Unknown certificate issuer on new Firefox profile on Windows 10

Using 64-bit Firefox on a Windows 10 system (version 1909, OS Build 18363.476), there is a site which works fine when using an old profile but which for new profiles gives a “Did Not Connect: Potential Security Issue” message with error code SEC_ERROR_UNKNOWN_ISSUER.

Steps to reproduce:

1. Visit https://www.bancosantander.es/

2. Click on the top-right red square with a lock icon and the text “Acceso clientes” / “Accés clients”

A frame with a login form should appear but instead an error page shows up (the certificate is for particulares.bancosantander.es and the issuer CN Entrust Certification Authority - L1M; if necessary I can paste the about:certificate string).

The profiles that work were created on previous builds of both Firefox and Windows. On the aforementioned Windows version, all tested Firefox builds (stable 71.0.0 and unbranded builds reaching back to Firefox 68.0.1) do not work (the profiles might have been created earlier but I don't know where to get earlier builds which won't require installing).

What could be the problem, and how could it be fixed?

cor-el

Chosen solution

Can you post the certificate code (base 64)?

What security software do you have?

See also:

  • https://support.mozilla.org/en-US/kb/error-codes-secure-websites

Try to copy cert9.db from the old profile to the new profile.

  • https://support.mozilla.org/en-US/kb/recovering-important-data-from-an-old-profile

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

  • Help -> Troubleshooting Information -> Profile Folder/Directory: Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder
  • https://support.mozilla.org/en-US/kb/Profiles

Question owner

The computer has no additional security software that I am aware of and I believe no certificates have been manually installed.

Having a better look at the certificate being served,{1} could it be that the server is currently not providing the intermediate ones? When comparing, I had forgotten that Chrome works around that server issue, and now that I have taken my time to understand Firefox's current certificate information window I would say that this is the case — and likely the problem.

I hadn't thought that the working profiles might be relying on cached information. I imagine that this is why your proposed workaround/test of copying cert9.db from a working to a non-working profile makes things work. Thanks!

{1} I don't know of a better way to export the certificates that Firefox is getting (suggestions are welcome), so sorry for the formatting monstrosity:


Modified by cor-el

cor-el

I've formatted the certificate code.

There are indeed chain issues reported:

  • https://www.ssllabs.com/ssltest/analyze.html?d=particulares.bancosantander.es&latest
  • Entrust Certification Authority - L1M
      • http://aia.entrust.net/l1m-chain256.cer (direct download; not tested)

Firefox caches intermediate certificates sent by servers, so this may work if you have visited a server in the past that sends this intermediate certificate. If you have a browser that works then export the missing intermediate certificate or use the above posted download link and import this certificate in the Firefox Certificate Manager under the Authorities tab.
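The diagnosis reached in this thread, as an added Python example that is not part of the original posts: it parses the `Certificate chain` section of `openssl s_client -showcerts` output and walks issuer links using only server-sent and cached certificates, which shows why a profile with a cached L1M intermediate validates while a fresh one reports an unknown issuer. The sample output, the root name and the function names are constructed for illustration.

```python
import re

# Constructed sample shaped like the "Certificate chain" section printed by
# `openssl s_client -connect HOST:443 -showcerts`; the server sends only the leaf.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:C = ES, CN = particulares.bancosantander.es
   i:C = US, CN = Entrust Certification Authority - L1M
---
Server certificate
"""

L1M = "Entrust Certification Authority - L1M"   # issuer CN named in the thread
ROOT = "Example Root CA (constructed)"           # placeholder root, not from the page

def cn(dn):
    """Extract the CN from a one-line DN (assumes CN is the last attribute)."""
    m = re.search(r"CN\s*=\s*(.+)$", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    subjects = re.findall(r"^[ \t]*\d+ s:(.*)$", text, re.M)
    issuers = re.findall(r"^[ \t]+i:(.*)$", text, re.M)
    return [(cn(s), cn(i)) for s, i in zip(subjects, issuers)]

def build_path(sent, cached, roots):
    """Walk issuer links from the leaf using only server-sent and cached certs.

    cached maps subject CN -> issuer CN (intermediates a profile has stored).
    Returns (ok, path, missing_issuer).
    """
    known = dict(cached)
    known.update(dict(sent[1:]))          # intermediates the server did send
    subject, issuer = sent[0]
    path = [subject]
    while issuer not in roots:
        if issuer not in known or issuer in path:
            return False, path, issuer    # no path: the unknown-issuer case
        path.append(issuer)
        issuer = known[issuer]
    return True, path + [issuer], None

if __name__ == "__main__":
    sent = parse_chain(SAMPLE_S_CLIENT)
    print("new profile:", build_path(sent, {}, {ROOT}))
    print("old profile:", build_path(sent, {L1M: ROOT}, {ROOT}))
```

A chain listing that stops at entry 0 while the leaf's issuer is not a root is the server-side misconfiguration; the durable fix is for the server to send the intermediate rather than for each client to import it.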