Compare Revisions
"This Connection is Untrusted" error message appears - What to do
Revision 120978:
Revision 120978 by Tonnes on
Revision 122445:
Revision 122445 by pollti on
Keywords:
Search results summary:
This article explains what this error message means and how to bypass the warning in Firefox if you need to.
This article explains what this error message means and how to bypass the warning in Firefox if you need to.
Content:
This article describes why the '''This Connection Is Untrusted''' error message may appear when trying to visit secure (http'''s''') websites in Firefox.
* For troubleshooting secure connection problems with the error message '''Secure Connection Failed''', see the [[Secure Connection Failed]] article.
{for fx44}
*If you see the error message '''Your connection is not secure''', see the article [[What does "Your connection is not secure" mean?]].
{/for}
* For troubleshooting other error messages, see [[Error loading web sites]].
{for win8}
{note}'''Note:''' If you see this error message on major sites like Google, Facebook, YouTube and others in user accounts protected by Microsoft Family Safety filter, please refer to Microsoft's documentation for Windows Update [https://support.microsoft.com/en-us/kb/2965142#bookmark-2 KB2965142] (published on 6/9/2014) and Windows Update [https://support.microsoft.com/en-us/kb/2981655 KB2981655] (published on 8/11/2014).{/note}{/for}
{for win10}
{note}'''Note:''' You may currently see this error message on major sites like Google, Facebook, YouTube and others on Windows 10 in user accounts protected by Microsoft family settings. To turn these settings off for a particular user, see the Microsoft support article, [http://windows.microsoft.com/en-us/windows-10/turn-off-microsoft-family-settings Turn off Microsoft family settings].{/note}{/for}
__TOC__
= Certificates and identification =
When you visit a website whose web address starts with http'''s''', your communication with the site is encrypted to help ensure your privacy. Before starting the encrypted communication, the website will present Firefox with a "certificate" to identify itself.
The certificate helps Firefox determine whether the site you're visiting is actually the site that it claims to be. If there is a problem with the certificate, you will see the '''This Connection Is Untrusted''' alert page.
<br><br>[[Image:Connection Untrusted]]
Seeing the alert does not necessarily mean that the website you're visiting is trying to trick you into believing it is a different website - it means that Firefox isn't able to verify the identity of the website, and that you should proceed carefully.
There are several problems that can cause Firefox to reject a certificate. Some of them are described in detail in the [[#w_technical-information|Technical information]] section below.
= Get out of there! =
The safest thing to do is to click {button Get me out of here!}, or to go to a different website. Unless you know and understand the technical reason why the website presented incorrect identification, and are willing to risk communicating over a connection that could be vulnerable to an eavesdropper, you should not proceed to the website.
If possible, you should contact the owners of the website and inform them of the error.
= Technical information =
Click on '''Technical Details''' for more information on why the website's identity information is invalid. Some common errors are described below.
== The certificate will not be valid until ''(date)'' ==
{note}The certificate will not be valid until ''date'' (...)<br><br>Error code: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE{/note}
The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time{for win} (double-click the clock icon on the Windows Taskbar){/for} in order to fix the problem.
== The certificate expired on ''(date)'' ==
{note}The certificate expired on ''date'' (...)<br><br>Error code: SEC_ERROR_EXPIRED_CERTIFICATE{/note}
This error occurs when a website's identity certification has expired.
The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time{for win} (double-click the clock icon on the Windows Taskbar){/for} in order to fix the problem.
== The certificate is not trusted because the issuer certificate is unknown ==
{note}The certificate is not trusted because the issuer certificate is unknown.<br>The server might not be sending the appropriate intermediate certificates.<br>An additional root certificate may need to be imported.<br><br>Error code: SEC_ERROR_UNKNOWN_ISSUER{/note}
You may have enabled SSL scanning in your security software such as Avast, Bitdefender, ESET or Kaspersky. Try to disable this option. More details about this are available in the support article [[How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites]].
{for win8,win10}
You may also see this error message on major sites like Google, Facebook, YouTube and others on Windows in user accounts protected by Microsoft family settings. To turn these settings off for a particular user, see the Microsoft support article [http://go.microsoft.com/fwlink/p/?LinkId=627342 How do I turn off family features?].
{/for}
== The certificate is not trusted because it is self-signed ==
{note}The certificate is not trusted because it is self-signed.
<br><br>Error code: SEC_ERROR_UNTRUSTED_ISSUER{/note}
Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly and you may bypass the warning for such sites.
== The certificate is only valid for ''(site name)'' ==
{note}example.<i></i>com uses an invalid security certificate.<br><br>The certificate is only valid for the following names: www.example.<i></i>com, *.example.<i></i>com
<br><br>Error code: SSL_ERROR_BAD_CERT_DOMAIN{/note}
This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is.
A common situation is when the certificate is actually for a different part of the same site. For example, you may have visited https://example<!---->.com, but the certificate is for https://'''www.'''example<!---->.com. In this case, if you access https://'''www.'''example<!---->.com directly, you should not receive the warning.
== Corrupted certificate store ==
You may also see certificate error messages when the file in your profile folder that stores your certificates ({filepath cert8.db}) has become corrupted. Try to delete this file while Firefox is closed to regenerate it:
{note}'''Note:''' You should only perform these steps as a last resort, after all other troubleshooting steps have failed.{/note}
#[[T:profileFolder]]
#[[T:closeFirefox]]
# Click on the file named {filepath cert8.db}.
# Press {for mac}{key command}+{/for}{key Delete}.
# Restart Firefox.
;{note}'''Note:''' {filepath cert8.db} will be recreated when you restart Firefox. This is normal.{/note}
= Bypassing the warning =
You should only bypass the warning if you're confident in both the identity of the website and the integrity of your connection - even if you trust the site, someone could be tampering with your connection. Legitimate public sites will '''not''' ask you to add connection rule exceptions - an invalid certificate can be an indication of a web page that will defraud you or steal your identity.
# On the warning page, click '''I Understand the Risks'''.
# Click {button Add Exception...}. The Add Security Exception dialog will appear.
# Read the text describing the problems with this site.
# Click {button Confirm Security Exception} if you want to trust the site.
{note}If '''I Understand the Risks''' is missing, this page may be opened in an (i)frame. In that case, {for mac}press {key Ctrl} and click on{/for}{for win,linux}right-click{/for} the frame, choose ''This Frame'', then ''Open Frame in New Tab'', and continue as above.{/note}
This article describes why the '''This Connection Is Untrusted''' error message may appear when trying to visit secure (http'''s''') websites in Firefox.
* For troubleshooting secure connection problems with the error message '''Secure Connection Failed''', see the [[Secure Connection Failed]] article.
{for fx44}
*If you see the error message '''Your connection is not secure''', see the article [[What does "Your connection is not secure" mean?]].
{/for}
* For troubleshooting other error messages, see [[Error loading web sites]].
{for win8}
{note}'''Note:''' If you see this error message on major sites like Google, Facebook, YouTube and others in user accounts protected by Microsoft Family Safety filter, please refer to Microsoft's documentation for Windows Update [https://support.microsoft.com/en-us/kb/2965142#bookmark-2 KB2965142] (published on 6/9/2014) and Windows Update [https://support.microsoft.com/en-us/kb/2981655 KB2981655] (published on 8/11/2014).{/note}{/for}
{for win10}
{note}'''Note:''' You may currently see this error message on major sites like Google, Facebook, YouTube and others on Windows 10 in user accounts protected by Microsoft family settings. To turn these settings off for a particular user, see the Microsoft support article, [http://windows.microsoft.com/en-us/windows-10/turn-off-microsoft-family-settings Turn off Microsoft family settings].{/note}{/for}
__TOC__
= Certificates and identification =
When you visit a website whose web address starts with http'''s''', your communication with the site is encrypted to help ensure your privacy. Before starting the encrypted communication, the website will present Firefox with a "certificate" to identify itself.
The certificate helps Firefox determine whether the site you're visiting is actually the site that it claims to be. If there is a problem with the certificate, you will see the '''This Connection Is Untrusted''' alert page.
<br><br>[[Image:Connection Untrusted]]
Seeing the alert does not necessarily mean that the website you're visiting is trying to trick you into believing it is a different website - it means that Firefox isn't able to verify the identity of the website, and that you should proceed carefully.
There are several problems that can cause Firefox to reject a certificate. Some of them are described in detail in the [[#w_technical-information|Technical information]] section below.
= Get out of there! =
The safest thing to do is to click {button Get me out of here!}, or to go to a different website. Unless you know and understand the technical reason why the website presented incorrect identification, and are willing to risk communicating over a connection that could be vulnerable to an eavesdropper, you should not proceed to the website.
If possible, you should contact the owners of the website and inform them of the error.
= Technical information =
Click on '''Technical Details''' for more information on why the website's identity information is invalid. Some common errors are described below.
== The certificate will not be valid until ''(date)'' ==
{note}The certificate will not be valid until ''date'' (...)<br><br>Error code: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE{/note}
The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time{for win} (double-click the clock icon on the Windows Taskbar){/for} in order to fix the problem.
== The certificate expired on ''(date)'' ==
{note}The certificate expired on ''date'' (...)<br><br>Error code: SEC_ERROR_EXPIRED_CERTIFICATE{/note}
This error occurs when a website's identity certification has expired.
The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time{for win} (double-click the clock icon on the Windows Taskbar){/for} in order to fix the problem.
== The certificate is not trusted because the issuer certificate is unknown ==
{note}The certificate is not trusted because the issuer certificate is unknown.<br>The server might not be sending the appropriate intermediate certificates.<br>An additional root certificate may need to be imported.<br><br>Error code: SEC_ERROR_UNKNOWN_ISSUER{/note}
You may have enabled SSL scanning in your security software such as Avast, Bitdefender, ESET or Kaspersky. Try to disable this option. More details about this are available in the support article [[How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites]].
{for win8,win10}
You may also see this error message on major sites like Google, Facebook, YouTube and others on Windows in user accounts protected by Microsoft family settings. To turn these settings off for a particular user, see the Microsoft support article [http://go.microsoft.com/fwlink/p/?LinkId=627342 How do I turn off family features?].
{/for}
== The certificate is not trusted because it is self-signed ==
{note}The certificate is not trusted because it is self-signed.
<br><br>Error code: SEC_ERROR_UNKNOWN_ISSUER{/note}
Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly and you may bypass the warning for such sites.
== The certificate is only valid for ''(site name)'' ==
{note}example.<i></i>com uses an invalid security certificate.<br><br>The certificate is only valid for the following names: www.example.<i></i>com, *.example.<i></i>com
<br><br>Error code: SSL_ERROR_BAD_CERT_DOMAIN{/note}
This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is.
A common situation is when the certificate is actually for a different part of the same site. For example, you may have visited https://example<!---->.com, but the certificate is for https://'''www.'''example<!---->.com. In this case, if you access https://'''www.'''example<!---->.com directly, you should not receive the warning.
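The name mismatch described above can be reproduced with a simplified model of certificate name matching. This is an added example, not Firefox's own code; the function names are assumptions, and the certificate names are the sample names from the error text in this article.

```python
def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def name_matches(host, pattern):
    """True if one certificate name (optionally a '*.' wildcard) covers host."""
    h, p = _labels(host), _labels(pattern)
    if len(h) != len(p) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard stands for exactly one leftmost label and needs at
        # least two fixed labels after it, so '*.com' is never honoured.
        return len(p) >= 3 and h[1:] == p[1:]
    return h == p


def check_host(host, cert_names):
    """Return (ok, matching_names) for the host the user typed."""
    hits = [n for n in cert_names if name_matches(host, n)]
    return bool(hits), hits


def covered_alternatives(host, cert_names):
    """Concrete certificate names below host: the 'different part of the
    same site' case, where visiting that name directly avoids the warning."""
    suffix = "." + ".".join(_labels(host))
    return [n for n in cert_names
            if "*" not in n and n.lower().endswith(suffix)]


# Names taken from the sample error text in this article.
CERT_NAMES = ["www.example.com", "*.example.com"]

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com"):
        ok, hits = check_host(host, CERT_NAMES)
        print(host, "OK" if ok else "name mismatch", hits,
              covered_alternatives(host, CERT_NAMES))
```

The bare domain fails because <code>*.example.com</code> covers exactly one extra label, not zero and not two.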
== Corrupted certificate store ==
You may also see certificate error messages when the file in your profile folder that stores your certificates ({filepath cert8.db}) has become corrupted. Try to delete this file while Firefox is closed to regenerate it:
{note}'''Note:''' You should only perform these steps as a last resort, after all other troubleshooting steps have failed.{/note}
#[[T:profileFolder]]
#[[T:closeFirefox]]
# Click on the file named {filepath cert8.db}.
# Press {for mac}{key command}+{/for}{key Delete}.
# Restart Firefox.
;{note}'''Note:''' {filepath cert8.db} will be recreated when you restart Firefox. This is normal.{/note}
= Bypassing the warning =
You should only bypass the warning if you're confident in both the identity of the website and the integrity of your connection - even if you trust the site, someone could be tampering with your connection. Legitimate public sites will '''not''' ask you to add connection rule exceptions - an invalid certificate can be an indication of a web page that will defraud you or steal your identity.
# On the warning page, click '''I Understand the Risks'''.
# Click {button Add Exception...}. The Add Security Exception dialog will appear.
# Read the text describing the problems with this site.
# Click {button Confirm Security Exception} if you want to trust the site.
{note}If '''I Understand the Risks''' is missing, this page may be opened in an (i)frame. In that case, {for mac}press {key Ctrl} and click on{/for}{for win,linux}right-click{/for} the frame, choose ''This Frame'', then ''Open Frame in New Tab'', and continue as above.{/note}