SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION
Websites with self-signed certificates keep breaking and come up with the error shown in the attached picture. This usually occurs after a Firefox automatic update, but it has also happened out of the blue.
One day website works fine, the other day it comes with the error and no certificate has been changed.
All Replies (16)
I wanted to add that I'm an avid Firefox user and fan and have been using it for more than 10 years. This started happening about 3 major versions ago (from 65.0).
At some point I recreated my Firefox profile to see if that would help, but websites that have been working originally, keep breaking. Those websites work on other browsers such as IE and Edge.
Any help with this would be much appreciated. Every time I open IE for a website that doesn't work because of this issue, it feels like a part of me dies :D :D
There is security software, like Avast, Kaspersky, BitDefender and ESET, that intercepts secure connections and presents its own certificates.
https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
Websites don't load - troubleshoot and fix error messages
That's an unusual error code. I found some information that I don't claim to fully understand. Also, why would it work sometimes and not others? Hmm...
SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION means "A certificate contains an extension marked as critical that is not handled by mozilla::pkix."
The six extensions Firefox can handle as critical extensions are: Subject Alternate Name, Basic Constraints, Key Usage, Extended Key Usage, Name Constraints, and Authority Information Access.
If any other extension is marked as critical, Firefox stops verifying the certificate and won't connect.
"What Can I Do: Re-generate the certificate without the extension or with it not marked as critical."
Source: https://wiki.mozilla.org/SecurityEngineering/x509Certs
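The condition the reply above describes can be checked directly rather than guessed at. The following is an added example, not code from this thread or from Mozilla: a standard-library Python walker that reads a DER certificate's X.509v3 extensions, lists the ones marked critical, and reports which of those fall outside the six extensions the reply names (the OID table and the helper names are mine). The certificate it runs on is constructed inline as an unsigned skeleton (empty names, dummy key, dummy signature) purely as sample input; the "bad" variant marks subjectKeyIdentifier (2.5.29.14) critical, which is an assumed misconfiguration for illustration, not something the thread established about the poster's certificates.

```python
"""List a certificate's critical extensions and flag those mozilla::pkix rejects.

Added example, not from the thread or from Mozilla. Standard library only.
"""
import base64

# The six extensions the reply (quoting wiki.mozilla.org) says mozilla::pkix
# handles when marked critical; any other critical extension is rejected.
PKIX_HANDLES_CRITICAL = {
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.15": "keyUsage",
    "2.5.29.37": "extKeyUsage",
    "2.5.29.30": "nameConstraints",
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
}

# --- minimal DER decoding --------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def critical_extensions(cert_der):
    """Dotted OIDs of every extension the certificate marks critical, in order."""
    _, cert, _ = read_tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                  # tbsCertificate
    pos, exts = 0, None
    while pos < len(tbs):
        tag, body, pos = read_tlv(tbs, pos)
        if tag == 0xA3:                            # [3] EXPLICIT Extensions
            exts = body
    if exts is None:
        return []
    _, seq, _ = read_tlv(exts, 0)                  # SEQUENCE OF Extension
    found, p = [], 0
    while p < len(seq):
        _, ext, p = read_tlv(seq, p)
        _, oid_body, q = read_tlv(ext, 0)          # extnID
        tag, val, _ = read_tlv(ext, q)             # critical BOOLEAN DEFAULT FALSE
        if tag == 0x01 and val != b"\x00":
            found.append(decode_oid(oid_body))
    return found

def unknown_critical(cert_der):
    """Critical extensions pkix does not handle: what SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION means."""
    return [o for o in critical_extensions(cert_der) if o not in PKIX_HANDLES_CRITICAL]

def load_pem(pem):
    """PEM text (e.g. from ssl.get_server_certificate((host, 443))) to DER bytes."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

# --- constructing the sample input (an unsigned skeleton, NOT a real cert) --
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        body += enc
    return tlv(0x06, bytes(body))

def build_test_cert(extensions):
    """extensions: list of (dotted_oid, critical, value_der). Returns DER."""
    ext_seq = b"".join(
        tlv(0x30, oid(o) + (tlv(0x01, b"\xff") if crit else b"") + tlv(0x04, v))
        for o, crit, v in extensions)
    sha256_rsa = tlv(0x30, oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                            # version v3
              + tlv(0x02, b"\x01")                                      # serialNumber
              + sha256_rsa                                              # signature alg
              + tlv(0x30, b"")                                          # issuer (empty)
              + tlv(0x30, tlv(0x17, b"190101000000Z") + tlv(0x17, b"290101000000Z"))
              + tlv(0x30, b"")                                          # subject (empty)
              + tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + b"\x05\x00") + tlv(0x03, b"\x00"))
              + tlv(0xA3, tlv(0x30, ext_seq)))                          # [3] extensions
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))             # dummy signature

if __name__ == "__main__":
    # Typical self-signed leaf: only extensions pkix knows are critical.
    good = build_test_cert([("2.5.29.19", True, b"\x30\x00"),
                            ("2.5.29.15", True, b"\x03\x02\x05\xa0")])
    # Same, plus subjectKeyIdentifier wrongly marked critical (assumed misconfiguration).
    bad = build_test_cert([("2.5.29.19", True, b"\x30\x00"),
                           ("2.5.29.14", True, b"\x04\x00"),
                           ("2.5.29.32", False, b"\x30\x00")])
    print("good:", unknown_critical(good))   # []
    print("bad: ", unknown_critical(bad))    # ['2.5.29.14']
```

For a live host, `ssl.get_server_certificate((host, 443))` from the standard library returns the leaf certificate as PEM, which `load_pem` converts for `unknown_critical`; `openssl x509 -in cert.pem -noout -text` shows the same information as extension headings ending in `: critical`. If the list comes back empty for a certificate Firefox rejects with this code, the certificate carries no unhandled critical extension and the error code is not describing the real cause, which is the possibility the later replies in this thread raise.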
@FredMcD
I have checked BitDefender and SSL scan is off.
This can be verified by checking the certificate when opening an HTTPS page. When BitDefender is intercepting SSL traffic, the BitDefender certificate shows up, and when it doesn't, the normal webpage certificate shows up. Screenshot attached.
@jscher
Is this something that changed in recent versions? Those websites were working before.
Also, they have self-signed certificates generated by default. It's highly unlikely they would include a critical extension not recognizable by Firefox pkix.
Hi PraSSaDaR, unfortunately, I don't know how to extract the certificate details on the "Secure Connection Failed" error page.
It doesn't look like there is anything more to be added. Thank you both for your help.
If I find out anything new, I will post the update here.
Um, the behavior you're describing, with:
- One day website works fine, the other day it comes with the error and no certificate has been changed and
- At some point I recreated my Firefox profile to see if that would help, but websites that have been working originally, keep breaking.
... It would seem like there's a - Firefox, not Firefox (?) - Windows Registry rootkit, or something. I'd say there's at least a 50/50 chance that your browser is (hi)jacked, right? I mean, if you're sure that you had earlier run "firefox.exe -P" and made a -completely- fresh profile.
Are you not running some sort of (automatic) sandbox - such as COMODO's "Auto-Containment", which would place Firefox.exe in 'UNRECOGNIZED FILES' - and if not, or it's not being detected, then it may be the case that your Registry got b0rked?? What do you think? o.0
EDIT: ^^ Would it be too late to try it now? I think that Firefox sigs should be built in to the software (COMODO Firewall, or IS) and so it'll still report if it's funny - yea?
Mozilla's WebPKI thingy says that:
- SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION
- A certificate contains an extension marked as critical that is not handled by mozilla::pkix
@https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates
And that you should "Re-generate the certificate without the extension or with it not marked as critical" which you obviously got nothing to do with - so, that information is entirely useless. :)
Basically, I'm just spamming at this point, so I should prolly just wait for you to post back about this highly-unusual issue...
(I mean, it could be that Bitdefender - or, whatever - is still throwing a fit, even though its SSL intercept is set to "off", because such software is -generally, just- invasive af? ++ Sorry if none of this has helped, like at all.)
Issue still persists on version 69.
Site was working fine with Firefox 68. After upgrading to 69, error described above comes up.
Can this be reported to the developers as a bug please?
PraSSaDaR said
Issue still persists on version 69. Site was working fine with Firefox 68. After upgrading to 69, error described above comes up. Can this be reported to the developers as a bug please?
Hi PraSSaDaR, I found a bug on file where several people started getting this error code with self-signed certificates (157022). It's possible the error code is inaccurate in some cases, since someone could use an alternate method to add an exception:
Found this bug report because many of our internal certificates stopped working in Firefox 69, giving the SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error message. ... Workaround for me is to go to about:preferences#privacy and view the certificates, then on the Servers tab enter the URL to the server. The certificate is then fetched and can be stored, after which Firefox can connect again. This should have the same result as the checkbox on certificate warning pages in Firefox 68, that would store the exception.
That should only work if the error code is inaccurate and the real reason is something more common such as an incomplete chain of trust (normal for self-signed certificates).
To clarify the steps:
- Windows: "3-bar" menu button (or Tools menu) > Options
- Mac: "3-bar" menu button (or Firefox menu) > Preferences
- Linux: "3-bar" menu button (or Edit menu) > Preferences
- Any system: type or paste about:preferences into the address bar and press Enter/Return to load it
In the search box at the top of the page, type cert and Firefox should filter to the Certificates section.
Click the "View Certificates" button and in the Certificate Manager, click the Servers tab. At the bottom, click the "Add Exception" button (first screenshot). That will pop up a small dialog where you can enter the URL to retrieve the extension (second screenshot).
If that works, then the error code was mistaken.
Hi jscher2000,
The workaround that you mentioned didn't work unfortunately. The error reads:
No information available
Unable to obtain identification status for this site.
I tried multiple sites that weren't working before and the one that just broke after the upgrade to Firefox 69.
The certificate hasn't changed at all, which clearly points to this being a Firefox issue.
Hi PraSSaDaR, this error code is very specific, so I think you may need to try generating new certificates consistent with the discussion here:
Why would I generate new certificates just for Firefox while they work with other browsers? Is this a PKI security issue and cert specifications that other browsers haven't caught up with yet?
How was it working on Firefox 68 and stopped working on 69 if no changes have been made to our certificates and to the underlying PKI structure of Firefox?
Firefox is very strict with certificates, making it more secure.
Firefox is the most secure browser I've ever used and it's one of the main reasons I keep using it. However, this is not the point I'm trying to make here.
I tested this in a corporate environment with other users experiencing the same issue. I would encourage you to raise it with the Developers as on setups like Firefox 69 + other OSes (such as Windows 8 and Windows Server 2012R2) + BitDefender it is working fine.
The problem occurs on Firefox 68 and 69 on Windows 10 (Build 1809 and latest). This eliminates BitDefender, Firefox PKI handling changes, and changes to our internal certificates as probable causes.
Hi PraSSaDaR, do you want to review the following bug that's on file for Firefox 69 and see whether it covers the type of certificate that's causing the problem for you:
Thank you jscher2000.
I've posted my comments along with one of the countless "problematic" certificates on the bug that you shared with me.
Hopefully, it will be resolved soon.