Skip to content

SEC_ERROR_UNKNOWN_ISSUER in Firefox: Fix Guide

Key idea:

SEC_ERROR_UNKNOWN_ISSUER means Firefox does not trust the SSL certificate issuer. Firefox ships its own Mozilla trust store (≠ system store), so regional or corporate CAs often fail. Causes: self-signed cert, missing intermediate CA, CA not in Mozilla store. Fix: use Let's Encrypt or a commercial CA + the full fullchain bundle.

This error blocks HTTPS access. Below: causes, fixes, working config, FAQ.

Check your site's SSL →

Common Causes

  • Self-signed certificate (not from a public CA)
  • Server returns only the server cert without intermediate CA
  • Issuer CA is not in the Mozilla CA Certificate Program
  • Corporate/government CA requires manual install
  • Certificate in pfx/pkcs12 without its chain

Step-by-Step Fix

  1. Check the chain with Enterno SSL Checker — you should see 3 levels: site → intermediate → root
  2. For nginx: use fullchain.pem, not just cert.pem
  3. For Apache: add SSLCertificateChainFile with the intermediate CA
  4. If self-signed — issue Let's Encrypt: certbot --nginx -d example.com
  5. For a corporate CA: install the root in every Firefox (Preferences → Privacy → Certificates)

Check SSL Certificate →

Example: Proper nginx TLS config

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    ssl_stapling        on;
    ssl_stapling_verify on;
}

Related SSL Errors

TL;DR: Resolving SEC_ERROR_UNKNOWN_ISSUER in Firefox

The SEC_ERROR_UNKNOWN_ISSUER error in Firefox indicates that the web browser cannot verify the SSL certificate of the website due to an unrecognized certificate authority (CA). To resolve this issue, ensure that the SSL certificate is issued by a trusted CA, check your system's certificate store, or manually add the certificate to Firefox's trusted certificates. For immediate resolution, verify the certificate chain and ensure that all intermediate certificates are correctly installed.

Understanding SEC_ERROR_UNKNOWN_ISSUER

The SEC_ERROR_UNKNOWN_ISSUER error occurs when Firefox encounters an SSL certificate that it cannot validate against its list of trusted certificate authorities. This can happen for several reasons:

  • The SSL certificate is self-signed and not recognized by Firefox.
  • The certificate is issued by a CA that is not included in Firefox's trusted root certificate store.
  • The certificate chain is incomplete, missing intermediate certificates necessary for validation.

To ensure SSL certificates are valid, they should be issued by recognized CAs such as DigiCert, Let's Encrypt, or GlobalSign. In practice, you can check the validity of a certificate using the openssl command-line tool.

openssl s_client -connect example.com:443 -showcerts

This command retrieves the SSL certificate from the specified domain and displays the certificate chain. Verify that all certificates in the chain are present and correctly linked.

Practical Steps to Fix SEC_ERROR_UNKNOWN_ISSUER

To address the SEC_ERROR_UNKNOWN_ISSUER error, follow these steps:

  1. Verify the Certificate Chain: Use the openssl command to check the SSL certificate chain.
  2. Install Missing Intermediate Certificates: If the command output indicates missing intermediate certificates, obtain them from your SSL provider and install them on your server. For example, if you are using Apache, you would add the following lines to your configuration:
SSLCertificateFile /path/to/your_certificate.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/intermediate_certificate.crt
  1. Check Firefox's Certificate Store: Open Firefox, type about:preferences#privacy in the address bar, scroll down to the Certificates section, and click on View Certificates. From there, check if the CA is listed under the Authorities tab.
  2. Add the Certificate Manually: If the certificate is self-signed or from an untrusted CA, you can add it manually. In the View Certificates window, click on the Import button and select the certificate file. Ensure you check the box to trust the certificate for identifying websites.

After making these changes, restart Firefox and revisit the website. If the issue persists, consider checking server configurations or consulting with your SSL provider for further assistance.

CertificateExpiry, issuer, domains (SAN)
ChainIntermediate and root CA validation
TLS ProtocolTLS version and cipher suite
VulnerabilitiesHeartbleed, POODLE, weak ciphers

Why teams trust us

TLS 1.3
supported
Full
CA chain check
<2s
result
30/14/7
days-to-expiry alerts

How it works

1

Enter domain

2

TLS chain verified

3

Expiry date & vulnerabilities

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

DevOps

SSL certificate monitoring

Security

TLS config audit

SEO

HTTPS as ranking factor

E-commerce

customer trust

Common Mistakes

Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

Best Practices

Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

Get more with a free account

SSL certificate monitoring, check history and alerts 30 days before expiry.

Sign up free

Learn more

Sources

Frequently Asked Questions

Why does Chrome work but Firefox does not?

Chrome and Firefox ship different trusted-CA lists. Chrome since 2023 ships its own chrome-root-store. If your CA is only in the Chrome store — Firefox shows SEC_ERROR_UNKNOWN_ISSUER.

How do I bypass the error temporarily?

Click "Advanced → Accept the Risk and Continue". Works only for ad-hoc visits. Not recommended for production sites.

What is the Mozilla CA Certificate Program?

The public list of CAs Firefox trusts. ~150 CAs. Getting in takes 1–2 years and requires a WebTrust audit.

Is Let's Encrypt in Firefox?

Yes. Cross-signed via ISRG Root X1, which is in the Mozilla store. Works in every modern Firefox.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.