There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connection certificates and send their own.

https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can

https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites

https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

https://support.mozilla.org/en-US/kb/connection-untrusted-error-message

Websites don't load - troubleshoot and fix error messages

http://kb.mozillazine.org/Error_loading_websites

What do the security warning codes mean

• MOZILLA_PKIX_ERROR_MITM_DETECTED
• uses an invalid security certificate SSL_ERROR_BAD_CERT_DOMAIN
• configured their website improperly

How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER

The invalid cert message is occuring on linux as well as Mac OS.

I have enclosed a clearer publicmobile.ca cert

This works for me on Linux.

There are two IP addresses for this domain if I test the server.

• https://www.ssllabs.com/ssltest/analyze.html?d=www.publicmobile.ca

The first address seems to be OK with no issues reported apart missing SNI support and only support for a few acceptable cipher suites (most are considered weak).

• https://www.ssllabs.com/ssltest/analyze.html?d=www.publicmobile.ca&s=54.83.51.244

The second server is more problematic:

• https://www.ssllabs.com/ssltest/analyze.html?d=www.publicmobile.ca&s=23.23.153.163&latest

This server doesn't send required intermediate certificates (DigiCert Global CA G2) needed to build a certificate chain that ends in a trusted root certificate, so if you end up on this server then you get an error in case Firefox hasn't cached the missing intermediate certificate.

Strangely Firefox message appears and disappears for this site. Below the fingerprint for the certificate is a match but it still occasionally gives that message

https://www.grc.com/fingerprints.htm publicmobile.ca publicmobile.ca — 29:26:5F:8E:5D:60:12:46:FC:B9:B6:3C:DE:5D:7C:8F:51:6D:A9:65

It probably depends on to which server you are routed at the time, as noted above by cor-el.

I would not expect the certificate SHA finger print to match.The certificate shows the correct Hash value verified by GRC.com server.

My DNS servers from Vmedia inc are 198.251.50.199 and 198.251.50.200 If one is resolving incorrectly I would expect the sha1 hash not to be correct but it is correct.

From https://www.grc.com/fingerprints.htm

publicmobile.ca publicmobile.ca — 29:26:5F:8E:5D:60:12:46:FC:B9:B6:3C:DE:5D:7C:8F:51:6D:A9:65

Here is the error and the certificate.

https://publicmobile.ca/

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Certificate chain:

MIIGQDCCBSigAwIBAgIQBhoW3r+sph64BMbbButhrDANBgkqhkiG9w0BAQsFADBE MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMR4wHAYDVQQDExVE aWdpQ2VydCBHbG9iYWwgQ0EgRzIwHhcNMTkwNjI1MDAwMDAwWhcNMjAwNzE0MTIw MDAwWjB8MQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQMA4GA1UEBxMH VG9yb250bzEOMAwGA1UEChMFVEVMVVMxHzAdBgNVBAsTFlRFTFVTIERpZ2l0YWwg U2VjdXJpdHkxGDAWBgNVBAMTD3B1YmxpY21vYmlsZS5jYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAN03OpTsLtgWJUvvCtKSrQ/+y4r5yjqEcTewFE09 oLgqdNu4VdbtYhqz6m9aDl84T2ayuDHShAnH1lbyge18KrpyLSiV/OoPTonyfSz/ vXtBZFvWj4Mzse5SoSwYPYU84bQAlHd7+Ca1i2FzT+WPkaG64iKMWc9l453rGdY9 sDTVFC/8s7318pCS1hnrsg8yVxBLTeJiUmpoXqojH32I/qlAbrCfpWmPUh0OGDXa trqYeXkAUuLIs8bNsdxk+ktr7qj3NiHmDPfXQ1V7JhoXLU9cuCDofT0O9sXd+AMP W3uvOkABnCietlIjbE9zn2nJ3XYwLesH2Fsq8BhPWCMMuu0CAwEAAaOCAvQwggLw MB8GA1UdIwQYMBaAFCRuKy3QapJRUSVpAaqaR6aJ50AgMB0GA1UdDgQWBBSLRroi hBjrWV86Z4+zJ7LPL9OMPTAvBgNVHREEKDAmgg9wdWJsaWNtb2JpbGUuY2GCE3d3 dy5wdWJsaWNtb2JpbGUuY2EwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG AQUFBwMBBggrBgEFBQcDAjB3BgNVHR8EcDBuMDWgM6Axhi9odHRwOi8vY3JsMy5k aWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxDQUcyLmNybDA1oDOgMYYvaHR0cDov L2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsQ0FHMi5jcmwwTAYDVR0g BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwdAYIKwYBBQUHAQEEaDBmMCQGCCsGAQUF BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wPgYIKwYBBQUHMAKGMmh0dHA6 Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbENBRzIuY3J0MAkG A1UdEwQCMAAwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgC72d+8H4pxtZOUI5eq kntHOFeVCqtS6BqQlmQ2jh7RhQAAAWuPlcUGAAAEAwBHMEUCIFoy+lqHcXoA/G1L /ABlCT8sZvFVNaho4nQPlHgyuwY0AiEAw1GA0rE46JII/QkMsZtI+9IRgJDP28Gh fG8SgjxXYW4AdgBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAAAWuP lcRUAAAEAwBHMEUCIQCP50aMvaWx/eFIzqZPOEHtiJnyUVtQJhix91ERxVhwowIg HufqsqQwFjiOsBmFt7a20MUetUAG7osXxVQyX1AEkmEwDQYJKoZIhvcNAQELBQAD ggEBAIayRDVOHvBau4RTm2RrPGqrDKGSX1agk4g4NE6BeXcjLE1OfOA15xv3Gqqs g0ArAdM4B5KAF+JFVleFZmWEmKQq5KBr1mkV8QYlxhHmnZ5L1F2snP2LKMF0YQST nhO0xEGgMEZWNioNj4B+gDFpPnZzk8f0BhWhfLlcvp4WFt9Qt9lASrhpuoCikfCG lgYTc42w9UE9Z1DjV+KanUx4cc4G0GpWT1faF3GnziwfjP1/xDZ75iwMCDTQ4gcU K4r1JZYhRBsoeHf8HNgfxMAA8mND16OHJh9IEhpgX9ZY/ipyhJ6djNRcnsIJE/sn myplE2T+1TqLSbGSZstx4Qyd8js=

It isn't resolving incorrectly, there are 2 IP addresses to which the domain name can resolve. Both have incomplete certificate chains while i am looking right now. The intermediate certificate is available to download, but Firefox doesn't look for these. The cert should be sent by the server.

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> www.publicmobile.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23760
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.publicmobile.ca.		IN	A

;; ANSWER SECTION:
www.publicmobile.ca.	300	IN	A	54.83.51.244
www.publicmobile.ca.	300	IN	A	23.23.153.163

The certificate you are looking at is fine, the fingerprints would match. The problem is not with that certificate, but with the trust chain. The server should simply send the intermediate cert.

https://support.mozilla.org/en-US/kb/error-codes-secure-websites#w_missing-intermediate-certificate

That being said, it has obviously sent the intermediate certificates sometimes, because i can load the site. Last time from IP 23.23.153.163

GEThttps://publicmobile.ca/en/bc/
[HTTP/1.1 200 OK 366ms]
	
Connection:	
Host publicmobile.ca:	
HTTP Strict Transport Security:	Disabled
Public Key Pinning:	Disabled
Certificate:	
Issued To	
Common Name (CN):	publicmobile.ca
Organization (O):	TELUS
Organizational Unit (OU):	<Not Available>
Issued By	
Common Name (CN):	DigiCert Global CA G2
Organization (O):	DigiCert Inc
Organizational Unit (OU):	<Not Available>
Period of Validity	
Begins On:	June 24, 2019
Expires On:	July 14, 2020

DigiCert Global CA G2 is the intermediate, therefore i don't get the warning and i connect.

Just for flavor, the site has other errors, such as they are trying to embed a Google Map but they haven't had their site URL authorized for using the API.

If the site had any contact info, i would contact them. Their forum doesn't even have a subforum for site issues, and i am personally not poking them on social media or their generic whois mail address. (domain.registration[arobase]telus [dot]com)

Thanks. Crankygoat.

the command GEThttps://publicmobile.ca/en/bc/ I beilieve you ran from dig command. I get a different display

dig GEThttps://publicmobile.ca/en/bc/

<<>> DiG 9.10.6 <<>> GEThttps://publicmobile.ca/en/bc/

global options: +cmd

Got answer:

->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28372

flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

OPT PSEUDOSECTION:

EDNS: version: 0, flags:; udp: 512

QUESTION SECTION:

GEThttps://publicmobile.ca/en/bc/. IN A

AUTHORITY SECTION:

. 3338 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020011600 1800 900 604800 86400

Query time: 436 msec

SERVER: 9.9.9.9#53(9.9.9.9)

WHEN: Thu Jan 16 04:16:39 EST 2020

MSG SIZE rcvd: 137

GEThttps://publicmobile.ca/en/bc/ (etc.) was the entry i got looking at the Web Console after the page had loaded. I just used that to see to which of the IP addresses i was routed when loading the page in a browser.

You are going to get NXDOMAIN (domain doesn't exist) from dig or nslookup as GEThttps://publicmobile.ca/en/bc/ is not a domain. publicmobile.ca and www.publicmobile.ca are valid domains.

If i had a decent way to contact them, i would just tell them to test their certs and see that their intermediate cert is not (or not always) sent, which causes the connection to fail in Firefox.

I just tried again and today i am sent to the 54.83.51.24 address.

I have no idea why i have gotten certificates and you have not, especially considering different cert tests say the intermediate is not sent. (Maybe i got it in a box of Cracker Jack?) I get the same results with FF 71 and 73.

Yes. I understand I did enter the incorrect domain. However I noticed that Safari browser as well as my Android Firefox never seems to get the certificate error message and both are functioning on the same network.

I will have to perform more testing to see if this is just coincidence.

I believe the problem may be with my ISP Vmedia.ca I cannot ping any known IP for Vmedia.ca such as 151.139.128.10 or their DNS servers 198.251.50.199 or 198.251.50.200.

IP address 104.158.49.18 Hostname 18.49.158.104.in-addr.arpa IP Address Location Country Canada (CA) State/Region Ontario (ON) City Hamilton ISP ViaNetTV Inc ASN 54198 Timezone America/Toronto Local Time Fri, 17 Jan 2020 00:20:23 -0500 Latitude/Longitude 43.2284,-79.9071

traceroutes to vmedia.ca my ISP gives me traceroute 151.139.128.10 traceroute to 151.139.128.10 (151.139.128.10), 64 hops max, 52 byte packets

1 
2  
3  3.52.251.198.in-addr.arpa (198.251.52.3)  366.954 ms *  423.370 ms
4  198.251.49.89 (198.251.49.89)  307.191 ms  191.471 ms  126.917 ms
5  198.251.51.56 (198.251.51.56)  54.088 ms  28.712 ms  28.767 ms
6  198.251.50.16 (198.251.50.16)  36.279 ms  59.615 ms  25.908 ms
7  be4582.211.ccr32.yyz02.atlas.cogentco.com (38.122.70.217)  22.520 ms  23.665 ms  48.061 ms
8  be3529.rcr51.b054249-0.yyz02.atlas.cogentco.com (154.54.24.194)  135.003 ms  22.556 ms  22.233 ms
9  * * *

10 * * * 11 * * * 12 * * *

Line 4 is Cogent a different ISP. So from my workstation to directly to Vmedia.ca I am going thorugh cogent 154.54.24.194.

Try to rename the cert9.db file (cert9OLD.db) and remove the previously used cert8.db file in the Firefox profile folder with Firefox closed to remove intermediate certificates and exceptions that Firefox has cached.

• https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean

If this has helped to solve the problem then you can remove the renamed cert9OLD.db file. Otherwise you can undo the rename and restore cert9.db.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

• Help -> Troubleshooting Information -> Profile Folder/Directory:
  Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder
• https://support.mozilla.org/en-US/kb/Profiles

I did not modify the cert8.db I reinstalled 72 and the certificate message disappeared. However the Ubuntu workstation still has the certificat error which suggests an induced certificate error with Firefox.

On the original workstation without with the certificate error FF produced the error occassionaly but Safari on the same workstation never produced the certificate error. Also https://www.ssllabs.com grades the site as B, so I do not know what FF is stating when it whos the certificate error. FF on my android which is version 68.4.1 does not produce the error.

As noted, when the intermediate certificate is not sent, Firefox has a problem with it. Other browsers will search for an intermediate cert and download it. Most ssllabs tests will show the intermediate cert not being sent. As long as you get the cert once, the browser won't have a problem again until the expiry date, if it isn't sent a cert.

I never had a problem loading the site (i.e., i received the cert), yet multiple tests at ssllabs (and elsewhere) showed one or both servers for the domain not sending the intermediate. So the problem will show up almost randomly.

The grade isn't particularly relevant, the actual tests are. You need to expand the results for each IP address. The Intermediate Certificate results at the bottom are the diagnostically significant results for this issue.

FF for Android may have received the cert, but it is also an entirely different beast than desktop FF. I don't know if it enforces the same policy strictness.

I do not know why the intermediate certificate would not be sent when on the same physical workstation another browser (Safari) has no complaint. FF will work sometimes then stop without closing the browser.

Can I interrogate or test the intermediate certificate manually ?

I believe I understand why other browser work. They go out to find the missing certificate where Firefox does not.

I agree with Firefox method as the problem is with the certificate and no browser should go seeking to correct for an error. Bravo FF

Can anyone tell me if Firefox shows the certificate chain?

Firefox caches intermediate certificates send by a server, so if you have visited a server that sends a specific intermediate certificate then you won't get an error if you visit a website that doesn't send the intermediate certificate (i.e. Firefox will fallback to the cached certificate).

If you click through to view the certificate from the taskbar, it shows the chain at the top of the cert window. Clicking each will show the referenced cert.

When using ssllabs.com, if you click one of the server addresses and scroll to the bottom of the report, it will also show you the chain and what is missing, if anything.

OK. Thanks