Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Unknown certificate issuer on new Firefox profile on Windows 10

  • 3 replies
  • 1 has this problem
  • 198 views
  • Last reply by cor-el

more options

Using 64-bit Firefox on a Windows 10 system (version 1909, OS Build 18363.476), there is a site which works fine when using an old profile but which for news profiles gives a “Did Not Connect: Potential Security Issue” message with error code SEC_ERROR_UNKNOWN_ISSUER.

Steps to reproduce:

1. Visit https://www.bancosantander.es/

2. Click on the top-right red square with a lock icon and the text “Acceso clientes” / “Accés clients”

A frame with a login form should appear but instead an error page shows up (the certificate is for particulares.bancosantander.es and the issuer CN Entrust Certification Authority - L1M; if necessary I can paste the about:certificate string).

The profiles that work were created on previous builds of both Firefox and Windows. On the aforementioned Windows version, all tested Firefox builds (stable 71.0.0 and unbranded builds reaching back to Firefox 68.0.1) do not work (the profiles might have been created earlier but I don't know where to get earlier builds which won't require installing).

What could be the problem, and how could it be fixed?

Chosen solution

Can you post the certificate code (base 64) ?

What security software do you have?

See also:


Try to copy cert9.db from the old profile to the new profile.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

Read this answer in context 👍 1

All Replies (3)

more options

Chosen Solution

Can you post the certificate code (base 64) ?

What security software do you have?

See also:


Try to copy cert9.db from the old profile to the new profile.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

more options

The computer has no additional security software that I am aware of and I believe no certificates have been manually installed.

Having a better look at the certificate being served,{1} could it be that the server is currently not providing the intermediate ones? When comparing, I had forgotten that Chrome works around that server issue, and now that I have taken my time to understand Firefox's current certificate information window I would say that this is the case — and likely the problem.

I hadn't thought that the working profiles might be relying on cached information. I imagine that this is why your proposed workaround/test of copying cert9.db from a working to a non-working profile makes things work. Thanks!

{1} I don't know of a better way to export the certificates that Firefox is getting (suggestions are welcome), so sorry for the formatting monstruosity:

-----BEGIN CERTIFICATE-----
MIIICzCCBvOgAwIBAgIRANZMWV+zQW9QAAAAAFTQN4QwDQYJKoZIhvcNAQELBQAw
gboxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL
Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg
MjAxNCBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxLjAs
BgNVBAMTJUVudHJ1c3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBMMU0wHhcN
MTkwOTAyMDY1NjMzWhcNMjExMDA1MDcyNjMxWjCCAQ4xCzAJBgNVBAYTAkVTMRIw
EAYDVQQIEwlDYW50YWJyaWExEjAQBgNVBAcTCVNhbnRhbmRlcjETMBEGCysGAQQB
gjc8AgEDEwJFUzEaMBgGCysGAQQBgjc8AgECEwlDYW50YWJyaWExMDAuBgNVBAoT
J0dydXBvIFNhbnRhbmRlciAoQmFuY28gU2FudGFuZGVyLCBTLkEuKTEdMBsGA1UE
DxMUUHJpdmF0ZSBPcmdhbml6YXRpb24xGDAWBgNVBAsTD0JBTkNPIFNBTlRBTkRF
UjESMBAGA1UEBRMJQTM5MDAwMDEzMScwJQYDVQQDEx5wYXJ0aWN1bGFyZXMuYmFu
Y29zYW50YW5kZXIuZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5
0gsopnGzIi+esuEh38X3kyTr9RImV+XJmtw06ziiwm4/iXy9QR+Xb+hQg6W9XFLF
I3mU/Kl4WvvAliqdGD9vQGgmSaRdjAJnlI+4Vqn5lpiyFUwXMLqT4S4UUScnRFcK
wQQcHBlAae5RhK48fr99F4535FQ4vxTJIaZu8SIDbv2iOEb/Q6OUADEqdk5UB47V
r8SOGzuoJO8AQ3PRRgpeQUxwXHmsjGG/pBdXPi92kNjVd9IQD/FhMkHxA7d1osqa
Wi2/gIcrqqAGfhUwdUpc53kc4IzV3A4mwIOA/RnEYpYMdHHPJL6nBu63G25gls64
E7Fjhoz54QrPKEYeSaYRAgMBAAGjggOzMIIDrzBNBgNVHREERjBEgh5wYXJ0aWN1
bGFyZXMuYmFuY29zYW50YW5kZXIuZXOCInd3dy5wYXJ0aWN1bGFyZXMuYmFuY29z
YW50YW5kZXIuZXMwggH3BgorBgEEAdZ5AgQCBIIB5wSCAeMB4QB2AId1v+dZfPiM
Q5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABbPDeRvEAAAQDAEcwRQIhAKumlXei
NVEYf8lGaRMg+fSOWf77+P0kUHaX5jvnoFveAiBziQ8ki3cF8ZQLxtsZVw7jzvH8
xOh6iwFYaAS3bEqtIwB2AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MM
AAABbPDeR1oAAAQDAEcwRQIgXHxXTM3lsgKVO3D3BqIQozOMLkmXKlBjzfhZEWiO
UNoCIQDTm+uNXamFm+vxp5fwi9wrsLYtSytiw8vMBmqQKsUZGQB3AFYUBpov18Ls
0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABbPDeR6gAAAQDAEgwRgIhAMeNhc23
K0tLpWWDnepn9vEN4e1+eYH26WaEblI5mXtYAiEAqCcqOmM0L1TdnyB5/F+D8zwr
nyc7n/7Phvwiob0+l0kAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3c
EAAAAWzw3keoAAAEAwBHMEUCIG0S8b9hj4dhVRQYYVsdRj0z14MZ2A3DOU4bN9as
61LXAiEAvWpXykM8AeqxcDIjHyNwkQwPQfa/bODhhjWc38CmxyYwDgYDVR0PAQH/
BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBoBggrBgEFBQcB
AQRcMFowIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmVudHJ1c3QubmV0MDMGCCsG
AQUFBzAChidodHRwOi8vYWlhLmVudHJ1c3QubmV0L2wxbS1jaGFpbjI1Ni5jZXIw
MwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9sZXZlbDFt
LmNybDBKBgNVHSAEQzBBMDYGCmCGSAGG+mwKAQIwKDAmBggrBgEFBQcCARYaaHR0
cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwBwYFZ4EMAQEwHwYDVR0jBBgwFoAUw/fQ
tSowra8NkSFwOVTdvIlwxzowHQYDVR0OBBYEFNzc9xD5/yEp5hArEqUYihGi8uaE
MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAL5bqRRm0LHy+XFi1dJG6FMJ
r3HJ6hZcmrijiK+vSvlNqJOi1dp4n2OuEcR1BAK5IGM0dmsh+/nNy6Zu0dX27dsX
wEKykkoX03hPbLMOil6wCxmTxQM/OTfQVAskWlV/kC5c7xQRSPkGTrYnmRTh+A5b
+rZ2GkO/BWi4Rpcphg/fQMIa1NNj5RZ3e+BUU84/Lwd5ygi9XKnZyoXB9tr7OiIB
mIcLK7dwkzYLuxRSjjcDxo37KC1XNfntvJ8LzNTkwOvynbTfcfHjEzbgGFiJUBXG
t9H3BqVP5XT+Hq2dgOMhfzZcoLrX4ra+siqFAzvDD0Y//LdmIxpZKAh4rBiNUNc=

END CERTIFICATE-----

Modified by cor-el

more options

I've formatted the certificate code.

There are indeed chain issues reported:

Firefox caches intermediate certificates send by servers, so this may work is you have visited a server in the past that sends this intermediate certificate. If you have a browser that works then export the missing intermediate certificate or use the above posted download link and import this certificate in the Firefox Certificate Manager under the Authorities tab.