might intercept encrypted connections by replacing a website's certificate with their own, at the same time possibly triggering errors on secure HTTPS-sites.
If you suspect this might be the case, please contact your IT department to ensure the correct configuration of Firefox to enable it working properly in such an environment, as the necessary certificate might have to be placed in the Firefox trust store first. More information for IT departments on how to go about this can be found in the Mozilla Wiki page CA:AddRootToFirefox.
Some forms of malware intercepting encrypted web traffic can cause this error message - refer to the article Troubleshoot Firefox issues caused by malware on how to deal with malware problems.
The error occurs on one particular site only
In case you get this problem on one particular site only, this type of error generally indicates that the web server is not configured properly. However, if you see this error on a legitimate major website like Google or Facebook or sites where financial transactions take place, you should continue with the steps outlined above.
Certificate issued by a authority belonging to Symantec
After a number of irregularities with certificates issued by Symantec root authorities came to light, browser vendors including Mozilla are gradually removing trust from these certificates in their products. In a first step, Firefox 60 will no longer trust certificates chaining up to Symantec root authorities (including all Symantec brands GeoTrust, RapidSSL, Thawte, and VeriSign) which were issued before 2016-06-01. In Firefox 63 this removal of trust will be extended to all Symantec certificates regardless of their issuing date.
MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED will be the primary error but with some servers, you may see the error code SEC_ERROR_UNKNOWN_ISSUER instead. In any case, if you come across such a site you should contact the owner of the website to inform them of that problem. We strongly encourage operators of affected sites to take immediate action to replace these certificates.
For more information on this issue, see Mozilla's blog post Distrust of Symantec TLS Certificates.
Missing intermediate certificate
On a site with a missing intermediate certificate you will see the following error description after you click onon the "Your connection is not secure" error page:
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
The website's certificate might not have been issued by a trusted certificate authority itself and no complete certificate chain to a trusted authority was provided either (a so-called "intermediate certificate" is missing).
You can test if a site is properly configured by entering a website's address into a third-party tool like SSL Labs' test page. If it is returning the result "Chain issues: Incomplete", a proper intermediate certificate is missing. You should contact the owner of the website you're having troubles accessing to inform them of that problem.
On a site with a self-signed certificate you will see the error code ERROR_SELF_SIGNED_CERT and the following error description, after you click onon the "Your connection is not secure" error page:
A self-signed certificate that wasn't issued by a recognized certificate authority is not trusted by default. Self-signed certificates can make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly and you may bypass the warning for such sites.
Bypassing the warning
If the website allows it, you can add an exception in order to visit the site, in spite its certificate is not being trusted by default:
- On the warning page, click .
- Click . The Add Security Exception dialog will appear.
- Read the text describing the problems with the website. You can click in order to closer inspect the untrusted certificate as well.
- Click if you are sure you want to trust the site.