Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Error code: SEC_ERROR_UNKNOWN_ISSUER and no add exception

  • 4 replies
  • 11 have this problem
  • 33 views
  • Last reply by cor-el

more options

Certificate chain is listed as follows:

https://www.google.com/ncr Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: true Certificate chain: -----BEGIN CERTIFICATE----- MIIC6jCCAlOgAwIBAgIIagtY0vGNFK8wDQYJKoZIhvcNAQELBQAwgecxCzAJBgNV BAYTAlVTMRcwFQYDVQQIEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UEBxMWVmVyaVNp Z24gVHJ1c3QgTmV0d29yazE1MDMGA1UEChMsVGVybXMgb2YgdXNlIGF0IGh0dHBz Oi8vd3d3LnZlcmlzaWduLmNvbS9ycGExNTAzBgNVBAsTLFRlcm1zIG9mIHVzZSBh dCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMTAwLgYDVQQDEydWZXJpU2ln biBDbGFzcyAxIEV4dGVuZGVkIFZhbGlkYXRpb24gQ0EwHhcNMTcwNTMxMTY1NzIz WhcNMTcwODIzMTYzMjAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZv cm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIElu YzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A MIGJAoGBAMXfrW3+jDZUkrk902UQ1Ccugib11kDdy9d+Ahn7AI1/RhRaQQT4d8oW 5N4Hbakxsi5M33u/1mGMSmn6MVbr/f4V5VoCGIUGzbVyLb6Ju6BJvgln/nJ5A6Va HWaUz6D8Mv2rk07c+o2nWy1MtNhZMO0Mj77YXLEAUsOmE0g7lwsdAgMBAAGjHTAb MBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBAHv2 Z0PTJ0QfWoec9h0IC4oIDcvxK94EyjUY3zTgAh2yy6WGByf0iqBHtZT/r2gKPSZS JTLrjYZZIx7Mrf+rhMDgVrryvlfn/ALhVJ1GmX31nnGtNymCalTSyhLXJ7gUPcsV igf5Xz/Hya+77K/XW7VwVtBznWw8aTZZZThXERaL -----END CERTIFICATE-----

All Replies (4)

more options

I feel this problem is caused by the high-version firefox, the version I used is 53.0.3 (64-bit). But anybody knows how to solve the problem ?

BTW, it may be also caused by the operate system. I use Ubuntu 16.04 (64 bit)

Modified by hmcao_novae

more options

That certificate is a Google certificate issued VeriSign. It does have a short validation range of only a few months. Are you using some proxy or VPN?

Issuer 	CN = VeriSign Class 1 Extended Validation CA,OU = Terms of use at https://www.verisign.com/rpa,O = Terms of use at https://www.verisign.com/rpa,L = VeriSign Trust Network,ST = VeriSign\, Inc.,C = US
Subject 	CN = www.google.com,O = Google Inc,L = Mountain View,ST = California,C = US
Valid From 	31 May 2017, 4:57 p.m.
Valid To 	23 Aug 2017, 4:32 p.m.

I get a certificate chain that ends in a GeoTrust built-in root certificate when I open this Google NCR page.


Try to rename the cert8.db file (cert8.db.old) and delete cert_override.txt in the Firefox profile folder to remove intermediate certificates and exceptions that Firefox has stored.

If that has helped to solve the problem then you can remove the renamed cert8.db.old file.

Firefox will store intermediate certificates that a server sends in the Certificate Manager for future use.

more options

cor-el said

That certificate is a Google certificate issued VeriSign. It does have a short validation range of only a few months. Are you using some proxy or VPN?
Issuer 	CN = VeriSign Class 1 Extended Validation CA,OU = Terms of use at https://www.verisign.com/rpa,O = Terms of use at https://www.verisign.com/rpa,L = VeriSign Trust Network,ST = VeriSign\, Inc.,C = US
Subject 	CN = www.google.com,O = Google Inc,L = Mountain View,ST = California,C = US
Valid From 	31 May 2017, 4:57 p.m.
Valid To 	23 Aug 2017, 4:32 p.m.

I get a certificate chain that ends in a GeoTrust built-in root certificate when I open this Google NCR page.


Try to rename the cert8.db file (cert8.db.old) and delete cert_override.txt in the Firefox profile folder to remove intermediate certificates and exceptions that Firefox has stored.

If that has helped to solve the problem then you can remove the renamed cert8.db.old file.

Firefox will store intermediate certificates that a server sends in the Certificate Manager for future use.

I am using proxy, not VPN. I just did as what you suggested, but it is still not working. the certificate chain of this time is listed as follows: https://www.google.com/ncr Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: true Certificate chain: -----BEGIN CERTIFICATE----- MIIC6jCCAlOgAwIBAgIIagtY0vGNFK8wDQYJKoZIhvcNAQELBQAwgecxCzAJBgNV BAYTAlVTMRcwFQYDVQQIEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UEBxMWVmVyaVNp Z24gVHJ1c3QgTmV0d29yazE1MDMGA1UEChMsVGVybXMgb2YgdXNlIGF0IGh0dHBz Oi8vd3d3LnZlcmlzaWduLmNvbS9ycGExNTAzBgNVBAsTLFRlcm1zIG9mIHVzZSBh dCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMTAwLgYDVQQDEydWZXJpU2ln biBDbGFzcyAxIEV4dGVuZGVkIFZhbGlkYXRpb24gQ0EwHhcNMTcwNTMxMTY1NzIz WhcNMTcwODIzMTYzMjAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZv cm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIElu YzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A MIGJAoGBAMXfrW3+jDZUkrk902UQ1Ccugib11kDdy9d+Ahn7AI1/RhRaQQT4d8oW 5N4Hbakxsi5M33u/1mGMSmn6MVbr/f4V5VoCGIUGzbVyLb6Ju6BJvgln/nJ5A6Va HWaUz6D8Mv2rk07c+o2nWy1MtNhZMO0Mj77YXLEAUsOmE0g7lwsdAgMBAAGjHTAb MBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMA0GCSqGSIb3DQEBCwUAA4GBAHv2 Z0PTJ0QfWoec9h0IC4oIDcvxK94EyjUY3zTgAh2yy6WGByf0iqBHtZT/r2gKPSZS JTLrjYZZIx7Mrf+rhMDgVrryvlfn/ALhVJ1GmX31nnGtNymCalTSyhLXJ7gUPcsV igf5Xz/Hya+77K/XW7VwVtBznWw8aTZZZThXERaL -----END CERTIFICATE-----

Modified by hmcao_novae

more options

This looks like the same certificate like you posted above. What looks weird to me is the limited range of valid before and after of the google certificate. You wouldn't expect a website to renew the certificate every view months.

Do you get this certificate error with every Google website?

If not then you can compare the certificate with one that works.

You can decode the certificate on a website like this: