X
Tap here to go to the mobile version of the site.

Support Forum

Firefox cannot open some sites (sec_error_unknown_issuer)

Posted

On a Windows 7 machine, I installed Firefox (40.0.3). When I try to open https://www.google.ch, I get the following error: sec_error_unknown_issuer. There is NO button "I understand the Risks" -- I cannot add an exception. Other sites, like youtube (using https) load without errors. I already deleted the cert8.db file, and the date and time of the machine are also correct.

On a Windows 7 machine, I installed Firefox (40.0.3). When I try to open https://www.google.ch, I get the following error: sec_error_unknown_issuer. There is NO button "I understand the Risks" -- I cannot add an exception. Other sites, like youtube (using https) load without errors. I already deleted the cert8.db file, and the date and time of the machine are also correct.

Additional System Details

Installed Plug-ins

  • Adobe PDF Plug-In For Firefox and Netscape 15.8.20082
  • Google Update
  • Intel web components for Intel® Identity Protection Technology
  • Intel web components updater - Installs and updates the Intel web components
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 11.60.2 for Mozilla browsers
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • NPWLPG
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Shockwave Flash 18.0 r0
  • 5.1.40728.0
  • VLC media player Web Plugin

Application

  • Firefox 40.0.3
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
  • Support URL: https://support.mozilla.org/1/firefox/40.0.3/WINNT/de/

Extensions

  • DigitalPersona Extension 5.0.0.5082 (otis@digitalpersona.com) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: Intel(R) HD Graphics
  • adapterDescription2:
  • adapterDeviceID: 0x0152
  • adapterDeviceID2:
  • adapterDrivers: igdumdim64 igd10iumd64 igd10iumd64 igdumdim32 igd10iumd32 igd10iumd32
  • adapterDrivers2:
  • adapterRAM: Unknown
  • adapterRAM2:
  • adapterSubsysID: 3397103c
  • adapterSubsysID2:
  • adapterVendorID: 0x8086
  • adapterVendorID2:
  • direct2DEnabled: True
  • directWriteEnabled: True
  • directWriteVersion: 6.2.9200.17461
  • driverDate: 5-16-2014
  • driverDate2:
  • driverVersion: 10.18.10.3621
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'direct2d 1.1', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'direct2d 1.1', u'AzureSkiaAccelerated': 0}
  • isGPU2Active: False
  • numAcceleratedWindows: 1
  • numTotalWindows: 1
  • supportsHardwareH264: True
  • webglRenderer: Google Inc. -- ANGLE (Intel(R) HD Graphics Direct3D11 vs_5_0 ps_5_0)
  • windowLayerManagerRemote: True
  • windowLayerManagerType: Direct3D 11

Modified Preferences

Misc

  • User JS: No
  • Accessibility: Yes
Chandan_Baba 35 solutions 369 answers

If no issuer chain was provided then certificate is not trusted then it throws an error like sec_error_unknown_issuer then see if you can install this intermediate certificate from another source. You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates. Click the link at the bottom of the error page: "I Understand the Risks" Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate". Click the "View..." button and inspect the certificate and check who is the issuer of the certificate. You can see more Details like intermediate certificates that are used in the Details pane. If "I Understand the Risks" is missing then this page may be opened in an (i)frame and in that case try the right-click context menu and use "This Frame: Open Frame in New Tab". Note that some firewalls monitor (secure) connections and that programs like Sendori or FiddlerRoot can intercept connections and send their own certificate instead of the website's certificate. Note that it is not recommended to add a permanent exception in cases like this, so only use it to inspect the certificate.

If no issuer chain was provided then certificate is not trusted then it throws an error like '''sec_error_unknown_issuer''' then see if you can install this intermediate certificate from another source. You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates. Click the link at the bottom of the error page: "I Understand the Risks" Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate". Click the "View..." button and inspect the certificate and check who is the issuer of the certificate. You can see more Details like intermediate certificates that are used in the Details pane. If "I Understand the Risks" is missing then this page may be opened in an (i)frame and in that case try the right-click context menu and use "This Frame: Open Frame in New Tab". Note that some firewalls monitor (secure) connections and that programs like Sendori or FiddlerRoot can intercept connections and send their own certificate instead of the website's certificate. Note that it is not recommended to add a permanent exception in cases like this, so only use it to inspect the certificate.
cor-el
  • Top 10 Contributor
  • Moderator
17346 solutions 156791 answers
If you have Avast then try to disable HTTPS scanning in Avast Web Shield. *http://www.ghacks.net/2014/10/31/avasts-https-scanning-interferes-with-firefox-and-other-programs/ *https://forum.avast.com/index.php?topic=176073.0

Question owner

Thanks a lot for your replies. No, there is AVG installed. I also tried to load google using a different machine (running Ubuntu, without antivirus software). I found that this issue also arises there. Further, it is independent of the browser (Chrome and IE also complain about the certificate). Any idea of how to fix this?

Thanks a lot for your replies. No, there is AVG installed. I also tried to load google using a different machine (running Ubuntu, without antivirus software). I found that this issue also arises there. Further, it is independent of the browser (Chrome and IE also complain about the certificate). Any idea of how to fix this?
cor-el
  • Top 10 Contributor
  • Moderator
17346 solutions 156791 answers

Who is the issuer of the certificate?

If you can't inspect the certificate via "I Understand the Risks" then try this:

Open the "Add Security Exception" window by pasting this chrome URL in the Firefox location/address bar and check the certificate:

  • chrome://pippki/content/exceptionDialog.xul

In the location field of this window type or paste the URL of the website.

  • retrieve the certificate via the "Get certificate" button
  • click the "View..." button to inspect the certificate in the Certificate Viewer

You can inspect details like the issuer and the certificate chain in the Details tab of the Certificate Viewer. Check who is the issuer of the certificate. If necessary then you can attach a screenshot that shows the certificate viewer.

Who is the issuer of the certificate? If you can't inspect the certificate via "I Understand the Risks" then try this: Open the "Add Security Exception" window by pasting this chrome URL in the Firefox location/address bar and check the certificate: *chrome://pippki/content/exceptionDialog.xul In the location field of this window type or paste the URL of the website. *retrieve the certificate via the "Get certificate" button *click the "View..." button to inspect the certificate in the Certificate Viewer You can inspect details like the issuer and the certificate chain in the Details tab of the Certificate Viewer. Check who is the issuer of the certificate. If necessary then you can attach a screenshot that shows the certificate viewer.
jscher2000
  • Top 10 Contributor
8580 solutions 70167 answers

For me, google.ch uses the same certificate as google.com and youtube.com (for efficiency, Google created a certificate that applies to dozens of domains). You said you can access YouTube. Can you access google.com?

Since this problem affects all browsers, you might have an easier time checking the Issuer and Certificate Hierarchy/Path information in Chrome or IE than in Firefox. Click the slashed-padlock on the address bar, then click the Connection mini-tab, then Certificate Information. What do you find there? I have attached what I see for comparison.

For me, google.ch uses the same certificate as google.com ''and'' youtube.com (for efficiency, Google created a certificate that applies to dozens of domains). You said you can access YouTube. Can you access google.com? Since this problem affects all browsers, you might have an easier time checking the Issuer and Certificate Hierarchy/Path information in Chrome or IE than in Firefox. Click the slashed-padlock on the address bar, then click the Connection mini-tab, then Certificate Information. What do you find there? I have attached what I see for comparison.
Anticisco Freeman 5 solutions 49 answers

On a Windows 8 machine, I updated Firefox to 43.0.1. When I try to open https://google.com (mail.google.com), I get the following error: sec_error_unknown_issuer. There is NO button "I understand the Risks". Other sites: youtube (using https) load without errors. I already deleted the cert8.db file, and the date and time of the machine are also correct. In IE-browser google.com load without errors. Added certificate google.com/mail.google.com: "Add Exception" -> "Get Certificate" - error :( What me do?

On a Windows 8 machine, I updated Firefox to 43.0.1. When I try to open https://google.com (mail.google.com), I get the following error: sec_error_unknown_issuer. There is NO button "I understand the Risks". Other sites: youtube (using https) load without errors. I already deleted the cert8.db file, and the date and time of the machine are also correct. In IE-browser google.com load without errors. Added certificate google.com/mail.google.com: "Add Exception" -> "Get Certificate" - error :( What me do?

Modified by Anticisco Freeman

cor-el
  • Top 10 Contributor
  • Moderator
17346 solutions 156791 answers

Hi Anticisco

There is security software like Avast and Kaspersky and BitDefender and ESET that intercepts secure connections and sends their own certificate or that incorporates special web shielding features that can block content.

If you can't inspect the certificate via "I Understand the Risks" then try this:

Open the "Add Security Exception" window by pasting this chrome URL in the Firefox location/address bar and check the certificate:

  • chrome://pippki/content/exceptionDialog.xul

In the location field of this window type or paste the URL of the website.

  • retrieve the certificate via the "Get certificate" button
  • click the "View..." button to inspect the certificate in the Certificate Viewer

You can inspect details like the issuer and the certificate chain in the Details tab of the Certificate Viewer. Check who is the issuer of the certificate. If necessary then you can attach a screenshot that shows the certificate viewer.

Hi Anticisco There is security software like Avast and Kaspersky and BitDefender and ESET that intercepts secure connections and sends their own certificate or that incorporates special web shielding features that can block content. If you can't inspect the certificate via "I Understand the Risks" then try this: Open the "Add Security Exception" window by pasting this chrome URL in the Firefox location/address bar and check the certificate: *chrome://pippki/content/exceptionDialog.xul In the location field of this window type or paste the URL of the website. *retrieve the certificate via the "Get certificate" button *click the "View..." button to inspect the certificate in the Certificate Viewer You can inspect details like the issuer and the certificate chain in the Details tab of the Certificate Viewer. Check who is the issuer of the certificate. If necessary then you can attach a screenshot that shows the certificate viewer.
Anticisco Freeman 5 solutions 49 answers

cor-el, Antivirus: System Center 2012 EndPoint Protection. Unfortunately, the test certificate Mozilla has not been able to finish (30 minutes working). However, in the "Server" present certificates mail.google.com / google.com before date of 04.14.2016 certificate mail.google.com

cor-el, Antivirus: System Center 2012 EndPoint Protection. Unfortunately, the test certificate Mozilla has not been able to finish (30 minutes working). However, in the "Server" present certificates mail.google.com / google.com before date of 04.14.2016 [http://rghost.ru/7Rff98Jb7 certificate mail.google.com]
cor-el
  • Top 10 Contributor
  • Moderator
17346 solutions 156791 answers

Helpful Reply

You need to paste the URL of the website (https://www.google.com) that you want to check in the location filed of the "Add Security Exception" window (chrome://pippki/content/exceptionDialog.xul window). Your first screenshot shows that you already opened this page and paste the chrome URL another time.

You need to paste the URL of the website (https://www.google.com) that you want to check in the location filed of the "Add Security Exception" window (chrome://pippki/content/exceptionDialog.xul window). Your first screenshot shows that you already opened this page and paste the chrome URL another time.
Anticisco Freeman 5 solutions 49 answers

Signature Algorithm Certificate: PKCS # 1 SHA1 With RSA Encryption Issuing Centre: CN = Generic Root CA | C = EN The main limitations of the certificate: Not a CA.

Even after manual installation of the certificate, an error:

  • sec_error_cert_signature_algorithm_disabled

(SHA1 oldest algorithm - info from patchnotes MF) The problem was solved after reinstalling the browser to 43.0.4 Thanks for answers %)

Signature Algorithm Certificate: PKCS # 1 SHA1 With RSA Encryption Issuing Centre: CN = Generic Root CA | C = EN The main limitations of the certificate: Not a CA. Even after manual installation of the certificate, an error: * sec_error_cert_signature_algorithm_disabled (SHA1 oldest algorithm - info from patchnotes MF) The problem was solved after reinstalling the browser to 43.0.4 Thanks for answers %)

Modified by Anticisco Freeman

cor-el
  • Top 10 Contributor
  • Moderator
17346 solutions 156791 answers

The certificate is not issued by Google as would normally be the case, but is issued by Generic Root CA. So you possibly use a proxy or you have software installed that intercepts this secure connection and sends the Generic Root CA instead to Firefox. A Google search for Generic Root CA doesn't come up with something useful, so I don't know what software or malware this is about.

Boot the computer in Windows Safe Mode with network support (press F8 on the boot screen) to see if that helps.

You can use the MSConfig program or the Autoruns utility to see what software is getting started (be cautious with disabling services).


Do a malware check with several malware scanning programs on the Windows computer.

Please scan with all programs because each program detects different malware. All these programs have free versions.

Make sure that you update each program to get the latest version of their databases before doing a scan.

You can also do a check for a rootkit infection with TDSSKiller.

See also:

The certificate is not issued by Google as would normally be the case, but is issued by Generic Root CA. So you possibly use a proxy or you have software installed that intercepts this secure connection and sends the Generic Root CA instead to Firefox. A Google search for Generic Root CA doesn't come up with something useful, so I don't know what software or malware this is about. Boot the computer in Windows Safe Mode with network support (press F8 on the boot screen) to see if that helps. *http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/ *http://www.7tutorials.com/4-ways-boot-safe-mode-windows-10 You can use the MSConfig program or the Autoruns utility to see what software is getting started (be cautious with disabling services). *http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx ---- Do a malware check with several malware scanning programs on the Windows computer. *https://support.mozilla.org/kb/troubleshoot-firefox-issues-caused-malware Please scan with all programs because each program detects different malware. All these programs have free versions. Make sure that you update each program to get the latest version of their databases before doing a scan. *Malwarebytes' Anti-Malware:<br>http://www.malwarebytes.org/mbam.php *AdwCleaner:<br>http://www.bleepingcomputer.com/download/adwcleaner/<br>http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml *SuperAntispyware:<br>http://www.superantispyware.com/ *Microsoft Safety Scanner:<br>http://www.microsoft.com/security/scanner/en-us/default.aspx *Windows Defender:<br>http://windows.microsoft.com/en-us/windows/using-defender *Spybot Search & Destroy:<br>http://www.safer-networking.org/en/index.html *Kasperky Free Security Scan:<br>http://www.kaspersky.com/security-scan You can also do a check for a rootkit infection with TDSSKiller. *Anti-rootkit utility TDSSKiller:<br>http://support.kaspersky.com/5350?el=88446 See also: *"Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked