Support Forum

Potential security risk message incorrect

From my public IP of 104.158.49.18 FF sees the web site https://www.publicmobile.ca/ as a potential security risk. FF is reporting this incorrectly as other web browsers show this site as valid. I have included the certificate values.

What is the reason for the error message? Someone could be trying to impersonate the site and you should not continue.

Websites prove their identity via certificates. Firefox does not trust www.publicmobile.ca because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

Error code: SEC_ERROR_UNKNOWN_ISSUER


Additional System Details

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:71.0) Gecko/20100101 Firefox/71.0

FredMcD
  • Top 10 Contributor
4344 solutions 61105 answers

There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connection certificates and send their own.

https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can

https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites

https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

https://support.mozilla.org/en-US/kb/connection-untrusted-error-message

Websites don't load - troubleshoot and fix error messages: https://support.mozilla.org/en-US/kb/websites-dont-load-troubleshoot-and-fix-errors?redirectlocale=en-US&redirectslug=Error+loading+web+sites

http://kb.mozillazine.org/Error_loading_websites

What do the security warning codes mean: https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean

  • MOZILLA_PKIX_ERROR_MITM_DETECTED
  • uses an invalid security certificate SSL_ERROR_BAD_CERT_DOMAIN
  • configured their website improperly

How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER

Question owner

The invalid cert message is occurring on Linux as well as Mac OS.

I have enclosed a clearer publicmobile.ca cert

cor-el
  • Top 10 Contributor
  • Moderator
17775 solutions 160795 answers

This works for me on Linux.

There are two IP addresses for this domain if I test the server.

  • https://www.ssllabs.com/ssltest/analyze.html?d=www.publicmobile.ca

The first address seems to be OK with no issues reported apart from missing SNI support and only support for a few acceptable cipher suites (most are considered weak).

  • https://www.ssllabs.com/ssltest/analyze.html?d=www.publicmobile.ca&s=54.83.51.244

The second server is more problematic:

  • https://www.ssllabs.com/ssltest/analyze.html?d=www.publicmobile.ca&s=23.23.153.163&latest

This server doesn't send required intermediate certificates (DigiCert Global CA G2) needed to build a certificate chain that ends in a trusted root certificate, so if you end up on this server then you get an error in case Firefox hasn't cached the missing intermediate certificate.

Question owner

Strangely, the Firefox message appears and disappears for this site. Below, the fingerprint for the certificate is a match, but it still occasionally gives that message.

https://www.grc.com/fingerprints.htm publicmobile.ca publicmobile.ca — 29:26:5F:8E:5D:60:12:46:FC:B9:B6:3C:DE:5D:7C:8F:51:6D:A9:65

crankygoat
  • Top 25 Contributor
40 solutions 471 answers

It probably depends on to which server you are routed at the time, as noted above by cor-el.


Question owner

I would not expect the certificate SHA fingerprint to match. The certificate shows the correct hash value verified by the GRC.com server.

My DNS servers from Vmedia inc are 198.251.50.199 and 198.251.50.200. If one is resolving incorrectly I would expect the SHA-1 hash not to be correct, but it is correct.

From https://www.grc.com/fingerprints.htm

publicmobile.ca publicmobile.ca — 29:26:5F:8E:5D:60:12:46:FC:B9:B6:3C:DE:5D:7C:8F:51:6D:A9:65


Here is the error and the certificate.

https://publicmobile.ca/

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Certificate chain:


crankygoat
  • Top 25 Contributor
40 solutions 471 answers

Helpful Reply

It isn't resolving incorrectly, there are 2 IP addresses to which the domain name can resolve. Both have incomplete certificate chains while i am looking right now. The intermediate certificate is available to download, but Firefox doesn't look for these. The cert should be sent by the server.

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> www.publicmobile.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23760
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.publicmobile.ca.		IN	A

;; ANSWER SECTION:
www.publicmobile.ca.	300	IN	A	54.83.51.244
www.publicmobile.ca.	300	IN	A	23.23.153.163

The certificate you are looking at is fine, the fingerprints would match. The problem is not with that certificate, but with the trust chain. The server should simply send the intermediate cert.

https://support.mozilla.org/en-US/kb/error-codes-secure-websites#w_missing-intermediate-certificate


That being said, it has obviously sent the intermediate certificates sometimes, because i can load the site. Last time from IP 23.23.153.163

GEThttps://publicmobile.ca/en/bc/
[HTTP/1.1 200 OK 366ms]
	
Connection:	
Host publicmobile.ca:	
HTTP Strict Transport Security:	Disabled
Public Key Pinning:	Disabled
Certificate:	
Issued To	
Common Name (CN):	publicmobile.ca
Organization (O):	TELUS
Organizational Unit (OU):	<Not Available>
Issued By	
Common Name (CN):	DigiCert Global CA G2
Organization (O):	DigiCert Inc
Organizational Unit (OU):	<Not Available>
Period of Validity	
Begins On:	June 24, 2019
Expires On:	July 14, 2020

DigiCert Global CA G2 is the intermediate, therefore i don't get the warning and i connect.

Just for flavor, the site has other errors, such as they are trying to embed a Google Map but they haven't had their site URL authorized for using the API.

If the site had any contact info, i would contact them. Their forum doesn't even have a subforum for site issues, and i am personally not poking them on social media or their generic whois mail address. (domain.registration[arobase]telus [dot]com)


Question owner

Thanks. Crankygoat.

The command GEThttps://publicmobile.ca/en/bc/ I believe you ran from the dig command. I get a different display.

dig GEThttps://publicmobile.ca/en/bc/

; <<>> DiG 9.10.6 <<>> GEThttps://publicmobile.ca/en/bc/
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28372
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;GEThttps://publicmobile.ca/en/bc/. IN A

;; AUTHORITY SECTION:
. 3338 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020011600 1800 900 604800 86400

;; Query time: 436 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Thu Jan 16 04:16:39 EST 2020
;; MSG SIZE rcvd: 137
crankygoat
  • Top 25 Contributor
40 solutions 471 answers

Helpful Reply

GEThttps://publicmobile.ca/en/bc/ (etc.) was the entry i got looking at the Web Console after the page had loaded. I just used that to see to which of the IP addresses i was routed when loading the page in a browser.

You are going to get NXDOMAIN (domain doesn't exist) from dig or nslookup as GEThttps://publicmobile.ca/en/bc/ is not a domain. publicmobile.ca and www.publicmobile.ca are valid domains.

If i had a decent way to contact them, i would just tell them to test their certs and see that their intermediate cert is not (or not always) sent, which causes the connection to fail in Firefox.

I just tried again and today i am sent to the 54.83.51.24 address.

I have no idea why i have gotten certificates and you have not, especially considering different cert tests say the intermediate is not sent. (Maybe i got it in a box of Cracker Jack?) I get the same results with FF 71 and 73.


Question owner

Yes. I understand I did enter the incorrect domain. However I noticed that Safari browser as well as my Android Firefox never seems to get the certificate error message and both are functioning on the same network.

I will have to perform more testing to see if this is just coincidence.


Question owner

I believe the problem may be with my ISP Vmedia.ca. I cannot ping any known IP for Vmedia.ca such as 151.139.128.10 or their DNS servers 198.251.50.199 or 198.251.50.200.

IP address: 104.158.49.18
Hostname: 18.49.158.104.in-addr.arpa
IP Address Location
Country: Canada (CA)
State/Region: Ontario (ON)
City: Hamilton
ISP: ViaNetTV Inc
ASN: 54198
Timezone: America/Toronto
Local Time: Fri, 17 Jan 2020 00:20:23 -0500
Latitude/Longitude: 43.2284,-79.9071

Traceroutes to vmedia.ca, my ISP, gives me:

traceroute 151.139.128.10
traceroute to 151.139.128.10 (151.139.128.10), 64 hops max, 52 byte packets

 1
 2
 3  3.52.251.198.in-addr.arpa (198.251.52.3)  366.954 ms *  423.370 ms
 4  198.251.49.89 (198.251.49.89)  307.191 ms  191.471 ms  126.917 ms
 5  198.251.51.56 (198.251.51.56)  54.088 ms  28.712 ms  28.767 ms
 6  198.251.50.16 (198.251.50.16)  36.279 ms  59.615 ms  25.908 ms
 7  be4582.211.ccr32.yyz02.atlas.cogentco.com (38.122.70.217)  22.520 ms  23.665 ms  48.061 ms
 8  be3529.rcr51.b054249-0.yyz02.atlas.cogentco.com (154.54.24.194)  135.003 ms  22.556 ms  22.233 ms
 9  * * *
10  * * *
11  * * *
12  * * *

Line 4 is Cogent a different ISP. So from my workstation directly to Vmedia.ca I am going through Cogent 154.54.24.194.
cor-el
  • Top 10 Contributor
  • Moderator
17775 solutions 160795 answers

Try to rename the cert9.db file (cert9OLD.db) and remove the previously used cert8.db file in the Firefox profile folder with Firefox closed to remove intermediate certificates and exceptions that Firefox has cached.

  • https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean

If this has helped to solve the problem then you can remove the renamed cert9OLD.db file. Otherwise you can undo the rename and restore cert9.db.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

  • Help -> Troubleshooting Information -> Profile Folder/Directory: Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder
  • https://support.mozilla.org/en-US/kb/Profiles

Question owner

I did not modify the cert8.db. I reinstalled 72 and the certificate message disappeared. However the Ubuntu workstation still has the certificate error which suggests an induced certificate error with Firefox.

On the original workstation without with the certificate error FF produced the error occasionally but Safari on the same workstation never produced the certificate error. Also https://www.ssllabs.com grades the site as B, so I do not know what FF is stating when it shows the certificate error. FF on my Android which is version 68.4.1 does not produce the error.
crankygoat
  • Top 25 Contributor
40 solutions 471 answers

As noted, when the intermediate certificate is not sent, Firefox has a problem with it. Other browsers will search for an intermediate cert and download it. Most ssllabs tests will show the intermediate cert not being sent. As long as you get the cert once, the browser won't have a problem again until the expiry date, if it isn't sent a cert.

I never had a problem loading the site (i.e., i received the cert), yet multiple tests at ssllabs (and elsewhere) showed one or both servers for the domain not sending the intermediate. So the problem will show up almost randomly.

The grade isn't particularly relevant, the actual tests are. You need to expand the results for each IP address. The Intermediate Certificate results at the bottom are the diagnostically significant results for this issue.

FF for Android may have received the cert, but it is also an entirely different beast than desktop FF. I don't know if it enforces the same policy strictness.


Question owner

I do not know why the intermediate certificate would not be sent when on the same physical workstation another browser (Safari) has no complaint. FF will work sometimes then stop without closing the browser.

Can I interrogate or test the intermediate certificate manually?


Question owner

I believe I understand why other browsers work. They go out to find the missing certificate where Firefox does not.

I agree with Firefox's method as the problem is with the certificate and no browser should go seeking to correct for an error. Bravo FF

Can anyone tell me if Firefox shows the certificate chain?

cor-el
  • Top 10 Contributor
  • Moderator
17775 solutions 160795 answers

Firefox caches intermediate certificates sent by a server, so if you have visited a server that sends a specific intermediate certificate then you won't get an error if you visit a website that doesn't send the intermediate certificate (i.e. Firefox will fall back to the cached certificate).

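The behaviour described in the replies above (one server omitting the intermediate, Firefox's intermediate cache, and a leaf fingerprint that matches either way) can be reproduced offline with the openssl command line. This is an added example, not part of the original posts; the PKI, the names (Demo Root CA, shop.example) and the server_a/server_b bundles are constructed. Against a live server the bundle would be the saved output of `openssl s_client -connect <ip>:443 -servername <host> -showcerts`.

```shell
#!/bin/sh
# Added example with a constructed PKI: root -> intermediate -> leaf.
set -eu

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$PKI/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_csr NAME CN: new key plus certificate request
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$PKI/ca.cnf" \
        -subj "/CN=$2" -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
}

# Self-signed root: the only certificate the client trusts.
openssl req -x509 -newkey rsa:2048 -nodes -config "$PKI/ca.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" -days 30 \
    -keyout "$PKI/root.key" -out "$PKI/root.pem" 2>/dev/null

# Intermediate CA signed by the root.
make_csr int "Demo Intermediate CA"
openssl x509 -req -in "$PKI/int.csr" -CA "$PKI/root.pem" -CAkey "$PKI/root.key" \
    -set_serial 2 -days 30 -extfile "$PKI/ca.cnf" -extensions v3_ca \
    -out "$PKI/int.pem" 2>/dev/null

# Leaf (site) certificate signed by the intermediate.
make_csr leaf "shop.example"
openssl x509 -req -in "$PKI/leaf.csr" -CA "$PKI/int.pem" -CAkey "$PKI/int.key" \
    -set_serial 3 -days 30 -out "$PKI/leaf.pem" 2>/dev/null

# What each server puts on the wire.
cat "$PKI/leaf.pem" "$PKI/int.pem" > "$PKI/server_a.pem"   # leaf + intermediate
cp "$PKI/leaf.pem" "$PKI/server_b.pem"                     # leaf only

# chain_status BUNDLE [CACHE]: try to build a path from the first certificate
# in BUNDLE to the trusted root, using only what the server sent plus an
# optional file of previously seen intermediates (no fetching).
chain_status() {
    pool="$PKI/pool.pem"
    cat "$1" ${2:+"$2"} > "$pool"
    if openssl verify -CAfile "$PKI/root.pem" -untrusted "$pool" "$1" 2>&1 \
        | grep -q ': OK$'; then
        echo trusted
    else
        echo unknown_issuer
    fi
}

# leaf_fingerprint BUNDLE: SHA-1 fingerprint of the first certificate only.
leaf_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

echo "server A, leaf + intermediate : $(chain_status "$PKI/server_a.pem")"
echo "server B, leaf only           : $(chain_status "$PKI/server_b.pem")"
echo "server B, intermediate cached : $(chain_status "$PKI/server_b.pem" "$PKI/int.pem")"
echo "leaf fingerprint from A       : $(leaf_fingerprint "$PKI/server_a.pem")"
echo "leaf fingerprint from B       : $(leaf_fingerprint "$PKI/server_b.pem")"
```

The fingerprint covers only the leaf certificate, so it is identical for both servers even though only one of them supplies enough to build a trusted chain.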
crankygoat
  • Top 25 Contributor
40 solutions 471 answers

Chosen Solution

If you click through to view the certificate from the taskbar, it shows the chain at the top of the cert window. Clicking each will show the referenced cert.

When using ssllabs.com, if you click one of the server addresses and scroll to the bottom of the report, it will also show you the chain and what is missing, if anything.


Question owner

OK. Thanks
