Troubleshooting a common SSL certificate error
One of the more frustrating aspects of web browsers and the errors they generate is that they all generally use different nomenclature. While Chrome and Opera tend to operate on the same plane, Safari, Firefox and Microsoft Edge all do their own thing. Case in point, let’s consider the error code SEC_ERROR_UNKNOWN_ISSUER in Firefox.
The error code SEC_ERROR_UNKNOWN_ISSUER also appears as “NET::ERR_CERT_AUTHORITY_INVALID” in Chrome and “DLG_FLAGS_INVALID_CA” in Edge. What’s more complicated is that this message can mean two things for Firefox and Edge users, whereas Chrome has dedicated error messages for each of the two variations. We’ll get into that in just a second.
What Does SEC_ERROR_UNKNOWN_ISSUER Mean?
The error code SEC_ERROR_UNKNOWN_ISSUER is meant to tell users that a website is attempting to use an SSL certificate that was issued by an untrusted entity. The way public key infrastructure (PKI) works — and in order for it to function correctly — only trusted certificate authorities (CAs) can issue trusted certificates. There’s a very strict set of guidelines that CAs follow to ensure that they’re both performing their due diligence concerning validation and that they’re acting in good faith when they issue certificates. Any mistakes are dealt with harshly, so there’s plenty of incentive to get things right.
If you’re getting the SEC_ERROR_UNKNOWN_ISSUER message, it means whoever issued your certificate is NOT trusted by the browsers.
What the Error Code SEC_ERROR_UNKNOWN_ISSUER in Firefox Means
Now here’s where it gets confusing. The error code SEC_ERROR_UNKNOWN_ISSUER in Firefox refers to one of two possible scenarios:
- The certificate was issued by an untrusted CA; or
- Somehow, the issuing CA’s root was deleted from the root store.
It’s almost always the former. Specifically, it’s usually a Symantec Legacy certificate at fault. Symantec was completely distrusted last fall. All of its remaining digital certificates needed to be reissued by DigiCert, which took over Symantec’s CA operations following its acquisition. Otherwise, they would be distrusted by the browsers, too.
Firefox uses the SEC_ERROR_UNKNOWN_ISSUER warning to refer to any issuance by an untrusted CA. Other browsers, like Chrome, have specific messages for Symantec Legacy and other untrusted CA issuances. But to make things even more confusing, the CERT_AUTHORITY_INVALID error message that Chrome gives for untrusted CAs (not named Symantec) is the same one it uses for self-signed certificate errors, whereas Firefox has a dedicated error message for self-signed certificates.
Feeling confused yet?
Just remember that we’re focusing on Firefox right now. So when you see SEC_ERROR_UNKNOWN_ISSUER, it’s safe to assume the certificate is not trusted because of who issued it.
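Both scenarios listed above come down to the same condition: the verifier cannot find the issuing root in its trust store. The following is an added example, not part of the original article, that reproduces that condition and the separate self-signed case with the openssl command line as a stand-in (Firefox uses its own NSS library and root store); every certificate name, file name and function name in it is constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: every name and file below is hypothetical and generated locally.

make_demo_pki() {            # $1 = empty working directory
  local d=$1 ca
  for ca in issuer other; do # two self-signed roots: the leaf's issuer and an unrelated one
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $ca root" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
  done
  # Leaf certificate for a constructed site name, signed by the "issuer" root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=site.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuer.pem" -CAkey "$d/issuer.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
  cat "$d/issuer.pem" "$d/other.pem" > "$d/store_full.pem"   # issuer root is trusted
  cp "$d/other.pem" "$d/store_missing.pem"                   # issuer root absent
}

classify() {                 # $1 = trust store (PEM bundle), $2 = certificate to check
  local out
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case $out in
    *"unable to get local issuer certificate"*) echo unknown_issuer ;;
    *"self signed certificate"*|*"self-signed certificate"*) echo self_signed ;;
    *": OK"*) echo trusted ;;
    *) echo other_error ;;
  esac
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || return 1
  # A CA that was never trusted and a root deleted from the store look the same here.
  echo "issuer root in store:      $(classify "$d/store_full.pem" "$d/leaf.pem")"
  echo "issuer root not in store:  $(classify "$d/store_missing.pem" "$d/leaf.pem")"
  echo "self-signed, not in store: $(classify "$d/store_missing.pem" "$d/issuer.pem")"
  rm -rf "$d"
}
demo
```

Site owners can point `classify` at their own certificate and a CA bundle to see which of the three outcomes a client with that trust store would reach.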
Fixing SEC_ERROR_UNKNOWN_ISSUER for Web Users
Unfortunately, the majority of the time, the most you can do when you see the SEC_ERROR_UNKNOWN_ISSUER message pop up is notify the site owner. DO NOT click through the warning. That’s a bad habit to get into and it rewards bad security. Instead, notify the site owner and, if it isn’t fixed quickly, maybe think of taking your business elsewhere.
The other possibility, and this is much more remote unless you’ve been messing around with your settings, is that the relevant root CA certificate got deleted from your root store. If this is the case, just wipe your settings and then delete and reinstall Firefox. That’s the quickest way to fix the issue. We know, it’s not necessarily the SEC_ERROR_UNKNOWN_ISSUER fix you were hoping for. However, just remember that if you’re still getting the error afterwards, it’s them, not you.
Fixing SEC_ERROR_UNKNOWN_ISSUER for Site Owners
Regardless of whether you’re getting this error because of a legacy Symantec certificate or just because your certificate’s CA isn’t trusted by Firefox, you really only have one choice: You need to get another certificate.
There are dozens of trusted CAs at various price points that can issue you a universally trusted SSL certificate. If you’re using ACME, the change only requires a few clicks. Otherwise, it’ll need a few minutes of manual intervention. Regardless, the problem is the CA that issued the certificate. It’s time to find a new one.