SEC_ERROR_UNKNOWN_ISSUER means Firefox does not trust the SSL certificate issuer. Firefox ships its own Mozilla trust store (≠ system store), so regional or corporate CAs often fail. Causes: self-signed cert, missing intermediate CA, CA not in Mozilla store. Fix: use Let's Encrypt or a commercial CA + the full fullchain bundle.
This error blocks HTTPS access. Below: causes, fixes, working config, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
SSLCertificateChainFile with the intermediate CAcertbot --nginx -d example.comserver {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
}The SEC_ERROR_UNKNOWN_ISSUER error in Firefox indicates that the web browser cannot verify the SSL certificate of the website due to an unrecognized certificate authority (CA). To resolve this issue, ensure that the SSL certificate is issued by a trusted CA, check your system's certificate store, or manually add the certificate to Firefox's trusted certificates. For immediate resolution, verify the certificate chain and ensure that all intermediate certificates are correctly installed.
The SEC_ERROR_UNKNOWN_ISSUER error occurs when Firefox encounters an SSL certificate that it cannot validate against its list of trusted certificate authorities. This can happen for several reasons:
To ensure SSL certificates are valid, they should be issued by recognized CAs such as DigiCert, Let's Encrypt, or GlobalSign. In practice, you can check the validity of a certificate using the openssl command-line tool.
openssl s_client -connect example.com:443 -showcertsThis command retrieves the SSL certificate from the specified domain and displays the certificate chain. Verify that all certificates in the chain are present and correctly linked.
To address the SEC_ERROR_UNKNOWN_ISSUER error, follow these steps:
openssl command to check the SSL certificate chain.SSLCertificateFile /path/to/your_certificate.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/intermediate_certificate.crtabout:preferences#privacy in the address bar, scroll down to the Certificates section, and click on View Certificates. From there, check if the CA is listed under the Authorities tab.After making these changes, restart Firefox and revisit the website. If the issue persists, consider checking server configurations or consulting with your SSL provider for further assistance.
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeChrome and Firefox ship different trusted-CA lists. Chrome since 2023 ships its own chrome-root-store. If your CA is only in the Chrome store — Firefox shows SEC_ERROR_UNKNOWN_ISSUER.
Click "Advanced → Accept the Risk and Continue". Works only for ad-hoc visits. Not recommended for production sites.
The public list of CAs Firefox trusts. ~150 CAs. Getting in takes 1–2 years and requires a WebTrust audit.
Yes. Cross-signed via ISRG Root X1, which is in the Mozilla store. Works in every modern Firefox.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.