Firefox and SEC_ERROR_UNKNOWN_ISSUER


#1

Recently I’ve been unable to visit our site via Firefox, which now reports Error code: SEC_ERROR_UNKNOWN_ISSUER.

This only happens on Firefox. I tried to look for other sites which experience the same error and was surprised that even https://ssllabs.com is affected (which I ended up using to verify the integrity of our certificate).

Now, I do have an antivirus (Bitdefender - Free) which doesn’t allow me to toggle the SSL option separately. Regardless, if I turn off my Protection Shield, both our site and ssllabs.com work. Not something we want our visitors to do, of course, so I kept reading and eventually found myself reading about intermediate certificates.

From what I’ve gathered, the certificate I define in my nginx configuration should include the intermediate certificate, which I do not know where to get. Our nginx is using certificates provided by Cloudflare (which come as a .key/.pem pair), like so:

ssl_certificate      /home/ubuntu/cloudflare/www.site.com.pem;
ssl_certificate_key  /home/ubuntu/cloudflare/www.site.com.key;

The .pem file contains only a single certificate block. What is an Intermediate CA, and where can I secure that and set it up?

Also, in Firefox, clicking the Advanced button and then the Error code: SEC_ERROR_UNKNOWN_ISSUER will display certificate-like text I think I could use, but I hesitated to try. The contents provided by Firefox are composed of two certificate blocks, neither of which looks similar to the existing one provided by Cloudflare. My hunch is that this is the certificate Bitdefender is injecting, but really I don’t have a clue.


#2

Domain?


#3

It’s https://staging.globalpropertyguide.com


#4

Loads fine for me on Firefox.

[screenshot]


#5

That is weird, because I’m still getting it (I’m in Asia BTW), and my employer still does from Europe.

Attached is a snippet from ssllabs which leads me to believe this is an Intermediate CA.


#6

I appear to get the same certificate, but Firefox accepts it in my case. Can you post a screenshot of the error as well as one of the certificate details in the browser?

Considering you are proxying through Cloudflare, you do not need to worry about the configuration on your server, as that would only be relevant for the connection between Cloudflare and your server. The issue at hand, however, seems to be with the Cloudflare certificate.


#7

[screenshot]


#8

I had to Accept the Risk and Continue to get the following:

Hope this helps. Appreciate your help, Sandro.


#9

Wow…different Common Name. The OP’s screenshot shows the cert was issued three days ago. I guess different datacenters can end up with different certificates.

I’m getting the same CN as @sandro, and it was issued four days ago.

The Cert #3 screenshot is normal. It’s the most backwards-compatible one for older browsers.

https://www.ssllabs.com/ssltest/analyze.html?d=staging.globalpropertyguide.com&s=104.25.103.105&latest


#10

“Verified by Bitdefender”? It almost seems as if something is replacing that certificate. Can you try it on another machine? Do you have anything remotely network security related installed on your machine or the network? You referred to “Bitdefender” in your first post. Any way to disable that?


#11

Could it be that thing is opening the TLS tunnel? :flushed:

https://www.bitdefender.com/support/what-to-do-when-security-certificates-cannot-be-verified-installed-1090.html


#12

@sandro I could definitely disable Bitdefender, but that’s the antivirus I’m running on my desktop. I also think that’s not something we can expect the visitors would appreciate doing just to view our content. Hence, the option to fix this serverside if possible.

It’s a relief to know not everyone using Firefox is affected.

@sdayman On the ssllabs screenshot I posted I’m getting a Chain issues: Incomplete and Signature algorithm: SHA1withRSA INSECURE, exactly like my screenshot, but you and sandro seem to be seeing differently? Could you grab a screenshot so I can show it around here in the office?
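The two chain questions raised so far, the single-block .pem from post #1 and the “Chain issues: Incomplete” reading in this post, can be checked offline against the bundle nginx is configured to serve. This is an added example, not code from the thread: it assumes the openssl CLI is installed and generates its own demo certificates; as post #6 notes, behind the Cloudflare proxy browsers see Cloudflare’s chain, so this only validates the origin-side bundle.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a PEM bundle, such as the file
# handed to nginx's ssl_certificate, carries the intermediate certificate(s) a browser
# needs to link the leaf to a trusted root. Assumes the openssl CLI is installed; every
# certificate used here is generated locally as demo material.

# Issuer or subject of a PEM certificate, without the "issuer="/"subject=" prefix.
name() { openssl x509 -noout -"$1" -in "$2" | sed "s/^$1=//"; }
# Prints complete, incomplete, misordered, self-signed or empty for bundle $1.
# Complete means: leaf first, and every certificate's issuer equals the subject
# of the certificate that follows it (the order nginx and TLS clients expect).
check_chain() {
  work=$(mktemp -d)
  # split the bundle into cert-1.pem, cert-2.pem, ... (one certificate per file)
  awk -v dir="$work" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f) }' "$1"
  n=$(ls "$work"/cert-*.pem 2>/dev/null | wc -l | tr -d ' ')
  result=complete
  if [ "$n" -eq 0 ]; then result=empty
  elif [ "$n" -eq 1 ]; then
    # a lone certificate is fine only if it is a self-signed root; a lone leaf
    # (the single-block .pem from post #1) is missing its intermediate
    [ "$(name issuer "$work/cert-1.pem")" = "$(name subject "$work/cert-1.pem")" ] \
      && result=self-signed || result=incomplete
  else
    i=1
    while [ "$i" -lt "$n" ]; do
      [ "$(name issuer "$work/cert-$i.pem")" = "$(name subject "$work/cert-$((i+1)).pem")" ] \
        || result=misordered
      i=$((i+1))
    done
  fi
  rm -rf "$work"
  echo "$result"
}

# Demo material only: key + CSR for CN $1 into $d/$2.*, and signing of $1's CSR by CA $2.
csr()  { openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$d/$2.key" -out "$d/$2.csr" 2>/dev/null; }
sign() { openssl x509 -req -days 2 -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" -CAcreateserial -out "$d/$1.pem" 2>/dev/null; }
# Builds root -> intermediate -> leaf in $1; leaf.pem alone mirrors the OP's bundle, full-chain.pem is what an origin should serve.
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  csr 'Demo Intermediate CA' int && sign int root
  csr www.example.test leaf && sign leaf int
  cat "$d/leaf.pem" "$d/int.pem" > "$d/full-chain.pem"
}
```

A complete bundle lists the leaf first followed by its intermediates; the root itself is optional because clients must already trust it from their own store.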


#13

I don’t know what this Bitdefender does, but currently it almost seems as if it replaces the certificate and thereby renders it invalid. That is rather speculation at this point, but it is the only conclusion I could draw so far based on the available information.

In any case, there is nothing you can do on the server side as the connection does not go to your server but to Cloudflare.


#14

@sandro Glad to know there is nothing I could add to the web server to fix this. Will try to drop here again tomorrow if I find any additional leads. Thank you guys for the help!


#15

As a first step I’d definitely try to rule out Bitdefender by disabling it and checking whether the issue gets resolved. Considering what your screenshots said I am quite confident it will.


#16

The link I posted shows the same issue, yet I can reach your site with Firefox.

