Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

browser warning: potential security risk ahead - ssl_error_bad_cert_domain

more options

the situation: we publish an internal wiki website in our intranet. the delivering server provides a certificate issued by our own microsoft active directory pki (root-intermediate-servercert). firefox is configured by gpos in order to use windows cert store, where root and intermediate are installed. but nevertheless firefox drops an error message ssl_bad_cert_domain and i do not see why. in chrome or chromium based edge everything is fine. no ssl warnings. as you can see in the attached screenshot the cert includes various san fields for different host names, which includes two ip addresses (anonymized).

any advice what do to is mostly appreciated.

thanks a lot peter

the situation: we publish an internal wiki website in our intranet. the delivering server provides a certificate issued by our own microsoft active directory pki (root-intermediate-servercert). firefox is configured by gpos in order to use windows cert store, where root and intermediate are installed. but nevertheless firefox drops an error message ssl_bad_cert_domain and i do not see why. in chrome or chromium based edge everything is fine. no ssl warnings. as you can see in the attached screenshot the cert includes various san fields for different host names, which includes two ip addresses (anonymized). any advice what do to is mostly appreciated. thanks a lot peter
Attached screenshots

Modified by El Viejo

Chosen solution

indeed, removing the ip addresses from both san fields (dns, ip) did the trick. i do not feel capable to call this a firefox bug but at least it should be brought to the attention of the developers. so i am going to file a bug report (given there is'nt one already).

ps: no need to escalate this as it has been subject of discussion here (and i have learned how to issue certs according the specs :-) so no ip addresses in dns fields). https://bugzilla.mozilla.org/show_bug.cgi?id=1148766

Read this answer in context 👍 0

All Replies (7)

more options
  • MOZILLA_PKIX_ERROR_MITM_DETECTED
  • uses an invalid security certificate SSL_ERROR_BAD_CERT_DOMAIN
  • configured their website improperly

How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER

more options

hello fredmcd, thanks for you quick reply. our ff users get only the ssl_error_bad_cert_domain and it can easily be resolved by setting a security exception but i do not want to do this for known reasons :-) as i mentioned in my first post our pki and the cert are set up the way it is supposed to work. chrome, edge and even good old (or better said bad old) ie do not drop a certificate warning. so my question is: where is the reason why firefox claims a bad domain name in the cert?

i do not want to post the public part of the cert because there is an internal ip address in two fields (dns, ip). could this be the reason for the error message?

more options

I don't know much about such issues and called for more help.

more options

There might be something Firefox doesn't like about the Subject Alt Names field.

For example, a few years ago we had a question where there were IP addresses mixed with regular host names in the field, which perhaps caused Firefox to read it incorrectly. That thread doesn't appear to have been resolved one way or the other:

https://support.mozilla.org/questions/1233865

more options

hello jscher2000, thanks for pointing me to the other thread. i am going to reissue the cert without ip addresses and test it.

more options

Chosen Solution

indeed, removing the ip addresses from both san fields (dns, ip) did the trick. i do not feel capable to call this a firefox bug but at least it should be brought to the attention of the developers. so i am going to file a bug report (given there is'nt one already).

ps: no need to escalate this as it has been subject of discussion here (and i have learned how to issue certs according the specs :-) so no ip addresses in dns fields). https://bugzilla.mozilla.org/show_bug.cgi?id=1148766

Modified by El Viejo

more options

Thank you for reporting back on that. I don't know why browsers disagree on such things.