This thread has been archived. Please ask a new question if you need help.

Potential security risk message incorrect

  • 19 replies
  • 1 has this problem
  • 163 views
  • Last reply by Mace2

more options

From my public IP of FF sees the web site as a potential security risk. FF is reporting this incorrectly as other web browsers show this site as valid. I have included the certificate values.

What is the reason for the error message? Someone could be trying to impersonate the site and you should not continue.

Websites prove their identity via certificates. Firefox does not trust because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.


Attached screenshots

Chosen solution

If you click through to view the certificate from the taskbar, it shows the chain at the top of the cert window. Clicking each will show the referenced cert.

When using, if you click one of the server addresses and scroll to the bottom of the report, it will also show you the chain and what is missing, if anything.

Read this answer in context 👍 0

All replies (19)

more options

There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connection certificates and send their own.

Websites don't load - troubleshoot and fix error messages

What do the security warning codes mean

  • uses an invalid security certificate SSL_ERROR_BAD_CERT_DOMAIN
  • configured their website improperly

How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites

more options

The invalid cert message is occurring on Linux as well as Mac OS.

I have enclosed a clearer cert

more options

This works for me on Linux.

There are two IP addresses for this domain if I test the server.

The first address seems to be OK with no issues reported apart from missing SNI support and only support for a few acceptable cipher suites (most are considered weak).

The second server is more problematic:

This server doesn't send required intermediate certificates (DigiCert Global CA G2) needed to build a certificate chain that ends in a trusted root certificate, so if you end up on this server then you get an error in case Firefox hasn't cached the missing intermediate certificate.

more options

Strangely Firefox message appears and disappears for this site. Below the fingerprint for the certificate is a match but it still occasionally gives that message — 29:26:5F:8E:5D:60:12:46:FC:B9:B6:3C:DE:5D:7C:8F:51:6D:A9:65

more options

It probably depends on to which server you are routed at the time, as noted above by cor-el.

more options

I would not expect the certificate SHA fingerprint to match. The certificate shows the correct Hash value verified by server.

My DNS servers from Vmedia inc are and If one is resolving incorrectly I would expect the sha1 hash not to be correct but it is correct.

From — 29:26:5F:8E:5D:60:12:46:FC:B9:B6:3C:DE:5D:7C:8F:51:6D:A9:65

Here is the error and the certificate.

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:



more options

It isn't resolving incorrectly, there are 2 IP addresses to which the domain name can resolve. Both have incomplete certificate chains while i am looking right now. The intermediate certificate is available to download, but Firefox doesn't look for these. The cert should be sent by the server.

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23760
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 65494
;		IN	A


The certificate you are looking at is fine, the fingerprints would match. The problem is not with that certificate, but with the trust chain. The server should simply send the intermediate cert.

That being said, it has obviously sent the intermediate certificates sometimes, because i can load the site. Last time from IP

[HTTP/1.1 200 OK 366ms]
HTTP Strict Transport Security:	Disabled
Public Key Pinning:	Disabled
Issued To	
Common Name (CN):
Organization (O):	TELUS
Organizational Unit (OU):	<Not Available>
Issued By	
Common Name (CN):	DigiCert Global CA G2
Organization (O):	DigiCert Inc
Organizational Unit (OU):	<Not Available>
Period of Validity	
Begins On:	June 24, 2019
Expires On:	July 14, 2020

DigiCert Global CA G2 is the intermediate, therefore i don't get the warning and i connect.

Just for flavor, the site has other errors, such as they are trying to embed a Google Map but they haven't had their site URL authorized for using the API.

If the site had any contact info, i would contact them. Their forum doesn't even have a subforum for site issues, and i am personally not poking them on social media or their generic whois mail address. (domain.registration[arobase]telus [dot]com)

more options

Thanks. Crankygoat.

The command GET I believe you ran from dig command. I get a different display

dig GET

<<>> DiG 9.10.6 <<>> GET
global options: +cmd
Got answer:
->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28372
flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
EDNS: version: 0, flags:; udp: 512

. 3338 IN SOA 2020011600 1800 900 604800 86400

Query time: 436 msec
WHEN: Thu Jan 16 04:16:39 EST 2020
MSG SIZE rcvd: 137
more options

GET (etc.) was the entry i got looking at the Web Console after the page had loaded. I just used that to see to which of the IP addresses i was routed when loading the page in a browser.

You are going to get NXDOMAIN (domain doesn't exist) from dig or nslookup as GET is not a domain. and are valid domains.

If i had a decent way to contact them, i would just tell them to test their certs and see that their intermediate cert is not (or not always) sent, which causes the connection to fail in Firefox.

I just tried again and today i am sent to the address.

I have no idea why i have gotten certificates and you have not, especially considering different cert tests say the intermediate is not sent. (Maybe i got it in a box of Cracker Jack?) I get the same results with FF 71 and 73.

more options

Yes. I understand I did enter the incorrect domain. However I noticed that Safari browser as well as my Android Firefox never seems to get the certificate error message and both are functioning on the same network.

I will have to perform more testing to see if this is just coincidence.

more options

I believe the problem may be with my ISP I cannot ping any known IP for such as or their DNS servers or

IP address Hostname IP Address Location Country Canada (CA) State/Region Ontario (ON) City Hamilton ISP ViaNetTV Inc ASN 54198 Timezone America/Toronto Local Time Fri, 17 Jan 2020 00:20:23 -0500 Latitude/Longitude 43.2284,-79.9071

traceroutes to my ISP gives me traceroute traceroute to (, 64 hops max, 52 byte packets

3 (  366.954 ms *  423.370 ms
4 (  307.191 ms  191.471 ms  126.917 ms
5 (  54.088 ms  28.712 ms  28.767 ms
6 (  36.279 ms  59.615 ms  25.908 ms
7 (  22.520 ms  23.665 ms  48.061 ms
8 (  135.003 ms  22.556 ms  22.233 ms
9  * * *

10 * * *
11 * * *
12 * * *

Line 4 is Cogent, a different ISP. So from my workstation to directly to I am going through Cogent

more options

Try to rename the cert9.db file (cert9OLD.db) and remove the previously used cert8.db file in the Firefox profile folder with Firefox closed to remove intermediate certificates and exceptions that Firefox has cached.

If this has helped to solve the problem then you can remove the renamed cert9OLD.db file. Otherwise you can undo the rename and restore cert9.db.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

more options

I did not modify the cert8.db. I reinstalled 72 and the certificate message disappeared. However the Ubuntu workstation still has the certificate error which suggests an induced certificate error with Firefox.

On the original workstation without with the certificate error FF produced the error occasionally but Safari on the same workstation never produced the certificate error. Also grades the site as B, so I do not know what FF is stating when it shows the certificate error. FF on my Android which is version 68.4.1 does not produce the error.

more options

As noted, when the intermediate certificate is not sent, Firefox has a problem with it. Other browsers will search for an intermediate cert and download it. Most ssllabs tests will show the intermediate cert not being sent. As long as you get the cert once, the browser won't have a problem again until the expiry date, if it isn't sent a cert.

I never had a problem loading the site (i.e., i received the cert), yet multiple tests at ssllabs (and elsewhere) showed one or both servers for the domain not sending the intermediate. So the problem will show up almost randomly.

The grade isn't particularly relevant, the actual tests are. You need to expand the results for each IP address. The Intermediate Certificate results at the bottom are the diagnostically significant results for this issue.

FF for Android may have received the cert, but it is also an entirely different beast than desktop FF. I don't know if it enforces the same policy strictness.

more options

I do not know why the intermediate certificate would not be sent when on the same physical workstation another browser (Safari) has no complaint. FF will work sometimes then stop without closing the browser.

Can I interrogate or test the intermediate certificate manually ?

more options

I believe I understand why other browsers work. They go out to find the missing certificate where Firefox does not.

I agree with Firefox method as the problem is with the certificate and no browser should go seeking to correct for an error. Bravo FF

Can anyone tell me if Firefox shows the certificate chain?

more options

Firefox caches intermediate certificates sent by a server, so if you have visited a server that sends a specific intermediate certificate then you won't get an error if you visit a website that doesn't send the intermediate certificate (i.e. Firefox will fall back to the cached certificate).

more options

Chosen solution

If you click through to view the certificate from the taskbar, it shows the chain at the top of the cert window. Clicking each will show the referenced cert.

When using, if you click one of the server addresses and scroll to the bottom of the report, it will also show you the chain and what is missing, if anything.
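
A command-line counterpart to the chain views discussed in this thread, as an added example that is not part of any post: the `chain_gap` function (a name chosen here) reads `openssl s_client -showcerts` output and reports how many certificates the server sent and which issuer it left for the client to supply. The two sample outputs are constructed, and `www.example.com` and `203.0.113.10` are placeholders.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client -showcerts` output on stdin and
# reports how many certificates the server sent and which issuer is not among
# them, i.e. what the client must supply itself (from its root store or, in
# Firefox, from its cache of previously seen intermediates).
chain_gap() {
  awk '
    /^ *[0-9]+ s:/ { sub(/.*CN ?= ?/, ""); subj[$0] = 1; n++; next }
    /^ +i:/        { sub(/.*CN ?= ?/, ""); iss[++m] = $0; next }
    END {
      printf "sent=%d", n
      for (k = 1; k <= m; k++)
        if (!(iss[k] in subj)) printf " needs=[%s]", iss[k]
      print ""
    }'
}

# Constructed sample: a server that sends only its own (leaf) certificate.
sample_leaf_only() {
cat <<'EOF'
Certificate chain
 0 s:C = CA, O = TELUS, CN = www.example.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
---
EOF
}

# Constructed sample: a server that also sends the intermediate.
sample_with_intermediate() {
cat <<'EOF'
Certificate chain
 0 s:C = CA, O = TELUS, CN = www.example.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
---
EOF
}

# Live use, once per IP address the name resolves to (placeholder values):
#   openssl s_client -connect 203.0.113.10:443 -servername www.example.com \
#     -showcerts </dev/null 2>/dev/null | chain_gap
sample_leaf_only | chain_gap
sample_with_intermediate | chain_gap
```

When the name after `needs=` is an intermediate such as DigiCert Global CA G2 rather than a root in the browser's store, that server depends on the client already holding the intermediate, which matches the intermittent warning described above.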