Firefox loses all trust in every CA after a while

  • 5 replies
  • 1 has this problem
  • 1 view
  • Last reply by cor-el

We do have Firefox running in a corporate environment (Active Directory, Roaming Profiles, GPO Folder Redirections). For a while now, Firefox loses all trust in every CA after Firefox has been running idle for a while.

And I do mean this literally: They do get SEC_ERROR_UNKNOWN_ISSUER on every site even though the chain checks out if I test it via:

```
openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt -untrusted chain-from-ff.crt host.crt
```

The test is done on an independent Fedora Linux machine.

If the user restarts Firefox, everything works again until the next time. On the machines there is only Windows Defender running, no other antivirus software.

All Replies (5)

Hi, have there been any changes to your firewall at the time this issue started?

No active changes on the running system. It always happens after the user has the computer running in idle.

PS: Could someone change the tags of this thread? I have checked using Linux but the problem is not related to Linux in any way… The clients are running on Windows 10.

For the poor masses who find this question via search engine.

The problem appears to be the same as can be found in:

https://support.mozilla.org/en-US/questions/1226671 and on Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1479340

How about an actual screenshot of the error? No two same problems are triggered the same.

Did you make sure that the computer time is still correct? Are you using internet based time servers to ensure a correct time?

Is this a certificate issue or is something else wrong?

You can check if there is more detail available about the issuer of the certificate.

  • click the "Advanced" button to show more detail
  • click the blue SEC_ERROR_UNKNOWN_ISSUER error text to show the certificate chain
  • click "Copy text to clipboard" and paste the base64 certificate chain text in a reply

If there is a different error message then please post its content or attach a screenshot.

If clicking the blue error text doesn't provide the certificate chain then try these steps to inspect the certificate.

  • open the Servers tab in the Certificate Manager
    • Options/Preferences -> Privacy & Security
      Certificates: View Certificates -> Servers: "Add Exception"
  • paste the URL of the website (https://xxx.xxx) in its Location field
  • let Firefox retrieve the certificate -> "Get Certificate"
  • click the "View" button and inspect the certificate

You can see detail like the issuer of the certificate and intermediate certificates in the Details tab.
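
To check a chain copied from the error page with the `openssl verify` command from the question, the following added example (not part of the thread) splits the pasted text into `host.crt` and `chain-from-ff.crt`, checks that each certificate's issuer is the next certificate in the paste, and runs the verify. It assumes the pasted text contains PEM blocks with the leaf certificate first; the function names and the throwaway sample CA are illustrative.

```shell
# Added example; assumes the pasted text holds PEM blocks, leaf certificate first.

# split_chain PASTE DIR: write each PEM block to DIR/cert-N.pem, print the count.
split_chain() {
    awk -v dir="$2" '{ sub(/\r$/, "") }
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n++); on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { on = 0; close(out) }
        END { print n + 0 }' "$1"
}

# chain_linked DIR COUNT: fail at the first certificate whose issuer is not the
# subject of the next one, i.e. where the presented chain is broken or misordered.
chain_linked() {
    i=0
    while [ $((i + 1)) -lt "$2" ]; do
        want=$(openssl x509 -in "$1/cert-$i.pem" -noout -issuer_hash)
        have=$(openssl x509 -in "$1/cert-$((i + 1)).pem" -noout -subject_hash)
        [ "$want" = "$have" ] || { echo "cert-$i.pem: issuer is not cert-$((i + 1)).pem" >&2; return 1; }
        i=$((i + 1))
    done
    return 0
}

# verify_pasted CAFILE DIR COUNT: rebuild host.crt and chain-from-ff.crt, then run
# the openssl verify from the question (-untrusted only if intermediates exist).
verify_pasted() {
    cp "$2/cert-0.pem" "$2/host.crt"; : > "$2/chain-from-ff.crt"
    i=1
    while [ "$i" -lt "$3" ]; do
        cat "$2/cert-$i.pem" >> "$2/chain-from-ff.crt"; i=$((i + 1))
    done
    if [ -s "$2/chain-from-ff.crt" ]; then
        openssl verify -CAfile "$1" -untrusted "$2/chain-from-ff.crt" "$2/host.crt"
    else
        openssl verify -CAfile "$1" "$2/host.crt"
    fi
}

# make_sample DIR: constructed data (throwaway root CA, leaf, simulated paste.txt).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
    { echo "constructed error text"; cat "$1/leaf.crt" "$1/root.crt"; } > "$1/paste.txt"
}
```

With a real paste, skip `make_sample` and pass the CA bundle used in the question as `CAFILE`; a failure in `chain_linked` names the certificate whose issuer is absent from the presented chain.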