
How to Fix SEC_ERROR_UNKNOWN_ISSUER Error in Firefox


What Does SEC_ERROR_UNKNOWN_ISSUER Error Mean?

The SEC_ERROR_UNKNOWN_ISSUER error in Firefox indicates that the website’s security certificate is not trusted. This usually happens when the certificate is self-signed, expired, or issued by an unknown certificate authority. While annoying, this error is a security feature that protects users from potential threats. This guide will walk you through the steps to fix the SEC_ERROR_UNKNOWN_ISSUER error in Firefox.

Understanding the SEC_ERROR_UNKNOWN_ISSUER Error

When you try to access a website in Firefox, it establishes a secure HTTPS connection using SSL/TLS certificates. The certificate proves the website’s identity and encrypts the browsing session.

Firefox checks the certificate against a list of trusted Certificate Authorities (CAs) that issue valid certificates. If the cert is signed by a CA that Firefox doesn’t trust, you will see the SEC_ERROR_UNKNOWN_ISSUER error.

Some common reasons for this error include:

  • The website uses a self-signed certificate instead of one issued by a trusted CA.
  • The certificate has expired and needs to be renewed.
  • The CA that issued the certificate is not in Firefox’s trusted list. This may happen with smaller or privately operated CAs.
  • There are problems with the website’s certificate configuration.
  • Your system’s date and time settings are incorrect.

7 Easy Steps to Fix SEC_ERROR_UNKNOWN_ISSUER Error in Firefox

Step 1 – Check the Website Certificate

The first step is to examine the website’s certificate in detail. This will provide information about the error and help troubleshoot it.

View the Certificate in Firefox

  • In Firefox, go to the website showing the error.
  • Click the lock icon next to the URL and select ‘More Information’.
  • On the page that opens, go to the ‘Security’ tab.
  • Click ‘View Certificate’.

Check the Following in the Certificate

  • Issued To: This should match the website domain name.
  • Issued By: The CA that issued the certificate. Note if it is unknown or missing.
  • Validity Period: Check if the cert is expired.
  • Signature Algorithm: It should use a modern hash algorithm like SHA-256.

If the certificate is invalid, contact the website owner to renew or reissue it.

Step 2 – Check Firefox Certificate Authorities

One cause for the error is that Firefox doesn’t trust the CA that issued the certificate. Firefox maintains a list of trusted root CAs that websites typically use.

To check this:

  • Go to Firefox Options/Preferences > Privacy & Security
  • Scroll down to ‘Certificates’ and click ‘View Certificates’.
  • Go to the ‘Authorities’ tab.
  • Look for the CA that issued the website certificate.

If the CA is not in the list, Firefox will not trust certificates issued by it. You can try contacting the CA to get added to Firefox’s root list.

Alternatively, you can manually add the CA certificate to the trusted list in Firefox, as outlined in the next step.

Step 3 – Import the CA Certificate into Firefox

If the issuing CA is not recognized by Firefox, you can manually add its certificate to the trust list:

Obtain Certificate

  • Contact the website owner and ask them to provide the CA certificate file. Alternatively, the CA may make certificates publicly available on their website.

Import CA Certificate

  • Open Firefox Options/Preferences > Privacy & Security
  • Scroll down to ‘Certificates’ and click ‘View Certificates’.
  • Go to the ‘Authorities’ tab and click ‘Import’.
  • Select the CA certificate file and add it to the list.

Trust the CA

  • Go to the ‘Authorities’ tab.
  • Find the newly added CA certificate.
  • Check the box to ‘Trust this CA to identify websites’.

The CA is now trusted by Firefox and websites using its issued certificates will work.

Step 4 – Add a Security Exception in Firefox

If you are unable to fix the root cause of the error, you can bypass it by adding a permanent security exception for the site:

  • Restart Firefox and try accessing the problematic website.
  • When you see the error, click ‘Advanced’ > ‘Add Exception’.
  • Confirm the security exception by clicking ‘Confirm Security Exception’.

This makes Firefox permanently ignore future SEC_ERROR_UNKNOWN_ISSUER errors for the site. Note that this workaround comes with security risks if the certificate is invalid. Only do this for trusted sites.

Step 5 – Refresh Firefox’s Certificate Cache

In some cases, the error may occur due to corruption in Firefox’s certificate cache. Clearing the cache forces Firefox to rebuild its list of trusted certificates.

To refresh the cache:

  • Type about:config in the address bar and hit Enter.
  • Search for security.tls.version.max and set the value to 4.
  • Search for security.tls.version.fallback-limit and set the value to 3.
  • Restart Firefox.

This will flush the cached certificates and may resolve the issue.

Step 6 – Check System Date & Time Settings

If your system’s date and time settings are incorrect, it can cause website certificates to appear expired and trigger the error.

  • Go to your Operating System’s Date & Time settings.
  • Make sure the date, time zone, and clock are accurate.
  • Re-launch Firefox and test the website again.

Setting the right date & time will validate certificates correctly and stop the error.

Step 7 – Reset Firefox to Default Settings

If none of the above steps work, you can try resetting Firefox to factory defaults. This eliminates any bad configurations or extensions causing problems with certificate validation.

Warning: Resetting will clear your Firefox profile including browsing data, extensions, and customizations.

To reset Firefox:

  • Click the menu button > Help > Troubleshooting Information.
  • Click the ‘Refresh Firefox’ button in the upper right.
  • Confirm the reset action in the dialog.
  • Firefox will restart with default settings.

Now test the problematic website again. The SEC_ERROR_UNKNOWN_ISSUER error should be resolved in a fresh profile.

Common Scenarios for SEC_ERROR_UNKNOWN_ISSUER Error

Here are some common scenarios that can trigger this error and how to fix them:

Using a Self-signed Certificate

Websites using self-signed certificates will show this error. Obtain a valid certificate from a trusted CA for the site to resolve it.

Certificate Expired

Check the validity dates on the certificate. Contact the website owner to renew the expired certificate.

New CA not Recognized

For smaller CAs, manually import the CA certificate into Firefox to add it to the trust list.

Server Misconfiguration

If the server is showing the wrong certificate for the domain, the site owner will need to fix the configuration.

Dates Incorrect on your System

Fix date and time settings on your OS if they are incorrect. Firefox uses this to validate certificates.

Problems with Firefox Profile

Reset Firefox to defaults to eliminate corrupt certificate caches and settings.

Troubleshooting Tips

  • Visit the site in Chrome or Edge to check whether the error occurs only in Firefox. This shows whether the issue is with the website certificate or with Firefox.
  • Check if the error shows up consistently on specific sites or is intermittent. Intermittent issues may be related to server or network problems.
  • Try accessing the site in Firefox’s private browsing mode. If it works, an extension may be interfering with certificate validation.
  • See if the website loads properly on a different network. Corporate proxies or firewalls could be blocking the certificate.
  • Test if the website works properly in a fresh Firefox profile without extensions. This isolates add-on related problems.
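The scenarios and tips above can also be checked outside any browser. The script below is an added example, not part of the original guide: it validates a host's certificate against Python's OpenSSL trust store (which is not Firefox's own store), maps the failure code to one of the causes listed on this page, and prints the leaf certificate's SHA-256 fingerprint. The host name example.com and all function names are placeholders chosen for illustration.

```python
import hashlib
import socket
import ssl

# OpenSSL verify codes mapped to the scenarios this page lists.
CAUSES = {
    18: "self-signed certificate",
    19: "chain ends in a self-signed root that is not trusted",
    20: "issuer not found: unknown CA or missing intermediate",
    21: "issuer not found: unknown CA or missing intermediate",
    10: "certificate has expired (or the local clock is ahead)",
    9: "certificate not yet valid (or the local clock is behind)",
    62: "certificate does not match the host name",
}

def classify(verify_code):
    """Turn an OpenSSL verify code into a likely cause."""
    return CAUSES.get(verify_code, f"other verification failure ({verify_code})")

def fingerprint(der):
    """SHA-256 fingerprint as colon-separated upper-case hex pairs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_leaf_der(host, port=443, timeout=5):
    """Fetch the server's leaf certificate without validating it (read-only)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def probe(host, port=443, timeout=5):
    """Validate against the OS/OpenSSL trust store and report the outcome."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                verdict = "chain validates outside Firefox"
    except ssl.SSLCertVerificationError as err:
        verdict = classify(err.verify_code)
    return verdict, fingerprint(fetch_leaf_der(host, port, timeout))

if __name__ == "__main__":
    # example.com is a placeholder; pass the host that shows the error.
    print(probe("example.com"))
```

If the chain validates here but fails in Firefox, the problem is on the Firefox side (its trust store or profile). If the fingerprint differs from the one Firefox's certificate viewer shows, or changes between networks, something such as a corporate proxy is substituting the certificate.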

Conclusion

The SEC_ERROR_UNKNOWN_ISSUER error arises when the certificate presented by a website is deemed untrusted by Firefox. It is often due to issues with the certificate itself, misconfigured CAs, or problems with Firefox’s certificate store.

Carefully inspecting the certificate details allows you to identify the source of the problem. Importing missing CA certificates, adding exceptions, and resetting Firefox are some ways to make Firefox trust the certificate again. For site owners, obtaining and maintaining valid certificates signed by recognized CAs is crucial.

While the error message may seem intimidating, it is easily resolved in most cases. Taking the time to diagnose it helps keep your browsing sessions secure.

Frequently Asked Questions

Why am I suddenly getting this error on websites that worked before?

There are a few possible reasons:

  • The website’s certificate may have recently expired. The site owner needs to renew it.
  • A change in Firefox’s trusted Certificate Authorities list could cause a previously working CA to no longer be recognized.
  • The certificate store in your Firefox profile could have become corrupted. Resetting Firefox fixes this.

Is it safe to add a security exception for sites showing this error?

Adding a permanent exception for sites with the SEC_ERROR_UNKNOWN_ISSUER error comes with some risks.

When you bypass the error, Firefox will no longer validate the identity or security of the site on future visits. This opens you up to potential man-in-the-middle attacks if the certificate is invalid.

Exceptions should only be added after verifying the site owner and ensuring the connection is secure through other means. Avoid exceptions on sensitive sites like banking or shopping applications.

I am seeing this error on my company network. How do I fix it?

Enterprise networks often use internal private CAs and certificate stores. If the internal CA is not trusted by Firefox, all company websites can show the error.

Your network admin will need to add the enterprise CA certificate to Firefox’s trusted certificates list. Alternatively, they may override the Firefox certificate store via group policy to use the company’s trusted CAs.

Can I disable certificate validation in Firefox to bypass the error?

Firefox does not provide any settings to fully disable certificate validation and bypass errors like SEC_ERROR_UNKNOWN_ISSUER. This is intentionally done for security reasons.

One workaround is using Firefox’s DNS over HTTPS (DoH) feature. By enabling DoH and choosing a provider that does not enforce certificate validation, you can bypass the checks.

However, disabling certificate validation leaves you vulnerable to attacks so this method is not recommended.

Why am I getting this error randomly on some websites?

Intermittent instances of the error, where certificate validation sometimes works and sometimes fails, point to issues like:

  • Problems with the server wrongly sending different certificates sporadically.
  • Latency in Firefox receiving CA certificate revocation lists, causing valid certificates to temporarily seem revoked.
  • Network outages or intermittent firewall/proxy problems blocking the certificate.

If the problem persists, report it on Firefox’s bug tracker with details like affected sites and error frequency.