Compare Revisions
Troubleshoot security error codes on secure websites
Revision 115415:
Revision 115415 by Artist on
Revision 116151:
Revision 116151 by philipp on
Keywords:
load, connect, banned, blocked
load, connect, banned, blocked
Search results summary:
This article explains why you might see the error code "SEC_ERROR_UNKNOWN_ISSUER" on HTTPS websites and how you can troubleshoot it.
This article explains why you might see the error code "SEC_ERROR_UNKNOWN_ISSUER" on HTTPS websites and how you can troubleshoot it.
Content:
On websites which are supposed to be secure (i.e. the URL begins with "http'''s'''://"), Firefox must verify that the certificate presented by the website is valid. If the certificate cannot be validated, Firefox will stop the connection to the website and show a "{for fx44}[[What does "Your connection is not secure" mean?|Your connection is not secure]]{/for}{for not fx44}[["This Connection is Untrusted" error message appears - What to do|This Connection is Untrusted]]{/for}" error message instead. This article explains why you might see the error code "SEC_ERROR_UNKNOWN_ISSUER" on websites and how to troubleshoot it.
__TOC__
= What does this error code mean? =
During a secure connection a website needs to provide a certificate issued by a trusted [https://en.wikipedia.org/wiki/Certificate_authority certificate authority] in order to ensure that the user is connected to the intended target and the connection is encrypted. If you get a "{for fx44}Your connection is not secure{/for}{for not fx44}This Connection is Untrusted{/for}" error page and see the error code "SEC_ERROR_UNKNOWN_ISSUER" after you click on {for fx44}{button Advanced}{/for}{for not fx44}{menu Technical Details}{/for}, it means that the certificate provided was issued by a certificate authority that is not known by Firefox and therefore cannot be trusted by default.
{for fx44}[[Image:Fx44 SEC_ERROR_UNKNOWN_ISSUER error]]{/for}
= The error occurs on multiple secure sites =
In case you get this problem on multiple unrelated HTTPS-sites, it indicates that something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox. The most common causes are security software scanning encrypted connections or malware listening in, replacing legitimate website certificates with their own.
== Antivirus Products ==
Generally, if your security product contains a feature to scan encrypted connections, you could try to reinstall the security product, which might trigger the software to place its certificates into the Firefox trust store again. Try the following solutions for particular security products:
=== Avast ===
In Avast security products you can disable the interception of secure connections:
# Open the dashboard of your Avast application.
# Go to {menu Settings} > {menu Active Protection} and click {button Customize} next to {menu Web Shield}.
# Uncheck the {pref Enable HTTPS Scanning} setting and confirm this by clicking {button OK}.
More Information about this feature is available on this [https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/ Avast Blog].
=== Bitdefender ===
In Bitdefender security products you can disable the interception of secure connections:
# Open the dashboard of your Bitdefender application.
# For the 2016 version of the Bitdefender security product click on {menu Modules}. For the 2015 version click on {menu Protection}.
# Click on {menu Web Protection}.
# Toggle off the {pref Scan SSL} setting.
For corporate Bitdefender products, please refer to this [http://www.bitdefender.com/support/how-to-enable-ssl-https-scanning-in-cloud-security-for-endpoints-1117.html Bitdefender Support Center page].
=== ESET ===
In ESET security products you can try to disable and re-enable ''SSL/TLS protocol filtering'' or generally disable the interception of secure connections as described in [http://support.eset.com/kb3126/ ESET’s support article].
=== Kaspersky ===
In Kaspersky security products you can disable the interception of secure connections:
# Open the dashboard of your Kaspersky application.
# Click on {menu Settings} on the bottom-left.
# Click {menu Additional} and then {menu Network}.
# For the 2016 version of the Kaspersky security product check the {pref Do not scan encrypted connections} option and confirm this change. For the 2015 version uncheck the {pref Scan encrypted connections} option.
== Family Safety settings in Windows accounts ==
In Microsoft Windows accounts protected by Family Safety settings, secure connections on popular websites like Google, Facebook and YouTube might be intercepted and their certificates replaced by a certificate issued by Microsoft in order to filter and record search activity.
Read this [http://windows.microsoft.com/en-us/windows/family-features-remove-uninstall-faq Microsoft FAQ page] on how to turn off these family features for accounts. {for win8, win10}In case you want to manually install the missing certificates for affected accounts, you can refer to this [https://support.microsoft.com/en-us/kb/2965142#bookmark-2 Microsoft support article].{/for}
== Monitoring/Filtering in corporate networks ==
Some traffic monitoring/filtering products used in corporate environments might intercept encrypted connections by replacing a website's certificate with their own, at the same time possibly triggering errors on secure HTTPS-sites.
If you suspect this might be the case, please contact your IT department to ensure the correct configuration of Firefox to enable it working properly in such an environment.
== Malware ==
Some forms of malware intercepting encrypted web traffic can cause this error message - refer to the article [[Troubleshoot Firefox issues caused by malware]] on how to deal with malware problems.
= The error occurs on one particular site only =
In case you get this problem on one particular site only, this type of error indicates that the web server is not configured properly: The website's certificate might not have been issued by a trusted certificate authority itself and no complete certificate chain to a trusted authority was provided either (a so-called "intermediate certificate" is missing). You should contact the owner of the website and inform him of the error.
If the website allows it, you can add an exception in order to visit the site, in spite its certificate is not being trusted by default:
# On the warning page, click {for fx44}{button Advanced}{/for}{for not fx44}{menu I understand the Risks}{/for}.
# Click {button Add Exception…}. The ''Add Security Exception'' dialog will appear.
# Read the text describing the problems with the website. You can click {button View…} in order to closer inspect the untrusted certificate as well.
# Click {button Confirm Security Exception} if you are sure you want to trust the site.
{warning}'''Warning:''' You should never add a certificate exception for a legitimate major website or sites where financial transactions take place – in this case an invalid certificate can be an indication that your connection is compromised by a third party.{/warning}
On websites which are supposed to be secure (i.e. the URL begins with "http'''s'''://"), Firefox must verify that the certificate presented by the website is valid. If the certificate cannot be validated, Firefox will stop the connection to the website and show a "{for fx44}[[What does "Your connection is not secure" mean?|Your connection is not secure]]{/for}{for not fx44}[["This Connection is Untrusted" error message appears - What to do|This Connection is Untrusted]]{/for}" error message instead. This article explains why you might see the error code "SEC_ERROR_UNKNOWN_ISSUER" on websites and how to troubleshoot it.
__TOC__
= What does this error code mean? =
During a secure connection a website needs to provide a certificate issued by a trusted [https://en.wikipedia.org/wiki/Certificate_authority certificate authority] in order to ensure that the user is connected to the intended target and the connection is encrypted. If you get a "{for fx44}Your connection is not secure{/for}{for not fx44}This Connection is Untrusted{/for}" error page and see the error code "SEC_ERROR_UNKNOWN_ISSUER" after you click on {for fx44}{button Advanced}{/for}{for not fx44}{menu Technical Details}{/for}, it means that the certificate provided was issued by a certificate authority that is not known by Firefox and therefore cannot be trusted by default.
{for fx44}[[Image:Fx44 SEC_ERROR_UNKNOWN_ISSUER error]]{/for}
{warning}'''Warning:''' You should never add a certificate exception for a legitimate major website or sites where financial transactions take place – in this case an invalid certificate can be an indication that your connection is compromised by a third party.{/warning}
= The error occurs on multiple secure sites =
In case you get this problem on multiple unrelated HTTPS-sites, it indicates that something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox. The most common causes are security software scanning encrypted connections or malware listening in, replacing legitimate website certificates with their own.
== Antivirus Products ==
Generally, if your security product contains a feature to scan encrypted connections, you could try to reinstall the security product, which might trigger the software to place its certificates into the Firefox trust store again. Try the following solutions for particular security products:
=== Avast ===
In Avast security products you can disable the interception of secure connections:
# Open the dashboard of your Avast application.
# Go to {menu Settings} > {menu Active Protection} and click {button Customize} next to {menu Web Shield}.
# Uncheck the {pref Enable HTTPS Scanning} setting and confirm this by clicking {button OK}.
More Information about this feature is available on this [https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/ Avast Blog].
=== Bitdefender ===
In Bitdefender security products you can disable the interception of secure connections:
# Open the dashboard of your Bitdefender application.
# For the 2016 version of the Bitdefender security product click on {menu Modules}. For the 2015 version click on {menu Protection}.
# Click on {menu Web Protection}.
# Toggle off the {pref Scan SSL} setting.
For corporate Bitdefender products, please refer to this [http://www.bitdefender.com/support/how-to-enable-ssl-https-scanning-in-cloud-security-for-endpoints-1117.html Bitdefender Support Center page].
=== ESET ===
In ESET security products you can try to disable and re-enable ''SSL/TLS protocol filtering'' or generally disable the interception of secure connections as described in [http://support.eset.com/kb3126/ ESET’s support article].
=== Kaspersky ===
In Kaspersky security products you can disable the interception of secure connections:
# Open the dashboard of your Kaspersky application.
# Click on {menu Settings} on the bottom-left.
# Click {menu Additional} and then {menu Network}.
# For the 2016 version of the Kaspersky security product check the {pref Do not scan encrypted connections} option and confirm this change. For the 2015 version uncheck the {pref Scan encrypted connections} option.
== Family Safety settings in Windows accounts ==
In Microsoft Windows accounts protected by Family Safety settings, secure connections on popular websites like Google, Facebook and YouTube might be intercepted and their certificates replaced by a certificate issued by Microsoft in order to filter and record search activity.
Read this [http://windows.microsoft.com/en-us/windows/family-features-remove-uninstall-faq Microsoft FAQ page] on how to turn off these family features for accounts. {for win8, win10}In case you want to manually install the missing certificates for affected accounts, you can refer to this [https://support.microsoft.com/en-us/kb/2965142#bookmark-2 Microsoft support article].{/for}
== Monitoring/Filtering in corporate networks ==
Some traffic monitoring/filtering products used in corporate environments might intercept encrypted connections by replacing a website's certificate with their own, at the same time possibly triggering errors on secure HTTPS-sites.
If you suspect this might be the case, please contact your IT department to ensure the correct configuration of Firefox to enable it working properly in such an environment.
== Malware ==
Some forms of malware intercepting encrypted web traffic can cause this error message - refer to the article [[Troubleshoot Firefox issues caused by malware]] on how to deal with malware problems.
= The error occurs on one particular site only =
In case you get this problem on one particular site only, this type of error indicates that the web server is not configured properly: The website's certificate might not have been issued by a trusted certificate authority itself and no complete certificate chain to a trusted authority was provided either (a so-called "intermediate certificate" is missing). You should contact the owner of the website and inform him of the error.
If the website allows it, you can add an exception in order to visit the site, in spite its certificate is not being trusted by default:
# On the warning page, click {for fx44}{button Advanced}{/for}{for not fx44}{menu I understand the Risks}{/for}.
# Click {button Add Exception…}. The ''Add Security Exception'' dialog will appear.
# Read the text describing the problems with the website. You can click {button View…} in order to closer inspect the untrusted certificate as well.
# Click {button Confirm Security Exception} if you are sure you want to trust the site.