X
Tap here to go to the mobile version of the site.

Support Forum

Error code: SEC_ERROR_UNKNOWN_ISSUER

Posted

Good morning,

I have Firefox 63.0 (64-bit) for ArchLinux. The main article on the firefox website says:

MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED will be the primary error but with some servers, you may see the error code SEC_ERROR_UNKNOWN_ISSUER instead. In any case, if you come across such a site you should contact the owner of the website to inform them of that problem. We strongly encourage operators of affected sites to take immediate action to replace these certificates.

However the websites that I am having this issue on are large websites like LinkedIn and Reddit, so I'm fairly certain it isn't an issue on the websites side.1

Good morning, I have Firefox 63.0 (64-bit) for ArchLinux. The main article on the firefox website says: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED will be the primary error but with some servers, you may see the error code SEC_ERROR_UNKNOWN_ISSUER instead. In any case, if you come across such a site you should contact the owner of the website to inform them of that problem. We strongly encourage operators of affected sites to take immediate action to replace these certificates. However the websites that I am having this issue on are large websites like LinkedIn and Reddit, so I'm fairly certain it isn't an issue on the websites side.1
jscher2000
  • Top 10 Contributor
8586 solutions 70240 answers

Hi jtiki, which error code(s) are you getting? The two you mentioned usually have quite different causes. If Firefox doesn't display the error code immediately, click the "Advanced" button to view more details.

And jumping ahead a bit: How to troubleshoot security error codes on secure websites

Hi jtiki, which error code(s) are you getting? The two you mentioned usually have quite different causes. If Firefox doesn't display the error code immediately, click the "Advanced" button to view more details. And jumping ahead a bit: [[How to troubleshoot security error codes on secure websites]]

Question owner

jscher2000 said

Hi jtiki, which error code(s) are you getting? The two you mentioned usually have quite different causes. If Firefox doesn't display the error code immediately, click the "Advanced" button to view more details. And jumping ahead a bit: How to troubleshoot security error codes on secure websites


The issue/error is the same for both sites:

www.reddit.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

I disabled all of my add-ons and restarted the browser too, just to be certain that those were not causing any issues.

''jscher2000 [[#answer-1168157|said]]'' <blockquote> Hi jtiki, which error code(s) are you getting? The two you mentioned usually have quite different causes. If Firefox doesn't display the error code immediately, click the "Advanced" button to view more details. And jumping ahead a bit: [[How to troubleshoot security error codes on secure websites]] </blockquote> The issue/error is the same for both sites: www.reddit.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER I disabled all of my add-ons and restarted the browser too, just to be certain that those were not causing any issues.
jscher2000
  • Top 10 Contributor
8586 solutions 70240 answers

A common reason for that code is a "man in the middle" such as security software or a proxy server. The man in the middle needs to generate fake website certificates in order to decrypt and read your browsing requests/responses. The article I linked earlier mentions some of the common products that cause this issue. I don't know how applicable it is to Linux.

You also can usually gain some insight by examining the certificate that Firefox doesn't trust. Click the SEC_ERROR_UNKNOWN_ISSUER -- it's usually styled as a link -- to open a panel showing the coded certificate (large block of gibberish). You can use a site like the following to decode it and view the "Issuer" information, which often points to the culprit.

https://certlogik.com/decoder/

A common reason for that code is a "man in the middle" such as security software or a proxy server. The man in the middle needs to generate fake website certificates in order to decrypt and read your browsing requests/responses. The article I linked earlier mentions some of the common products that cause this issue. I don't know how applicable it is to Linux. You also can usually gain some insight by examining the certificate that Firefox doesn't trust. Click the SEC_ERROR_UNKNOWN_ISSUER -- it's usually styled as a link -- to open a panel showing the coded certificate (large block of gibberish). You can use a site like the following to decode it and view the "Issuer" information, which often points to the culprit. https://certlogik.com/decoder/

Question owner

I plugged the cert information into the website you linked and attached some screenshots. It looks the like certificate is valid as far as I can tell, the one thing I did notice is that each certs are issued by "CN = DigiCert SHA2 Secure Server CA,O = DigiCert Inc,C = US". DigitCert is a well known and trusted cert company too if I recall, so I don't think it's that.

As far as software goes I don't believe anything is getting in the way. I turned off my firewall temporarily to make sure it wasn't that and I don't use any other software like proxy, etc.

I plugged the cert information into the website you linked and attached some screenshots. It looks the like certificate is valid as far as I can tell, the one thing I did notice is that each certs are issued by "CN = DigiCert SHA2 Secure Server CA,O = DigiCert Inc,C = US". DigitCert is a well known and trusted cert company too if I recall, so I don't think it's that. As far as software goes I don't believe anything is getting in the way. I turned off my firewall temporarily to make sure it wasn't that and I don't use any other software like proxy, etc.
cor-el
  • Top 10 Contributor
  • Moderator
17352 solutions 156833 answers

Try to rename cert9.db (cert9OLD.db) and cert8.db (cert8OLD.db) when present in the Firefox profile folder.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

Try to rename cert9.db (cert9OLD.db) and cert8.db (cert8OLD.db) when present in the Firefox profile folder. You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the <b>about:profiles</b> page. *Help -> Troubleshooting Information -> Profile Directory:<br>Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder *http://kb.mozillazine.org/Profile_folder_-_Firefox

Modified by cor-el

Question owner

Alright I found the directory mentioned in this location /home/{user}/.mozilla/firefox/hpbvc9b8.default

I was able to find cert9.db and rename it, but couldn't find any cert8.db. I made sure to check every folder under ~/.mozilla/firefox/ for core8.db, but nothing came up. I restarted the browser and attempted to go to https://www.linkedin.com/ with no change.

Alright I found the directory mentioned in this location /home/{user}/.mozilla/firefox/hpbvc9b8.default I was able to find cert9.db and rename it, but couldn't find any cert8.db. I made sure to check every folder under ~/.mozilla/firefox/ for core8.db, but nothing came up. I restarted the browser and attempted to go to https://www.linkedin.com/ with no change.
cor-el
  • Top 10 Contributor
  • Moderator
17352 solutions 156833 answers

MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED can mean that Firefox detects a certificate that has been compromised and is disabled. This shouldn't happen with respected websites like reddit

certificate-issued-by-a-authority-belonging-to-symantec

You can check the connection settings.

  • Options/Preferences -> General -> Network: Connection -> Settings

If you do not need to use a proxy to connect to internet then try to select "No Proxy" if "Use the system proxy settings" or one of the others do not work properly.

See "Firefox connection settings":


You can check if there is more detail available about the issuer of the certificate.

  • click the "Advanced" button show more detail
  • click the blue error text to show the certificate chain
  • click "Copy text to clipboard" and paste the base64 certificate chain text in a reply

If clicking the blue error text doesn't provide the certificate chain then try these steps to inspect the certificate.

  • open the Servers tab in the Certificate Manager
    • Options/Preferences -> Privacy & Security
      Certificates: View Certificates -> Servers: "Add Exception"
  • paste the URL of the website (https://xxx.xxx) in it's Location field

Let Firefox retrieve the certificate -> "Get Certificate"

  • click the "View" button and inspect the certificate

You can see detail like the issuer of the certificate and intermediate certificates in the Details tab.

MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED can mean that Firefox detects a certificate that has been compromised and is disabled. This shouldn't happen with respected websites like reddit *https://wiki.mozilla.org/CA/Upcoming_Distrust_Actions certificate-issued-by-a-authority-belonging-to-symantec *https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER You can check the connection settings. *Options/Preferences -> General -> Network: Connection -> Settings If you do not need to use a proxy to connect to internet then try to select "No Proxy" if "Use the system proxy settings" or one of the others do not work properly. See "Firefox connection settings": *https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can ---- You can check if there is more detail available about the issuer of the certificate. *click the "Advanced" button show more detail *click the blue error text to show the certificate chain *click "Copy text to clipboard" and paste the base64 certificate chain text in a reply If clicking the blue error text doesn't provide the certificate chain then try these steps to inspect the certificate. *open the Servers tab in the Certificate Manager **Options/Preferences -> Privacy & Security<br>Certificates: View Certificates -> Servers: "Add Exception" *paste the URL of the website (https://xxx.xxx) in it's Location field Let Firefox retrieve the certificate -> "Get Certificate" *click the "View" button and inspect the certificate You can see detail like the issuer of the certificate and intermediate certificates in the Details tab.

Question owner

Reddit


https://www.reddit.com/

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: true HTTP Public Key Pinning: false

Certificate chain:


BEGIN CERTIFICATE-----

MIIHQzCCBiugAwIBAgIQB1sC352kFlEvZM5wcfyMBzANBgkqhkiG9w0BAQsFADBN MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwODE3MDAwMDAwWhcN MjAwOTAyMTIwMDAwWjBnMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEUMBIGA1UEChMLUmVkZGl0IEluYy4x FTATBgNVBAMMDCoucmVkZGl0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAM/pmlSjpBriKS1FgXKzqItMziu7otc9nmls8zLRaKwDHRpwVfiGWkLc kOfvhn79U2zqwDilJ7TKepbjXgpa7mUgs5bX5DqZPXhyfV1hFD66RRQi2wVbvdbJ dBGL3VrKZVJRIIpTtc3Q169FIslNKbc9eGq1nwO/REhI5dxDCHAoHwLpp+XfbjkB JGzlgKIBdBHed67KFVUKFvh1RVanVJUNG6IkAXXnPZSigwfA2wBH3QguOc1YxswP B4cOH5sdZeAJQ6j9rSxNqjZthoV43La5nsVYxRtreJ8ooV5ZX/dsL7BBBkWfF/ac VSU3f7X7XiFz23vruQyBNQKT2HKXwgcCAwEAAaOCBAMwggP/MB8GA1UdIwQYMBaA FA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBRx4FDR54BS+yMUZZ1Dp40x qlZpJjCBxAYDVR0RBIG8MIG5ggwqLnJlZGRpdC5jb22CCnJlZGRpdC5jb22CESou cmVkZGl0bWVkaWEuY29tgg9yZWRkaXRtZWRpYS5jb22CCSoucmVkZC5pdIIHcmVk ZC5pdIIUd3d3LnJlZGRpdHN0YXRpYy5jb22CE2kucmVkZGl0dXBsb2Fkcy5jb22C GCoudGh1bWJzLnJlZGRpdG1lZGlhLmNvbYIRd3d3LnJlZGRpdGluYy5jb22CDXJl ZGRpdGluYy5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB BggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2Vy dC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNl cnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEw KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZn gQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5k aWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0 LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIw ADCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHUApLkJkLQYWBSHuxOizGdwCjw1 mAT5G9+443fNDsgN3BAAAAFlRULTsAAABAMARjBEAiBcrugEb8o8AymzIh0fUN/F 0i9SHl/xCQnCIMbXoSd+rwIgVwN50xsjJVuBP7cVxR5oSlj2USU3KVkZoAq+PIwM HucAdgCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWVFQtSDAAAE AwBHMEUCIGo9XmyFN5b38sdORa5NThm594MGPYK4se987nB8WsvPAiEA8Imvn9QF 63D4vIwY8d+aticvw2dbwHdoZFpCj96yRn8AdwC72d+8H4pxtZOUI5eqkntHOFeV CqtS6BqQlmQ2jh7RhQAAAWVFQtSGAAAEAwBIMEYCIQCH+S3U0ac6/F5Bsc5xyHpO +UTpgz8DKiJSCfaObn3u5wIhANl9+8L/zSfwf7KPUhdPWfNnkMUFaFgRY1/HdOej 6a4UMA0GCSqGSIb3DQEBCwUAA4IBAQC9OsE5bjOOvx0VowfFacujFxU1kYDikX90 BH106XP7YQIExGmjZ9mo5Ai6UgMHUSIYO4sNFcZYYk6N7bd75K0i8U8X2AcoIfiC 6VYdrw4e2rNMXW10CzIh1Co/t65QZ9KtuWXWwxQJYJuIcLsQT7MG7+K48ZJNSsB9 VuuzqNebxSZTyhEBMsN030/Oy1CiUsq+nekZfibcAHxc5L6JG8sFnW6R4uTuGg1q Zsvr95KZi5lpoUOE2UkdOK2TG7ntn7JLY4C4Yv2VGKrnxGiqajcKwkdh0a6xC1EX Y9JObNczgauCO56+f8+xcRoZpTAE/JtywwVl++brUeoLLUdCVthx


END CERTIFICATE-----
BEGIN CERTIFICATE-----

MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83 nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f /ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0 /RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1 oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl 5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA 8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC 2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0 j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz


END CERTIFICATE-----
'''Reddit''' https://www.reddit.com/ Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: true HTTP Public Key Pinning: false Certificate chain: -----BEGIN CERTIFICATE----- MIIHQzCCBiugAwIBAgIQB1sC352kFlEvZM5wcfyMBzANBgkqhkiG9w0BAQsFADBN MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwODE3MDAwMDAwWhcN MjAwOTAyMTIwMDAwWjBnMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEUMBIGA1UEChMLUmVkZGl0IEluYy4x FTATBgNVBAMMDCoucmVkZGl0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAM/pmlSjpBriKS1FgXKzqItMziu7otc9nmls8zLRaKwDHRpwVfiGWkLc kOfvhn79U2zqwDilJ7TKepbjXgpa7mUgs5bX5DqZPXhyfV1hFD66RRQi2wVbvdbJ dBGL3VrKZVJRIIpTtc3Q169FIslNKbc9eGq1nwO/REhI5dxDCHAoHwLpp+XfbjkB JGzlgKIBdBHed67KFVUKFvh1RVanVJUNG6IkAXXnPZSigwfA2wBH3QguOc1YxswP B4cOH5sdZeAJQ6j9rSxNqjZthoV43La5nsVYxRtreJ8ooV5ZX/dsL7BBBkWfF/ac VSU3f7X7XiFz23vruQyBNQKT2HKXwgcCAwEAAaOCBAMwggP/MB8GA1UdIwQYMBaA FA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBRx4FDR54BS+yMUZZ1Dp40x qlZpJjCBxAYDVR0RBIG8MIG5ggwqLnJlZGRpdC5jb22CCnJlZGRpdC5jb22CESou cmVkZGl0bWVkaWEuY29tgg9yZWRkaXRtZWRpYS5jb22CCSoucmVkZC5pdIIHcmVk ZC5pdIIUd3d3LnJlZGRpdHN0YXRpYy5jb22CE2kucmVkZGl0dXBsb2Fkcy5jb22C GCoudGh1bWJzLnJlZGRpdG1lZGlhLmNvbYIRd3d3LnJlZGRpdGluYy5jb22CDXJl ZGRpdGluYy5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB BggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2Vy dC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNl cnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEw KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZn gQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5k aWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0 LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIw ADCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHUApLkJkLQYWBSHuxOizGdwCjw1 mAT5G9+443fNDsgN3BAAAAFlRULTsAAABAMARjBEAiBcrugEb8o8AymzIh0fUN/F 0i9SHl/xCQnCIMbXoSd+rwIgVwN50xsjJVuBP7cVxR5oSlj2USU3KVkZoAq+PIwM HucAdgCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWVFQtSDAAAE AwBHMEUCIGo9XmyFN5b38sdORa5NThm594MGPYK4se987nB8WsvPAiEA8Imvn9QF 63D4vIwY8d+aticvw2dbwHdoZFpCj96yRn8AdwC72d+8H4pxtZOUI5eqkntHOFeV CqtS6BqQlmQ2jh7RhQAAAWVFQtSGAAAEAwBIMEYCIQCH+S3U0ac6/F5Bsc5xyHpO +UTpgz8DKiJSCfaObn3u5wIhANl9+8L/zSfwf7KPUhdPWfNnkMUFaFgRY1/HdOej 6a4UMA0GCSqGSIb3DQEBCwUAA4IBAQC9OsE5bjOOvx0VowfFacujFxU1kYDikX90 BH106XP7YQIExGmjZ9mo5Ai6UgMHUSIYO4sNFcZYYk6N7bd75K0i8U8X2AcoIfiC 6VYdrw4e2rNMXW10CzIh1Co/t65QZ9KtuWXWwxQJYJuIcLsQT7MG7+K48ZJNSsB9 VuuzqNebxSZTyhEBMsN030/Oy1CiUsq+nekZfibcAHxc5L6JG8sFnW6R4uTuGg1q Zsvr95KZi5lpoUOE2UkdOK2TG7ntn7JLY4C4Yv2VGKrnxGiqajcKwkdh0a6xC1EX Y9JObNczgauCO56+f8+xcRoZpTAE/JtywwVl++brUeoLLUdCVthx -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83 nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f /ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0 /RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1 oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl 5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA 8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC 2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0 j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz -----END CERTIFICATE-----
jscher2000
  • Top 10 Contributor
8586 solutions 70240 answers

As best I can tell, the two certificates are identical to the ones my Firefox accepts.

Which implies that the root certificate which signed the intermediate certificate -- which is supplied as part of Firefox and stored in cert9.db -- is somehow untrusted in your Firefox, or that Firefox is broken and not comparing correctly.

If you are running a Firefox build from your distribution instead of the one directly from Mozilla, are you aware of any relevant changes they might have made?

Otherwise, I would suggest removing cert9.db and letting Firefox rebuild it. There's a section in the general article on steps to do that: What do the security warning codes mean? (see "Corrupted certificate store").

As best I can tell, the two certificates are identical to the ones my Firefox accepts. Which implies that the root certificate which signed the intermediate certificate -- which is supplied as part of Firefox and stored in cert9.db -- is somehow untrusted in your Firefox, or that Firefox is broken and not comparing correctly. If you are running a Firefox build from your distribution instead of the one directly from Mozilla, are you aware of any relevant changes they might have made? Otherwise, I would suggest removing cert9.db and letting Firefox rebuild it. There's a section in the general article on steps to do that: [[What do the security warning codes mean?]] (see "Corrupted certificate store").
cor-el
  • Top 10 Contributor
  • Moderator
17352 solutions 156833 answers

Note that the OP already has tried to remove cert9.db.

Try to rename/remove pkcs11.txt and secmode.db as well.

You can check the DigiCert Global Root CA in the Certificate Manager under the Authorities tab.

Note that the OP already has tried to remove cert9.db. Try to rename/remove pkcs11.txt and secmode.db as well. You can check the <b>DigiCert Global Root CA</b> in the Certificate Manager under the Authorities tab.