I allowed Firefox to update today (MacOS 10.11.6, Firefox 61.0.2, 64-bit) and can no longer browse - Firefox claims all certs are bad, even Mozilla's cert.
I let Firefox upgrade this morning to 61.0.2, 64-bit on MacOS 10.11.6. Now it claims all certs are bad (even Mozilla's certs) with the following type of message "Your connection is not secure. The owner of www.mozilla.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website. Learn more… Report errors like this to help Mozilla identify and block malicious sites"
I either add exceptions (which seems wrong) or I cannot browse to any site.
I let the upgrade occur because Firefox claimed it had a slow start up and wanted to fix that.
Chosen solution
A followup - I did find how to tell AVG to not do the man-in-the-middle checks, and that does allow Firefox to reach sites I've used for years (Mozilla, MSN, F1, etc.)
A good and fast support system - thanks to all that helped.
All Replies (8)
Hi, first please make sure that the date, time & timezone are set correctly on your system. If this doesn't solve the issue (or it is already set properly), a solution depends on the individual circumstances:
- What is the error code shown when you click on Advanced on that error page?
- Please also give us more information about the error by clicking on the error code, copying the text to the clipboard and then pasting it here into a reply in the forum as shown in the screenshot.
Thank you!
The error message is "SEC_ERROR_UNKNOWN_ISSUER", and if you click on that you get the cert displayed and 'Peer’s Certificate issuer is not recognized. '
Time is correct (set via NTP I suspect, and matches other time sources, e.g., a clock set by radio signal). Timezone (EDT) is also correct.
jssimonson said
The error message is "SEC_ERROR_UNKNOWN_ISSUER", and if you click on that you get the cert displayed and 'Peer’s Certificate issuer is not recognized. '
Can you share the large block of gibberish (encoded certificate)? This may help identify a "man in the middle" of Firefox's connection to the site.
In anticipation, I'll also give you this link: How to troubleshoot security error codes on secure websites.
Sure, and thanks for the help. The AV product I use on that Mac is AVG 18.3. I've initiated a full scan.
Here's the block of info for the cert:
www.mozilla.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER https://www.mozilla.com/
Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate chain:
Thank you for sharing the certificate. It shows that the certificate was issued by "AVG trusted CA" instead of the true certificate issuer, an indication that your AVG security software is intercepting your web browsing.
A new installation of Firefox isn't set up to work with any "man in the middle" security suite like AVG, Avast, Bitdefender, ESET, or Kaspersky. What can you do? Either:
- The security software will set up Firefox automatically at your next system startup or by using a button in the software's interface (simplest)
- You can disable the "man in the middle" feature (see: How to troubleshoot security error codes on secure websites -- the new AVG is similar to Avast); this may improve performance by removing one level of filtering
- If necessary, you can manually import AVG's signing certificate into Firefox's certificate store
- You can set Firefox to trust certificates that MacOS X collects
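The check described in the reply above (decode the certificate from the error page and read who issued it), as an added example that is not part of the original thread. The function names and `sample_cert`, a constructed certificate skeleton without key or signature, are assumptions for illustration; the parser reads only the issuer's CN and O and assumes UTF-8-compatible string values.

```python
import base64, re

# Products the reply above names as TLS-intercepting security suites.
INTERCEPTORS = ("AVG", "Avast", "Bitdefender", "ESET", "Kaspersky")
OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0a"  # 2.5.4.3 CN, 2.5.4.10 O

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def issuer_names(cert):
    """Return the issuer's CN and O from a certificate (PEM text or DER bytes)."""
    if isinstance(cert, str):
        cert = base64.b64decode(
            "".join(l for l in cert.splitlines() if "-----" not in l))
    _, outer, _ = read_tlv(cert, 0)   # Certificate
    _, tbs, _ = read_tlv(outer, 0)    # tbsCertificate
    fields = [f for f in children(tbs) if f[0] != 0xA0]  # skip [0] version
    names = {}
    for _, rdn in children(fields[2][1]):  # fields: serial, sigAlg, issuer, ...
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))[:2]
            if oid in (OID_CN, OID_O):
                key = "CN" if oid == OID_CN else "O"
                names[key] = val.decode("utf-8", "replace")
    return names

def interception_product(names):
    """Name the security suite whose CA issued the certificate, or None."""
    words = set(re.findall(r"[a-z0-9]+", " ".join(names.values()).lower()))
    return next((p for p in INTERCEPTORS if p.lower() in words), None)

def tlv(tag, body):  # tiny DER encoder, used only to build the sample
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def sample_cert(issuer_cn):
    """Constructed certificate skeleton (no key or signature), demo input only."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, issuer_cn.encode()))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
           + tlv(0x30, b"") + tlv(0x30, tlv(0x31, atv)))
    return tlv(0x30, tlv(0x30, tbs))
```

Passing the PEM text copied from Firefox's error page to `issuer_names` and the result to `interception_product` tells you whether the certificate was minted by a local security suite rather than by the site's real issuer.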
Very helpful, thanks much. The simplest solution you recommend, are you saying restart the Mac? Am I understanding the problem correctly, it is AVG interfering with Firefox's certs? I will have to look into AVG docs, I don't see an obvious way to disable the man-in-the-middle feature. I'll look into the other methods as well (importing the AVG signing cert). Setting Firefox to trust the collected certs - is that a good solution?
jssimonson said
The simplest solution you recommend, are you saying restart the Mac?
It might work. AVG/Avast usually can set up Firefox automatically, but I don't know exactly what triggers it.
Am I understanding the problem correctly, it is AVG interfering with Firefox's certs? I will have to look into AVG docs, I don't see an obvious way to disable the man-in-the-middle feature.
AVG now works similarly to Avast. Possibly its browser interception is also called the Web Shield, but I haven't looked at the docs.
I'll look into the other methods as well (importing the AVG signing cert). Setting Firefox to trust the collected certs - is that a good solution?
I think it's better to have Firefox use its own certificate store if you can.