Firefox 66.0.3 (64bit) does not know certain CAs (e.g. CloudFlare Inc ECC CA-2 and Microsoft IT TLS CA 4), resulting in not being able to visit certain websites

  • 6 replies
  • 1 has this problem
  • 16 views
  • Last reply by SteelDragon

Apparently FF "forgot" some root CAs. So when a website uses HSTS I cannot visit it anymore. Examples I found more or less by chance are patreon.com (Cloudflare CA) and microsoft.com (MS CA). For both I get the "SEC_ERROR_UNKNOWN_ISSUER" error. The error message tells me that it is probably not a problem I can resolve myself, but I doubt that: if rather well known websites like the examples listed above were not accessible for several days, the internet would have produced a shitstorm already. I already looked around the support website and found http://mzl.la/1M2JxD0, which did not provide any helpful information. I also tried to open both examples on MS Edge (because it was the easiest solution to use the preinstalled browser) and both worked fine, so it does not seem to be an OS (Windows 10 64 bit) issue.

I also found the wiki https://wiki.mozilla.org/CA/AddRootToFirefox and I was slightly surprised that I have neither of the two directories where the root certificates are supposed to be saved. Though I don't know how current the information on the wiki is. ( %USERPROFILE%\AppData\Local\Mozilla\Certificates && %USERPROFILE%\AppData\Roaming\Mozilla\Certificates )

I've also read that antivirus programs often interfere, but I currently have only Windows Defender and Malwarebytes Antimalware installed; the second one is only manually started every now and then and does not actively run in the background all the time. I haven't found any option for Windows Defender that could have an influence.

So yeah. I am currently a bit stumped on what exactly happened and how to solve this.

All Replies (6)

Hi SteelDragon, could you click the View Certificate link and see what the root certificate is? Mine shows Baltimore CyberTrust Root, which is a bundled certificate.

If you get the encoded certificate(s) rather than an English-language view, you can use a site like the following to decode it(them), or paste the block(s) of gibberish into a reply here.

https://certlogik.com/decoder/

There does not seem to be a hierarchy like in yours. It only lists patreon itself as a single level.

When I put it into the decoder you linked it also does not look wrong. At least from my amateur point of view.

Usually the web server sends the intermediate certificate so that Firefox can verify the complete chain up to the trusted root, and assuming the intermediate certificate checks out, Firefox caches it in the cert9.db file. Subsequently, it shows up when you check the Certificate Manager on the Options page. (Screenshot added)

It sounds as though you are not getting served that intermediate certificate, but I can't tell why. A "man in the middle" is the usual suspect, but I can't tell at this point what is going on.

Modified by jscher2000 - Support Volunteer
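
The chain-building behaviour described in the reply above can be reproduced offline with the `openssl` command line (an added example, not part of the original thread, and using OpenSSL rather than Firefox's own certificate library). It builds a throwaway root, intermediate and leaf with made-up names, then validates the leaf as a client that trusts only the root: without the intermediate the result is OpenSSL's "unable to get local issuer certificate", the analogous failure to SEC_ERROR_UNKNOWN_ISSUER.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf chain (all names made up).
set -eu

make_chain() {   # $1 = empty, writable working directory
  cat > "$1/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[ee]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the only certificate the verifying client trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/cfg" -extensions ca \
    -subj "/CN=Demo Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  issue "$1" inter "/CN=Demo Intermediate CA" root ca   # root signs intermediate
  issue "$1" leaf "/CN=www.example.test" inter ee       # intermediate signs leaf
}

issue() {        # dir, name, subject, signer, extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/cfg" -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -CAcreateserial \
    -days 2 -extfile "$1/cfg" -extensions "$5" -out "$1/$2.pem" 2>/dev/null
}

# Validate the leaf the way a client that trusts only the root would.
# $2 = leaf-only (intermediate neither served nor cached) or with-intermediate.
chain_status() {
  if [ "$2" = with-intermediate ]; then
    out=$(openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1) || true
  fi
  case $out in
    *"unable to get local issuer certificate"*) echo unknown-issuer ;;
    *": OK"*) echo trusted ;;
    *) echo other-failure ;;
  esac
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
echo "leaf only:         $(chain_status "$demo_dir" leaf-only)"
echo "with intermediate: $(chain_status "$demo_dir" with-intermediate)"
```

The leaf certificate is identical in both runs; only the availability of the intermediate changes the verdict.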

Anything unusual in your connection settings here:

  • Windows: "3-bar" menu button (or Tools menu) > Options
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box at the top of the page, type proxy and Firefox should filter to the "Settings" button, which you can click.

The default of "Use system proxy settings" piggybacks on your Windows/IE "LAN" setting. "Auto-detect" can lead to a flaky connection. You may want to try "No proxy".

Any difference?

Chosen Solution

Try to rename the cert9.db (cert9.db.old) file and remove the previously used cert8.db file in the Firefox profile folder with Firefox closed to remove intermediate certificates and exceptions that Firefox has stored.

If this has helped to solve the problem then you can remove the renamed cert9.db.old file. Otherwise you can undo the rename and restore cert9.db.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:preferences page.

Renaming and deleting the cert9.db file helped!

Thanks jscher2000 and cor-el for providing helpful feedback including background information on how this stuff works.

While I don't understand why / how the certificate chain got interrupted (connection settings were set to "no proxy", changing them to "use OS/system setting" changed nothing) it seems to be some kind of one-time error, because with a newly created cert9.db file it works fine, as said above.