搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

How can I eliminate the SEC_ERROR_UNKNOWN_ISSUER errors I get at multiple websites?

more options

I just installed FF 63 on a 64-bit Windows 7 machine, and I'm getting SEC_ERROR_UNKNOWN_ISSUER errors at many, but not all, websites. Reaching the same websites via the same URLs using Chrome works fine.

All discussions of this problem seem to lead to https://support.mozilla.org/en-US/kb/error-codes-secure-websites?redirectlocale=en-US&redirectslug=troubleshoot-SEC_ERROR_UNKNOWN_ISSUER, but it's not helpful. My antivirus is Bitdefender Free, which appears to have no option for disabling the interception of secure connections.

Running FF in safe mode behaves the same as in "normal" mode: I get SEC_ERROR_UNKNOWN_ISSUER errors at many (but not all) websites.

Help? As things stand now, FF is pretty close to useless for me.

I just installed FF 63 on a 64-bit Windows 7 machine, and I'm getting SEC_ERROR_UNKNOWN_ISSUER errors at many, but not all, websites. Reaching the same websites via the same URLs using Chrome works fine. All discussions of this problem seem to lead to https://support.mozilla.org/en-US/kb/error-codes-secure-websites?redirectlocale=en-US&redirectslug=troubleshoot-SEC_ERROR_UNKNOWN_ISSUER, but it's not helpful. My antivirus is Bitdefender Free, which appears to have no option for disabling the interception of secure connections. Running FF in safe mode behaves the same as in "normal" mode: I get SEC_ERROR_UNKNOWN_ISSUER errors at many (but not all) websites. Help? As things stand now, FF is pretty close to useless for me.

被采纳的解决方案

I got the following information from Bitdefender, which resolved the problem for me:

In order to resolve this issue please follow these steps:

- open Firefox - press on the menu button in the upper right that looks like three bars one under another - go to Options - go to Privacy & Security - press on View certificates - go to Authorities - delete any Bitdefender entries in the list - press on Import - navigate to C:\Program Files\Bitdefender Antivirus Free\web\mitm_cache - select fake-ca.crt and press on Open - check all the boxes you are prompted with - press on next until the certificate is installed

Restart Firefox. A restart of the computer may also be required.

定位到答案原位置 👍 2

所有回复 (12)

more options

Hi LangfristigerFFUser, Bitdefender might be the culprit for this problem. We could try to confirm that by checking one of the certificates Firefox objects to if you're not sure.

They offer these instructions, but they are not for your version?

https://www.bitdefender.com/support/what-to-do-when-security-certificates-cannot-be-verified-installed-1090.html


Here are two workarounds to get Firefox to trust all of the fake certificates Bitdefender or another "man in the middle" will generate:

Option #1: Import the Signing Certificate

If you import the program's signing certificate into Firefox's certificate store, then all of its fake certificates will be trusted.

(A) If you do not already have a certificate file ready to import, you can export it from IE or Chrome.

  • This may appear in IE's Certificates dialog OR it may appear when you view the certificate details on any secure page you load in IE/chrome
  • The Export or Copy to file button starts the Export Wizard. Use the DER format and save to a convenient location

Example screenshots: https://support.mozilla.org/questions/1199797#answer-1064849

(B) When finished with all the necessary exports to complete the chain in the Certification Path, you can import the certificate(s) into the Firefox Authorities tab:

  • Windows: "3-bar" menu button (or Tools menu) > Options
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box at the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the security software's certificate.

(See Fourth and fifth screenshots in the above-linked post.)

When asked, I suggest allowing the certificate for websites only unless your IT suggests otherwise.

It's a bit of pain, but the advantage of that approach is that you are making the minimal compromise of security.

Option #2: Trust all Signing Certificates in the Windows Cert Store

(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.

(B) In the search box above the list, type or paste enterp and pause while the list is filtered

(C) Double-click the security.enterprise_roots.enabled preference to switch the value from false to true

I'm not sure whether that will start working immediately or after the next time to exit Firefox and start it up again. I guess you'll know if you visit an HTTPS address and Firefox no longer objects.

The disadvantage of this method is that any security compromise of the system certificate store will affect Firefox, too. This may be a lesser concern on a business system; it's more of an issue on a home system.

Do either of those work for you?

more options

You can check if there is more detail available about the issuer of the certificate.

  • click the "Advanced" button show more detail
  • click the blue error text (SEC_ERROR_UNKNOWN_ISSUER) to show the certificate chain
  • click "Copy text to clipboard" and paste the base64 certificate chain text in a reply

If clicking the blue error text doesn't provide the certificate chain then try these steps to inspect the certificate.

  • open the Servers tab in the Certificate Manager
    • Options/Preferences -> Privacy & Security
      Certificates: View Certificates -> Servers: "Add Exception"
  • paste the URL of the website (https://xxx.xxx) in it's Location field

Let Firefox retrieve the certificate -> "Get Certificate"

  • click the "View" button and inspect the certificate

You can see detail like the issuer of the certificate and intermediate certificates in the Details tab.

See also:

more options

Here's the certificate chain for one of the URLs that give rise to the problem. I have no idea how to interpret this information.


https://answers.microsoft.com/en-us/office/forum/office_2010-excel/is-office-2010-fully-compatible-with-office-2013/badd50d4-177e-4e5e-836b-6189e5361873

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: true HTTP Public Key Pinning: false

Certificate chain:


BEGIN CERTIFICATE-----

MIIEAjCCAuqgAwIBAgIJAI2UMgV6VVsZMA0GCSqGSIb3DQEBCwUAMGAxLTArBgNV BAMMJEJpdGRlZmVuZGVyIFBlcnNvbmFsIENBLmF2ZnJlZTAwMDAwMDEMMAoGA1UE CwwDSURTMRQwEgYDVQQKDAtCaXRkZWZlbmRlcjELMAkGA1UEBhMCVVMwHhcNMTgw NDI0MTgyNjE5WhcNMjAwNDI0MTgyNjE5WjCBjDELMAkGA1UEBhMCVVMxCzAJBgNV BAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y cG9yYXRpb24xHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEeMBwGA1UE AxMVYW5zd2Vycy5taWNyb3NvZnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEAs9eNNQyGbqLiBGxsijOzgPjzqNB//0kQTq5a6aZL/bPCEn58Ls0e frzTodvIekB83V9Ktlv8RikIaPuOv8bPNtSarzGhmE0mfcerMFIEqwcuRRQc2//d 04l0cvwGZaYIeRvRS4wvxxzrFhcyiZu4s+E3XvotW++ZaKA6dyDQq4vIQVfNQwUI P3Q+YLBUT4MGTYVPMARNoekpT2zw9U7YnGP+euBvsYGDEM1y5xYiH87SbmsfpkZJ rnARq83d61Lm5J7JT79ph3f9pBXwQRBoyzeBeMLIs5hjZ/n2FdEj+ISAbH6jRMRG 9UpTlcRw7wfKY9o1GEJxySQCVeBvx7mm+wIDAQABo4GRMIGOMDYGA1UdHwQvMC0w K6ApoCeGJWh0dHA6Ly8xMjcuMTI3LjEyNy4xMjc6MzkzOS9lZjUwYy5jcnQwVAYD VR0RBE0wS4IZdWF0LWFuc3dlcnMubWljcm9zb2Z0LmNvbYIXY29tbXVuaXR5Lm9m ZmljZTM2NS5jb22CFWFuc3dlcnMubWljcm9zb2Z0LmNvbTANBgkqhkiG9w0BAQsF AAOCAQEACXNIjoDzVO2r0jpbFvoP72YAd6+Cdr/Y/tB5ZNAntjmcBPCeK7q9V8xy gVYhbMGi48vgOt1J4c2l8xNYpkxrOroWpQ1Hd7AwUltDGnwT3xE10dBbULVMjDxc XaUSelZ4/2X2hDXcte7qbbfduISCvKOI2JkCRyfQ/ndv94EtxQO+LF1K+82N4AMh UWjsue/56rCa7W4VCuo4F0tDIPQMBdr+ic0T3JejtOPa/NSrDnQgWokJet/E3sGq dY8HG5OAvebWEJ/a4u/ns+ItX6bi0YeV61dBESjXWX6j8FkJhYDFlvRyTuNImJWE fRis8l35ZX8Ma7W8MBYywcLwBdPP5A==


END CERTIFICATE-----
BEGIN CERTIFICATE-----

MIIDZjCCAk6gAwIBAgIJANJMYPRGumcLMA0GCSqGSIb3DQEBCwUAMGAxLTArBgNV BAMMJEJpdGRlZmVuZGVyIFBlcnNvbmFsIENBLmF2ZnJlZTAwMDAwMDEMMAoGA1UE CwwDSURTMRQwEgYDVQQKDAtCaXRkZWZlbmRlcjELMAkGA1UEBhMCVVMwHhcNMTAw MTAxMDgwMDAwWhcNMjgxMDA1MjIzOTM5WjBgMS0wKwYDVQQDDCRCaXRkZWZlbmRl ciBQZXJzb25hbCBDQS5hdmZyZWUwMDAwMDAxDDAKBgNVBAsMA0lEUzEUMBIGA1UE CgwLQml0ZGVmZW5kZXIxCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAs9eNNQyGbqLiBGxsijOzgPjzqNB//0kQTq5a6aZL/bPCEn58 Ls0efrzTodvIekB83V9Ktlv8RikIaPuOv8bPNtSarzGhmE0mfcerMFIEqwcuRRQc 2//d04l0cvwGZaYIeRvRS4wvxxzrFhcyiZu4s+E3XvotW++ZaKA6dyDQq4vIQVfN QwUIP3Q+YLBUT4MGTYVPMARNoekpT2zw9U7YnGP+euBvsYGDEM1y5xYiH87Sbmsf pkZJrnARq83d61Lm5J7JT79ph3f9pBXwQRBoyzeBeMLIs5hjZ/n2FdEj+ISAbH6j RMRG9UpTlcRw7wfKY9o1GEJxySQCVeBvx7mm+wIDAQABoyMwITAPBgNVHRMBAf8E BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAU6zIyQg8 h9IBLupG77vEkhKRfdVTUWBXXYACjgH8qgqWwgDHXRorgZ0CFVZtR8d58y+WkWKa sHYe5SniBzBzI6WsKVHHIoFCdvnOa1E8ph/l/DK7kKHwY0uc9BugLenhqB4DyHEm 2r1IGRmuXPjeoGME02fb76cyZgDiGxvAcSH4KV7jKVa+99g4/QVvRuHFwTElv4uo w1M61Q+wie8+H9fgl9ocSmb1kb6G0tl7WRM+n6ikOAvRoJ2T5rmdDPZhUU9xJ1mL JN67GNfnqTuWQW6/c6N4oiZDEGxbXAkRemA5Dt2djiwLOzcBaj7jMan5r8nq5cHZ /GeEeKYAPGKt1Q==


END CERTIFICATE-----
more options

This certificate is issued by Bitdefender, so you need to check this software.


  • Subject C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=answers.microsoft.com
  • Issuer CN=Bitdefender Personal CA.avfree000000, OU=IDS, O=Bitdefender, C=US
more options

How can you tell that it's issued by Bitdefender?

In the meantime, I've opened a ticket with Bitdefender, because there does not seem to be a way to disable SSL scanning in the version I'm using. (It's the free version, so I don't think it does SSL scanning, anyway.)

A full Malwarebytes scan of my machine comes up clean.

more options

Hi LangfristigerFFUser, about this part --

How can you tell that it's issued by Bitdefender?

-- There are pages online that will decode the certificate to show what the fields say. For example, I use:

https://certlogik.com/decoder/

If you page everything between the BEGIN and END lines there, and submit it, then there will be a line for Issuer which has the information from the certificate that signed the fake site certificate.

more options

选择的解决方案

I got the following information from Bitdefender, which resolved the problem for me:

In order to resolve this issue please follow these steps:

- open Firefox - press on the menu button in the upper right that looks like three bars one under another - go to Options - go to Privacy & Security - press on View certificates - go to Authorities - delete any Bitdefender entries in the list - press on Import - navigate to C:\Program Files\Bitdefender Antivirus Free\web\mitm_cache - select fake-ca.crt and press on Open - check all the boxes you are prompted with - press on next until the certificate is installed

Restart Firefox. A restart of the computer may also be required.

由LangfristigerFFUser于修改

more options

Great, thank you for reporting back on those steps.

more options

LangfristigerFFUser said

I got the following information from Bitdefender, which resolved the problem for me: In order to resolve this issue please follow these steps: - open Firefox - press on the menu button in the upper right that looks like three bars one under another - go to Options - go to Privacy & Security - press on View certificates - go to Authorities - delete any Bitdefender entries in the list - press on Import - navigate to C:\Program Files\Bitdefender Antivirus Free\web\mitm_cache - select fake-ca.crt and press on Open - check all the boxes you are prompted with - press on next until the certificate is installed Restart Firefox. A restart of the computer may also be required.

It works! Thank you.

more options

Thanks for those instructions, they worked for me, although the location of mitm_cache was slightly different.

I'm on Windows 10 and I found it by searching for it in my Bitdefender folder. It was in C:\Program Files\Bitdefender\Bitdefender Security\mitm_cache

more options

LangfristigerFFUser said

I got the following information from Bitdefender, which resolved the problem for me: In order to resolve this issue please follow these steps: - open Firefox - press on the menu button in the upper right that looks like three bars one under another - go to Options - go to Privacy & Security - press on View certificates - go to Authorities - delete any Bitdefender entries in the list - press on Import - navigate to C:\Program Files\Bitdefender Antivirus Free\web\mitm_cache - select fake-ca.crt and press on Open - check all the boxes you are prompted with - press on next until the certificate is installed Restart Firefox. A restart of the computer may also be required.


Nope, that doesn't exist.

C:\Program Files\Bitdefender Antivirus Free\web\mitm_cache

Not only that, there's nothing about Bitdefender in Authorities to delete.

more options

Hi Clarino1, you probably have a Bitdefender folder in one of these locations:

  • C:\Program Files\Bitdefender [some product name]
  • C:\Program Files (x86)\Bitdefender [some product name]

What can you find?

Also, you would only need to remove a certificate from Firefox's Certificate Manager, Authorities tab, if you had previously imported a Bitdefender certificate and it has expired or no longer matches the product you're using.