Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER Topic is solved

Users and developers helping users with generic and technical Pale Moon issues on all operating systems.

Moderator: trava90

Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
BenFenner
Lunatic
Lunatic
Posts: 285
Joined: 2015-06-01, 12:52
Location: US Southeast

Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by BenFenner » 2021-06-23, 16:03

Recent previous threads on the topic from older to newer:
viewtopic.php?f=3&t=19190
viewtopic.php?f=3&t=20719
viewtopic.php?f=4&t=21193
viewtopic.php?f=3&t=21430
viewtopic.php?f=4&t=21433
viewtopic.php?f=3&t=24374
viewtopic.php?f=3&t=24546
viewtopic.php?f=5&t=25282

Site in question: https://portal.fccms.dss.sc.gov/
Error code: SEC_ERROR_UNKNOWN_ISSUER

Checking the site on another computer that works (still using Pale Moon), I see that Go Daddy is the certificate issuer. If that matters.

Image

I'm at a client's office with multiple computers setup nearly identically, and just this one is exhibiting this behavior, so I'm planning to re-install Pale Moon to see what happens. I've never actually backed up a profile before, so I'm going to give the back-up tool here a try: https://www.palemoon.org/backuptool.shtml

I'll back up the bookmarks as well in case that tool is somehow out of date (last post was from 2015 | viewtopic.php?f=25&t=758), since really those are the important things. If I have to re-install from scratch with no back-up, at least I'll have the bookmarks.

I have confirmed they are all running the same anti-virus (Microsoft Security Essentials) but may look into this as well.
Although the certificate chain works with Firefox on this computer, so I doubt it is an anti-virus issue.

If this does not work, I will be looking for some help.

User avatar
New Tobin Paradigm
Knows the dark side
Knows the dark side
Posts: 10176
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by New Tobin Paradigm » 2021-06-23, 16:18

Even if you weren't having issues.. Why would someone ever trust a government website with a cert signed by GoDaddy. I mean fuckin hell. BTW it works for me.

See also: https://www.ssllabs.com/ssltest/analyze.html?d=portal.fccms.dss.sc.gov
Face facts, people simply need to go to the next level and MAINTAIN these extensions not selfishly JustOff them to oblivion.
Image

BenFenner
Lunatic
Lunatic
Posts: 285
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by BenFenner » 2021-06-23, 16:20

Well, I backed up the bookmarks on their own, and the entire profile.
I uninstalled Pale Moon, restarted the computer, re-installed PM from a fresh download, and interestingly enough I didn't have to restore the profile to get things back to the way they were. So that tells me the program data was not removed during the uninstall. I'll make sure to remove that stuff too during another refresh, since the certificate issue still exists.

But maybe I'll give PM Portable a try first.
Last edited by BenFenner on 2021-06-23, 16:22, edited 1 time in total.

BenFenner
Lunatic
Lunatic
Posts: 285
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by BenFenner » 2021-06-23, 16:21

New Tobin Paradigm wrote:
2021-06-23, 16:18
Even if you weren't having issues.. Why would someone ever trust a government website with a cert signed by GoDaddy. I mean fuckin hell. BTW it works for me.
You're preaching to the choir here.
This lawyer's office basically requires the use of this site, and avoiding it is not an option for them. :(
Thank you. I'd forgotten I should probably have run it through SSL Labs. You saved me the time. :thumbup:

BenFenner
Lunatic
Lunatic
Posts: 285
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by BenFenner » 2021-06-23, 16:31

Interesting results from Pale Moon Portable. The same error occurs, but I was not expecting the ability to by-pass the issue.
I'm actually not even sure what this tells me about the situation. I was expecting the site to just work on PM Portable...

Image

User avatar
New Tobin Paradigm
Knows the dark side
Knows the dark side
Posts: 10176
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by New Tobin Paradigm » 2021-06-23, 16:53

We have a window of time where you can edit your previous post.. I suggest you use it.
Face facts, people simply need to go to the next level and MAINTAIN these extensions not selfishly JustOff them to oblivion.
Image

BenFenner
Lunatic
Lunatic
Posts: 285
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by BenFenner » 2021-06-23, 17:01

Off-topic:
I'm aware, and have been using it to group things appropriately in all of my threads/posts here, including this one.
IMO the PM Portable results were not related to my initial replies to you, so I made a new post. Similarly my replies to you were not related to my previous reply either. I've been on forums since 1996 (ezboard), I know my way around, and the etiquette.

Edit: Sorry I did not apply one of these notices to the first post when I edited it. I was sort of expecting this forum to have a little "edited" marker as many do now to signify (along with my own forum software that I've written from scratch), but I guess not.

Edit 2: Oh, apparently there is an "edited" notification, but like most good forums, this one doesn't apply that unless the edit happens a good bit after the initial post, maybe 120 seconds? So this post shows up as edited, which is nice. But if a post is edited very quickly after posting, it does not show as edited. Also nice.
But just to be clear, I have edited the initial post of this thread, it was just very quickly after posting it. Same goes for a few other posts in this thread. :thumbup:
Last edited by BenFenner on 2021-06-23, 17:39, edited 3 times in total.

BenFenner
Lunatic
Lunatic
Posts: 285
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by BenFenner » 2021-06-23, 17:16

Oh yah, one thing I tried was to rebuild the certificate store as mentioned in one of the related threads. But that didn't work to fix the issue (and interestingly enough the cert8.db file was never re-created by the application).


Directions to rebuild the certificate store on Windows:
viewtopic.php?f=3&t=5594&p=35364&hilit= ... old#p35364
Last edited by BenFenner on 2021-06-23, 17:19, edited 1 time in total.

User avatar
New Tobin Paradigm
Knows the dark side
Knows the dark side
Posts: 10176
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by New Tobin Paradigm » 2021-06-23, 17:19

cert8 isn't used by Pale Moon anymore.
Face facts, people simply need to go to the next level and MAINTAIN these extensions not selfishly JustOff them to oblivion.
Image

BenFenner
Lunatic
Lunatic
Posts: 285
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by BenFenner » 2021-06-23, 17:20

Great info Tobin. That explains why that [tip from 2014] didn't work. :thumbup:

BenFenner
Lunatic
Lunatic
Posts: 285
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by BenFenner » 2021-06-23, 17:27

On a lark, I tried setting security.enterprise_roots.enabled to true in about:config to use the OS certificate store instead of Pale Moon's built-in certificate store. That did not change the behavior or improve anything, so I've changed the setting back.

This technique was described by Moonchild in a related thread here: viewtopic.php?f=5&t=25282#p200312

Edit (as suggested by Tobin, even though this is new information, unrelated to this post, and unlikely to be read or seen by anyone since it won't bump the thread and those who have already read this post likely won't return to it to re-read it):

I've exported the root, intermediary, and terminal certificate for the site in question from a computer/PM process that does work.
I can't import the root certificate on this computer because it already exists. I can't import the terminal certificate because it is not from a known chain (or similar) but I can import the intermediary certificate. At least it seems like I can. But then it never shows up in the certificate list, and I am able to repeatedly import it, which feels odd. Regardless, the site does not work even after doing this.
I then saw were I could apply a temporary work-around to checking the cert for that site domain, which I applied, and STILL could not visit the site. This is a fun one.

I'm leaving this office for now, and may revisit this issue later in the week.

Edit 2: I'm back at home now and testing on my Linux/Windows machines here. They all are working fine. Something is obviously wrong with just that one installation. I'll need to try uninstalling again, but this time really deleting all of the program files before reinstalling. But I'm not 100% sure that will work, since PM Portable didn't work either. Which actually gives me an idea. I'll try PM Portable on one of my machines here at home that I know works. That will be a good test IMO. Hang tight.

Edit 3: A-ha! Installing PM Portable on a computer that is known to be able to access the site on a regular PM installation reproduces the problem! This means any one of you should be able to do the same thing to see the issue. Does anyone else want to try to visit https://portal.fccms.dss.sc.gov on a fresh copy of PM Portable to confirm?
(If you ever see this, since again, I'm editing when I feel a new post is appropriate.)
Last edited by BenFenner on 2021-06-23, 18:35, edited 5 times in total.

User avatar
New Tobin Paradigm
Knows the dark side
Knows the dark side
Posts: 10176
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by New Tobin Paradigm » 2021-06-23, 17:32

New Tobin Paradigm wrote:
2021-06-23, 16:53
We have a window of time where you can edit your previous post.. I suggest you use it.
Face facts, people simply need to go to the next level and MAINTAIN these extensions not selfishly JustOff them to oblivion.
Image

Michaell
Fanatic
Fanatic
Posts: 164
Joined: 2018-05-26, 18:13

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by Michaell » 2021-06-23, 19:51

Ben, I didn't need a fresh copy; I run portable all the time. And yes I get the unsafe negotiation error. But I think this is the important part:
Peer attempted old style (potentially vulnerable) handshake.
That indicates to me you need to allow old SSL 3.0, TLS 1.0 or one of the RCA, DES, etc protocols. Just a guess, but this one is worth a shot:
security.ssl3.rsa_des_ede3_sha
Of course reset it to false when done.
DISCLAIMER: My suggestions are use at your own risk, and no approval or disapproval from the PM PTB is applicable or relevant.

p.s. I know that agency and they aren't the sharpest tools in the shed.
Win10home(1709), PM29.x-port

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 30527
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by Moonchild » 2021-06-23, 21:35

I tried visiting the site. No problems seen.

WORKSFORME

Update: SSLLabs states the certificate chain is incomplete. So I must have visited a different site that had a complete chain with the same issuer certificate before.
So.. webmaster error. Solution: provide a complete chain in the server certificate.
They need to include the following cert on their server's TLS setup.

Code: Select all

Go Daddy Secure Certificate Authority - G2
Fingerprint SHA256: 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6
Pin SHA256: 8Rw90Ej3Ttt8RRkrg+WYDS9n7IS03bk5bjP/UXPtaY8=
RSA 2048 bits (e 65537) / SHA256withRSA 
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
Image

BenFenner
Lunatic
Lunatic
Posts: 285
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by BenFenner » 2021-06-23, 21:55

This all makes sense, and is a clearer description of what I'd found earlier.

However, wouldn't you think I could export that certificate from one working setup and import it to the other, non-working setup? Because I tried that, and it didn't work...
What am I missing?

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 30527
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by Moonchild » 2021-06-24, 00:41

You must have made a mistake exporting or importing, because just exporting the CA cert and importing it in the other setup would complete the trust chain in the browser.
That's a kludgy workaround though, the gov site just needs to fix their certs.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
Image

coffeebreak
Moon Magic practitioner
Moon Magic practitioner
Posts: 2756
Joined: 2015-09-26, 04:51
Location: U.S.

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by coffeebreak » 2021-06-24, 01:51

BenFenner wrote:
2021-06-23, 21:55
wouldn't you think I could export that certificate from one working setup and import it to the other, non-working setup? Because I tried that, and it didn't work...
Moonchild wrote:
2021-06-23, 21:35
I must have visited a different site that had a complete chain with the same issuer certificate before.
@BenFenner,
As a work around, you should be able to complete the chain by visiting onshape.com.
(I completed it by following an onshape link that was posted in a Web Compatibility Support thread):

Code: Select all

Web Compatibility Support board -> "onshape.com - Your browser is not fully compatible with Onshape"  
[ https://forum.palemoon.org/viewtopic.php?f=70&t=26999 ] -> 
https://cad.onshape.com/check

BenFenner
Lunatic
Lunatic
Posts: 285
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Another certificate issue - SEC_ERROR_UNKNOWN_ISSUER

Unread post by BenFenner » 2021-06-24, 14:42

Thank you for the help everyone.
coffeebreak, I was excited to try your solution as I thought it would surely work. However, it does not, because I think this installation of Pale Moon refuses to accept the required intermediary certificate. Visiting the site you mentioned worked, but did not install the intermediary certificate. I can't import it from the other computers (it doesn't work) and I even exported it from this computer's installation of Firefox with the same result (the certificate just doesn't seem to want to apply/install).

So, I'm going to try completely uninstalling Pale Moon. It seems my best option right now. I'll report back.

Edit: I have had some success! I uninstalled Pale Moon, then removed the related stuff from the AppData Local/Roaming directories. Now with a proper fresh install, I visited the site and got the error (but was allowed to add an exception this time if I wanted, which I did not do, but find very strange). I then visited the site coffeebreak mentioned, which loaded and must have applied the intermediary certificate properly, because now when I visit the original site in question it is working! If I can find contact info for them, I will try to get them to fix it properly.
Now I'm going to restore the profile I backed up and see how that goes. :thumbup:

Edit 2: Well, it seems the user of this computer deleted the profile backup, and the bookmark backup I'd made yesterday. :lol:
Just now when I removed the directories from the Local/Roaming spots, I actually moved them elsewhere instead of deleting them. So I will try to put them back, or some of their files, to get the profile back. I figure if I restore them completely I might be back where I started, so I'm going to look for what I believe are the pertinent files...

Edit 3: I didn't find anything useful in Local, so I copied these files and directories from the Roaming directory:
bookmarkbackups/
extensions/
extensions.ini
extensions.json
extensions.sqlite
prefs.js
xulstore.json


I may have copied over one or two files I didn't need, but after doing all of those I had things back just as I remember them on this profile. I restored the bookmarks from the backup, and now all is perfect! The site still works as well.
That should be it for this issue.
Thank you all who provided help and encouragement.

Post Reply