Compare Revisions

How to troubleshoot security error codes on secure websites

Revision 263806:

Revision 263806 by AliceWyman on

Revision 278452:

Revision 278452 by sebt11tools on

Keywords:

Search results summary:

Learn about the error codes SEC_ERROR_UNKNOWN_ISSUER MOZILLA_PKIX_ERROR_MITM_DETECTED and ERROR_SELF_SIGNED_CERT on HTTPS websites and how to troubleshoot.

Content:

For websites that are securely encrypted (the URL begins with "http'''s'''://"), Firefox must verify that the certificate presented by the website is valid. If the certificate cannot be validated, Firefox will stop the connection to the website and show a "Warning: Potential Security Risk Ahead" error page instead. By clicking the {button Advanced} button, you can view the specific error Firefox encountered. This article explains why you might see the error codes SEC_ERROR_UNKNOWN_ISSUER, MOZILLA_PKIX_ERROR_MITM_DETECTED or ERROR_SELF_SIGNED_CERT on an error page and how to troubleshoot it.

{note}For other error codes on the "Warning: Potential Security Risk Ahead" error page, see the [[What do the security warning codes mean?]] article. For ''Secure Connection Failed'' or ''Did Not Connect: Potential Security Issue'' error pages, see the article [[Secure connection failed and Firefox did not connect]].{/note}

__TOC__

= What does this error code mean? =

During a secure connection, a website must provide a certificate issued by a trusted [https://wikipedia.org/wiki/Certificate_authority certificate authority] to ensure that the user is connected to the intended target and the connection is encrypted. If you click the {button Advanced} button on a "Warning: Potential Security Risk Ahead" error page and you see the error code SEC_ERROR_UNKNOWN_ISSUER or MOZILLA_PKIX_ERROR_MITM_DETECTED, it means that the provided certificate was issued by a certificate authority that is not known by Firefox and, therefore, cannot be trusted by default.

[[Image:Fx66WarningSEC_ERROR_UNKNOWN_ISSUER]]

= The error occurs on multiple secure sites =

If you get this problem on multiple unrelated HTTPS sites, it indicates that something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox. The most common causes are security software scanning encrypted connections, or malware listening in and replacing legitimate website certificates with their own. In particular, the error code MOZILLA_PKIX_ERROR_MITM_DETECTED indicates that Firefox detected connection interception.

== Antivirus products ==

Third-party antivirus software can interfere with Firefox's secure connections.{for winxp,win7,mac,linux} You could try reinstalling it, which might trigger the software into placing its certificates into the Firefox trust store again.{/for}
{for win8, win10}
We recommend uninstalling your third-party software and using the security software offered for Windows by Microsoft:
* Windows 8 and Windows 10 - Windows Defender ([https://www.microsoft.com/windows/comprehensive-security built-in])
If you do not want to uninstall your third-party software, you could try reinstalling it, which might trigger the software into placing its certificates into the Firefox trust store again.
{/for}

Here are some alternative solutions you can try:

=== Avast/AVG ===

In Avast or AVG security products you can disable the interception of secure connections:
# Open the dashboard of your Avast or AVG application.
# Go to {menu Menu} and click on {menu Settings} > {menu Protection} > {menu Core Shields}.
# Scroll down to the Configure shield settings section and click on {menu Web Shield}.
# Uncheck the box next to {menu Enable HTTPS Scanning} and confirm this by clicking {button OK}.
#;{note} In older versions of the product you'll find the corresponding option when you go to {menu Menu} > {menu Settings} > {menu Components} and click {button Customize} next to {menu Web Shield}{/note}
See the Avast support article [https://support.avast.com/en-us/article/189/ Managing HTTPS scanning in Web Shield in Avast Antivirus] for details. More information about this feature is available on this [https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/ Avast Blog].

=== Bitdefender ===

In Bitdefender security products you can disable the interception of secure connections:
# Open the dashboard of your Bitdefender application.
# Go to {menu Protection} and in the {menu Online Threat Prevention} section click on {menu Settings}.
# Toggle off the {pref Encrypted Web Scan} setting.
#;{note} In older versions of the product you can find the corresponding option labelled {pref Scan SSL} when you go to {menu Modules} > {menu Web Protection}{/note}
In Bitdefender Antivirus Free it's not possible to control this setting. You can try to [https://www.bitdefender.com/support/repairing-or-removing-bitdefender-free-edition-1160.html repair or remove the program] instead when you're having problems accessing secure websites. For corporate Bitdefender products, please refer to this [http://www.bitdefender.com/support/how-to-enable-ssl-https-scanning-in-cloud-security-for-endpoints-1117.html Bitdefender Support Center page].

=== Bullguard ===

In Bullguard security products you can disable the interception of secure connections on particular major websites like Google, Yahoo and Facebook:
# Open the dashboard of your Bullguard application.
# Click on {menu Settings} and enable the {pref Advanced} view on the top right of the panel.
# Go to {menu Antivirus} > {menu Safe browsing}.
# Uncheck the {menu Show safe results} option for those websites which are showing an error message.

=== ESET ===

In ESET security products you can try to disable and re-enable {pref SSL/TLS protocol filtering} or generally disable the interception of secure connections as described in [http://support.eset.com/kb3126/ ESET’s support article].

=== Kaspersky ===

Affected users of Kaspersky should upgrade to the most recent version of their security product, as Kaspersky 2019 and above contain mitigations for this problem. The [https://www.kaspersky.com/downloads Kaspersky Downloads page] includes "update" links that will install the latest version free of charge for users with a current subscription. Otherwise, you can also disable the interception of secure connections:
# Open the dashboard of your Kaspersky application.
# Click on {menu Settings} on the bottom-left.
# Click {menu Additional} and then {menu Network}.
# In the {menu Encrypted connections scanning} section check the {pref Do not scan encrypted connections} option and confirm this change.
# Finally, reboot your system for the changes to take effect.

{for win8}
== Family Safety settings in Windows accounts ==

In Microsoft Windows accounts protected by Family Safety settings, secure connections on popular websites like Google, Facebook and YouTube might be intercepted and their certificates replaced by a certificate issued by Microsoft in order to filter and record search activity. Read this [http://windows.microsoft.com/en-us/windows/family-features-remove-uninstall-faq Microsoft FAQ page] on how to turn off these family features for accounts. In case you want to manually install the missing certificates for affected accounts, you can refer to this [https://support.microsoft.com/en-us/kb/2965142#bookmark-2 Microsoft support article].
{/for}

== Monitoring/filtering in corporate networks ==

Some traffic monitoring/filtering products used in corporate environments might intercept encrypted connections by replacing a website's certificate with their own, at the same time possibly triggering errors on secure HTTPS sites. If you suspect this might be the case, please contact your IT department to ensure the correct configuration of Firefox to enable it to work properly in such an environment, as the necessary certificate might have to be placed in the Firefox trust store first. More information for IT departments on how to go about this can be found in the Mozilla Wiki page [https://wiki.mozilla.org/CA:AddRootToFirefox CA:AddRootToFirefox].

== Malware ==

Some forms of malware intercepting encrypted web traffic can cause this error message; refer to the article [[Troubleshoot Firefox issues caused by malware]] on how to deal with malware problems.

= The error occurs on one particular site only =

In case you get this problem on one particular site only, this type of error generally indicates that the web server is not configured properly. However, if you see this error on a legitimate major website like Google or Facebook or sites where financial transactions take place, you should continue with the <!--note for localisers: adapt this link, it should point to the "The error occurs on multiple secure sites" section-->[[#w_the-error-occurs-on-multiple-secure-sites|steps outlined above]].

== Certificate issued by an authority belonging to Symantec ==
<!--Delayed? Discontinued? see discussion https://support.mozilla.org/en-US/kb/error-codes-secure-websites/discuss/7516 -->

After a number of irregularities with certificates issued by Symantec root authorities came to light, browser vendors, including Mozilla, are gradually removing trust from these certificates in their products. Firefox will no longer trust server certificates issued by Symantec, including those issued under the GeoTrust, RapidSSL, Thawte and Verisign brands.<!--In a first step, Firefox 60 will no longer trust certificates chaining up to Symantec root authorities (including all Symantec brands GeoTrust, RapidSSL, Thawte, and VeriSign) which were issued before 2016-06-01. In Firefox 63 this removal of trust will be extended to all Symantec certificates regardless of their issuing date.--> For more information, see [https://blog.mozilla.org/security/2018/10/10/delaying-further-symantec-tls-certificate-distrust/ this Mozilla blog post].

MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED will be the primary error, but with some servers, you may see the error code SEC_ERROR_UNKNOWN_ISSUER instead.<!--https://bugzilla.mozilla.org/show_bug.cgi?id=1444427#c1 --> If you come across such a site you should contact the owner of the website to inform them of the problem. Mozilla strongly encourages operators of affected sites to take immediate action to replace these certificates. For more help, see [https://www.digicert.com/blog/digicert-helping-customers-replace-symantec-certificates this DigiCert blog post] and [https://www.digicert.com/tools DigiCert Tools].

== Missing intermediate certificate ==

On a site with a missing intermediate certificate you will see the following error description after you click on {button Advanced} on the error page:

{note}The certificate is not trusted because the issuer certificate is unknown.<br>The server might not be sending the appropriate intermediate certificates.<br>An additional root certificate may need to be imported.{/note}

The website's certificate might not have been issued by a trusted certificate authority itself and no complete certificate chain to a trusted authority was provided either (a so-called "intermediate certificate" is missing).
<br>You can test if a site is properly configured by entering a website's address into a third-party tool like [https://www.ssllabs.com/ssltest SSL Labs' test page]. If it is returning the result "Chain issues: Incomplete", a proper intermediate certificate is missing. You should contact the owner of the website you're having trouble accessing to inform them of that problem.

== Self-signed certificate ==

On a site with a self-signed certificate you will see the error code ERROR_SELF_SIGNED_CERT and the following error description, after you click on {button Advanced} on the error page:

{note}The certificate is not trusted because it is self-signed.{/note}

A self-signed certificate that wasn't issued by a recognized certificate authority is not trusted by default. Self-signed certificates can make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly and you may bypass the warning for such sites.

== Bypassing the warning ==

{warning}'''Warning:''' You should never add a certificate exception for a legitimate major website or sites where financial transactions take place – in this case an invalid certificate can be an indication that your connection is compromised by a third party.{/warning}

If the website allows it, you can bypass the warning in order to visit the site, even though its certificate is not trusted by default:
# On the warning page, click {button Advanced}.
# Click {button Accept the Risk and Continue}.
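The three failure modes this article describes (a chain that reaches a trusted root, a chain with the intermediate missing, and a self-signed certificate) can be reproduced offline with a small constructed PKI. The following Go program is an added example written for this page; it is not Mozilla's or Firefox's code, and the certificate names (`Constructed Test Root CA`, `www.example.test`, `intranet.example.test`) are made up for the demonstration. It uses Go's standard `crypto/x509` verifier, which behaves like the check Firefox performs: the same leaf certificate verifies when the intermediate is presented and fails with an unknown-authority error when it is not, and a self-signed certificate is recognised by its subject equalling its issuer and its signature validating against its own key. The final scenario adds the self-signed certificate to the trust pool to show what accepting an exception amounts to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcomes mirroring the error descriptions shown on the Firefox error page.
const (
	Trusted       = "trusted"
	SelfSigned    = "self-signed certificate"            // ERROR_SELF_SIGNED_CERT
	UnknownIssuer = "issuer unknown / chain incomplete"  // SEC_ERROR_UNKNOWN_ISSUER
)

// newKey generates a P-256 key for the constructed test PKI.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate template; CAs get the CertSign key usage,
// leaves get a DNS SAN and the serverAuth extended key usage.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with the parent's key; passing tmpl as its own parent yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Classify verifies leaf against the trust store with the certificates the "server" presented
// and maps the result onto the outcomes described in the article.
func Classify(leaf *x509.Certificate, presented []*x509.Certificate, roots *x509.CertPool, host string) string {
	inter := x509.NewCertPool()
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	if err == nil {
		return Trusted
	}
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		// Self-signed: subject == issuer and the certificate's own key verifies its signature.
		selfCheck := leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature)
		if leaf.Subject.String() == leaf.Issuer.String() && selfCheck == nil {
			return SelfSigned
		}
		return UnknownIssuer
	}
	return err.Error()
}

// Scenarios builds the constructed PKI (root -> intermediate -> leaf, plus an unrelated
// self-signed intranet cert) and runs the four cases discussed in the article.
func Scenarios() map[string]string {
	rootKey, interKey, leafKey, selfKey := newKey(), newKey(), newKey(), newKey()
	rootT := template("Constructed Test Root CA", 1, true)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter := issue(template("Constructed Test Intermediate CA", 2, true), root, &interKey.PublicKey, rootKey)
	leaf := issue(template("www.example.test", 3, false), inter, &leafKey.PublicKey, interKey)
	selfT := template("intranet.example.test", 4, false)
	self := issue(selfT, selfT, &selfKey.PublicKey, selfKey)

	roots := x509.NewCertPool() // the browser's trust store: only the constructed root
	roots.AddCert(root)
	withException := x509.NewCertPool() // trust store after the user accepts the intranet cert
	withException.AddCert(root)
	withException.AddCert(self)

	return map[string]string{
		"complete chain":             Classify(leaf, []*x509.Certificate{inter}, roots, "www.example.test"),
		"missing intermediate":       Classify(leaf, nil, roots, "www.example.test"),
		"self-signed":                Classify(self, nil, roots, "intranet.example.test"),
		"self-signed with exception": Classify(self, nil, withException, "intranet.example.test"),
	}
}

func main() {
	for name, result := range Scenarios() {
		fmt.Printf("%-28s -> %s\n", name, result)
	}
}
```

The "missing intermediate" case is the one SSL Labs reports as "Chain issues: Incomplete": the leaf is perfectly valid, but without the intermediate the verifier cannot build a path to a trusted root, which is why the fix belongs on the server, not in the browser. The exception case shows that accepting the risk is equivalent to extending the trust store by one certificate, which is exactly why it must never be done for a site whose certificate should already chain to a public CA.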
