I get an SSL_ERROR_BAD_CERT_DOMAIN error on Google. When I click advanced it says the cert is for *.facebook.com, a completely different site. What's happening?
As titled, I get an SSL_ERROR_BAD_CERT_DOMAIN error whenever I try and access google.com, either through the address bar typing in a search query, or when I type google.com etc. Here is the full error message:
www.google.com uses an invalid security certificate. The certificate is only valid for the following names: *.facebook.com, *.xx.fbcdn.net, *.fbsbx.com, *.xz.fbcdn.net, *.facebook.net, *.xy.fbcdn.net, *.messenger.com, fb.com, *.fbcdn.net, *.fb.com, *.m.facebook.com, messenger.com, facebook.com Error code: SSL_ERROR_BAD_CERT_DOMAIN
I have disabled SSL scanning on my antivirus, my clock is correct (it is synced to time.microsoft.com online), and I have tried deleting my cert9.db file in case it is corrupt. It's still happening, as recent as a few moments ago.
All Replies (11)
That is really strange. Is Google the only site that is affected?
Are you using a public internet access point? If so, try going to an insecure address like http://example.com/ to see whether the hotspot is somehow linked to Facebook and you need to sign in to use the internet. I'm not sure I would trust that, actually.
jscher2000 said
That is really strange. Is Google the only site that is affected? Are you using a public internet access point? If so, try going to an insecure address like http://example.com/ to see whether the hotspot is somehow linked to Facebook and you need to sign in to use the internet. I'm not sure I would trust that, actually.
No, this is the router in my home. I'm in the UK, so there's no funny content blocking or anything on the ISP side either.
And yes, Google is the only site affected. I've been forced to use bing whenever it happens (the problem is intermittent).
Modified by mikeocd
Does it mention the issuer of the certificate?
Can you provide more detail about the issuer of the certificate?
- click the "Advanced" button show more detail
- click the blue SEC_ERROR_UNKNOWN_ISSUER message to show the certificate chain
- click "Copy text to clipboard" and paste the base64 certificate chain text in a reply
If clicking the SEC_ERROR_UNKNOWN_ISSUER text doesn't provide the certificate chain then try these steps to inspect the certificate.
- open the Server tab in the Certificate Manager
- Options/Preferences -> Privacy & Security -> Certificates: View Certificates -> Servers: "Add Exception"
- paste the URL of the website (https://xxx.xxx) in it's Location field.
Let Firefox retrieve the certificate -> "Get Certificate"
- click the "View" button and inspect the certificate
You can see detail like the issuer of the certificate and intermediate certificates in the Details tab.
I hate to sound like an old episode of The IT Crowd, but have you tried turning the router off and on again?
cor-el said
[snip] SEC_ERROR_UNKNOWN_ISSUER
I'll have to wait until it happens again (it's working now), but to be clear, this problem does not produce a SEC_ERROR_UNKNOWN_ISSUER message.
jscher2000 said
I hate to sound like an old episode of The IT Crowd, but have you tried turning the router off and on again?
Many times, yes
Modified by mikeocd
Hi I do not think you mentioned the name of your A/V program or Firewall : There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connections and send their own certificate.
- https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
- https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
- https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
- https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
- http://kb.mozillazine.org/Error_loading_websites
Please let us know if this solved your issue or if need further assistance.
Pkshadow said
Hi I do not think you mentioned the name of your A/V program or Firewall : There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connections and send their own certificate.Please let us know if this solved your issue or if need further assistance.
- https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
- https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
- https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
- https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
- http://kb.mozillazine.org/Error_loading_websites
Thanks for your response — I use Bitdefender, but, as I said in the original post, SSL scanning is off, so this shouldn't be an issue.
Furthermore, it's only google.com where this issue occurs, and I strongly doubt it'd throw up errors for Facebook if it was my antivirus.
You can do a malware scan just to be sure.
cor-el said
Does it mention the issuer of the certificate? Can you provide more detail about the issuer of the certificate?If clicking the SEC_ERROR_UNKNOWN_ISSUER text doesn't provide the certificate chain then try these steps to inspect the certificate.
- click the "Advanced" button show more detail
- click the blue SEC_ERROR_UNKNOWN_ISSUER message to show the certificate chain
- click "Copy text to clipboard" and paste the base64 certificate chain text in a reply
Let Firefox retrieve the certificate -> "Get Certificate"
- open the Server tab in the Certificate Manager
- Options/Preferences -> Privacy & Security -> Certificates: View Certificates -> Servers: "Add Exception"
- paste the URL of the website (https://xxx.xxx) in it's Location field.
You can see detail like the issuer of the certificate and intermediate certificates in the Details tab.
- click the "View" button and inspect the certificate
This error went away for a while, but it's back now. I haven't changed anything, either. Quick note: I cannot do the add exception thing as Firefox says it cannot connect. Later on, when I tried to do it again, it said that it provided a valid certificate and google worked again.
I can, at least, paste the certificate details from when the error showed up as directed in the above post, however. If anyone can make sense of the below, I'd appreciate it!:
Unable to communicate securely with peer: requested domain name does not match the server's certificate.
HTTP Strict Transport Security: true HTTP Public Key Pinning: true
Certificate chain:
BEGIN CERTIFICATE-----
MIIGsjCCBZqgAwIBAgIQCzw7YBoY9Z7itrsFYF7ywDANBgkqhkiG9w0BAQsFADBw MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz dXJhbmNlIFNlcnZlciBDQTAeFw0xNzEyMTUwMDAwMDBaFw0xOTAzMjIxMjAwMDBa MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwpN ZW5sbyBQYXJrMRcwFQYDVQQKEw5GYWNlYm9vaywgSW5jLjEXMBUGA1UEAwwOKi5m YWNlYm9vay5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASIA87IjqqM6JBX puN20BXCVsDjoP9wnF2rSV60qC130oLTrgfOQ3Uk1dv1R6LFCx4gs2pJUu6iDKBS /b+BXOUbo4IEGDCCBBQwHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjsw HQYDVR0OBBYEFMD9dPV9y8Yn8QPTYqJF14QcFSEIMIHHBgNVHREEgb8wgbyCDiou ZmFjZWJvb2suY29tgg4qLnh4LmZiY2RuLm5ldIILKi5mYnNieC5jb22CDioueHou ZmJjZG4ubmV0gg4qLmZhY2Vib29rLm5ldIIOKi54eS5mYmNkbi5uZXSCDyoubWVz c2VuZ2VyLmNvbYIGZmIuY29tggsqLmZiY2RuLm5ldIIIKi5mYi5jb22CECoubS5m YWNlYm9vay5jb22CDW1lc3Nlbmdlci5jb22CDGZhY2Vib29rLmNvbTAOBgNVHQ8B Af8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1UdHwRu MGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZl ci1nNi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWhh LXNlcnZlci1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEF BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwgYMG CCsGAQUFBwEBBHcwdTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu Y29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln aUNlcnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAA MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWY BPkb37jjd80OyA3cEAAAAWBXnEHoAAAEAwBHMEUCIBC3Rn4i2bhLyR344u3vl7be vxoi+WPJBhGT+j1gJmg5AiEAwQ3rzH1mmMSYNYKtVNDZMo+l6e8Z35t+X9NDR7Du gWAAdwCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWBXnEL7AAAE AwBIMEYCIQCRjvvPARW3J1ENmo2Nz1cxisa1BcbDuqvSrfuXkz8btAIhAPmllqgF 8JjlVHUChiFzghsKVBeTxRagi55tgsAciaoZAHUAu9nfvB+KcbWTlCOXqpJ7RzhX lQqrUugakJZkNo4e0YUAAAFgV5xCUgAABAMARjBEAiBY6qdNgMoQAqVTl3zRrTmy +X/1f/esBUczsb3MWdZ1ZgIgXdxZNTrDBgyTzxgbVRObkqU3tZZdaiwsw4WI0xI0 BtQwDQYJKoZIhvcNAQELBQADggEBAGu0uxZD+IRXXlFWLPvknRkXA7J08NyVKG70 M2vDi2xF2YB8qlZgoxW8YiiV86IpwtOhYLZinSO0iCBDQmTf627LTPfuDcF6qOuO WFTvj1IbplPvGWIu5tNBiFWNQxFAIL2Rf+5vmIe+YezUHTLGGqwRtFa2ImS17IMk YjZ90LYXXO5qb1RKkFJtAvEBTbJsv8kr+J6Rx+YNJy17LnBX+MbWiyBbvUQoM3sY MmcWmcaQmECz9ZHWYjZeufSHbHKG6KDYLU8x6DyhgtxK2rsoIMlNnJkNHaLjw+b8 7VCYa+EMWppvVuNyXOk9Jkbx7Q3SEoodT77kkHUX0bF2OkZy6cc=
END CERTIFICATE-----
BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2 4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1 itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn 4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly /D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF 0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae cPUeybQ=
END CERTIFICATE-----
Facebook cert again. How is that happening?
Can you connect in a private window? That should bypass page and DNS caches used in normal windows. However most add-ons still run in private windows and proxy settings would still apply.
Speaking of which, you can check that here:
- Windows: "3-bar" menu button (or Tools menu) > Options
- Mac: "3-bar" menu button (or Firefox menu) > Preferences
- Linux: "3-bar" menu button (or Edit menu) > Preferences
- Any system: type or paste about:preferences into the address bar and press Enter/Return to load it
In the search box at the top of the page, type proxy and Firefox should filter to the "Settings" button, which you can click.
The default of "Use system proxy settings" piggybacks on your Windows/IE "LAN" setting. "Auto-detect" can lead to a flaky connection. You may want to try "No proxy".
Any difference?
Try to rename/remove cert9.db and cert8.db in the Firefox profile folder with Firefox closed.
You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.
- Help -> Troubleshooting Information -> Profile Directory:
Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder - http://kb.mozillazine.org/Profile_folder_-_Firefox