Unknown certificate issuer on new Firefox profile on Windows 10
Using 64-bit Firefox on a Windows 10 system (version 1909, OS Build 18363.476), there is a site which works fine when using an old profile but which for new profiles gives a “Did Not Connect: Potential Security Issue” message with error code SEC_ERROR_UNKNOWN_ISSUER.
Steps to reproduce:
1. Visit https://www.bancosantander.es/
2. Click on the top-right red square with a lock icon and the text “Acceso clientes” / “Accés clients”
A frame with a login form should appear but instead an error page shows up (the certificate is for particulares.bancosantander.es and the issuer CN Entrust Certification Authority - L1M; if necessary I can paste the about:certificate string).
The profiles that work were created on previous builds of both Firefox and Windows. On the aforementioned Windows version, all tested Firefox builds (stable 71.0.0 and unbranded builds reaching back to Firefox 68.0.1) do not work (the profiles might have been created earlier but I don't know where to get earlier builds which won't require installing).
What could be the problem, and how could it be fixed?
Chosen solution
Can you post the certificate code (base 64) ?
What security software do you have?
See also:
Try to copy cert9.db from the old profile to the new profile.
You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.
- Help -> Troubleshooting Information -> Profile Folder/Directory:
Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder - https://support.mozilla.org/en-US/kb/Profiles
All replies (3)
The computer has no additional security software that I am aware of and I believe no certificates have been manually installed.
Having a better look at the certificate being served,{1} could it be that the server is currently not providing the intermediate ones? When comparing, I had forgotten that Chrome works around that server issue, and now that I have taken my time to understand Firefox's current certificate information window I would say that this is the case — and likely the problem.
I hadn't thought that the working profiles might be relying on cached information. I imagine that this is why your proposed workaround/test of copying cert9.db from a working to a non-working profile makes things work. Thanks!
{1} I don't know of a better way to export the certificates that Firefox is getting (suggestions are welcome), so sorry for the formatting monstrosity:
Modified by cor-el on
I've formatted the certificate code.
There are indeed chain issues reported:
- https://www.ssllabs.com/ssltest/analyze.html?d=particulares.bancosantander.es&latest
- Entrust Certification Authority - L1M
- http://aia.entrust.net/l1m-chain256.cer (direct download; not tested)
Firefox caches intermediate certificates sent by servers, so this may work if you have visited a server in the past that sends this intermediate certificate. If you have a browser that works then export the missing intermediate certificate or use the above posted download link and import this certificate in the Firefox Certificate Manager under the Authorities tab.
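
The failure discussed in this thread, a server that omits its intermediate and a client that only succeeds when it already holds that intermediate, can be reproduced offline with the openssl CLI. This is an added example, not part of any post above; the CA names, host name and AIA URL are constructed.

```bash
#!/bin/sh
# Constructed PKI: root -> intermediate -> leaf. All names and the AIA URL are made up.
set -eu
work=$(mktemp -d) && cd "$work"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:login.example.test
authorityInfoAccess = caIssuers;URI:http://aia.example.test/intermediate.cer
EOF

# issue NAME CN EXT_SECTION SIGNER: new key and CSR, then a certificate signed by SIGNER.
issue() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
    -days 2 -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

build_chain() {
  # Self-signed root: stands in for the root already present in the client's trust store.
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
  issue int  "Example Intermediate CA" v3_ca   root
  issue leaf "login.example.test"      v3_leaf int
}

# Server sends only the leaf and the client holds only the root: no path can be built.
verify_leaf_only() { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
# Same client, but the intermediate is available (sent by the server, cached, or imported).
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}
# The verifier's reason for rejecting the leaf-only case.
leaf_only_error() {
  openssl verify -CAfile root.pem leaf.pem 2>&1 |
    grep -o 'unable to get local issuer certificate' | head -n 1
}
# Where the leaf says its issuer certificate can be fetched (AIA caIssuers).
aia_url() { openssl x509 -in leaf.pem -noout -text | sed -n 's/^ *CA Issuers - URI://p'; }

build_chain
verify_leaf_only && echo "leaf only: trusted" || echo "leaf only: rejected ($(leaf_only_error))"
verify_with_intermediate && echo "with intermediate: trusted" || echo "with intermediate: rejected"
echo "AIA caIssuers: $(aia_url)"
```

The leaf-only rejection is the openssl counterpart of SEC_ERROR_UNKNOWN_ISSUER, and the second check corresponds to a profile whose cert9.db already contains the intermediate.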