
certificates - Error code: sec_error_untrusted_issuer - IT Security Stack Exchange


Error code: sec_error_untrusted_issuer


I need help with a security issue concerning this code that has just been popping up recently as I visit my favorite websites. Based on some past history I KNOW something is not right, and I am not only concerned about my security, but really pissed off that my freedom is being controlled by somebody I don't even know. I keep getting the error code posted in my title. Please help me fix this!!!
certificates web-browser certificate-authority man-in-the-middle firefox firefox 37


edited Feb 13 at 9:43


Bob Watson 2,019 5 24

asked Feb 12 at 20:31


Charlie 9 12

asked 7 months ago viewed 4183 times active 7 months ago

1 You have not provided enough information to answer this question. Is your date/time set properly on your clock? Rook Feb 12 at 20:48

Feb 12 at 20:56

1 It would be most helpful to provide you with more information if you posted the output of openssl s_client -connect $BROKEN_SITE:443 -showcerts here. Jeff Ferland

1 ... or at least post the certificate info page of a site. Jeff Ferland Feb 12 at 21:59


2 Answers


Identifying the problem certificate

When next you visit a site that shows that error, have a look at the certificate chain; it should look something like:


http://security.stackexchange.com/questions/30810/error-code-sec-error-untrusted-issuer[29-09-2013 22:08:37]


If it doesn't, that is, if something in that line is a problem, it should identify the expired issuer certificate or the like.

Reasons for a problem certificate

It is possible that this is evidence of a man-in-the-middle attack, but this shouldn't be your very first thought since it requires an amount of technical difficulty to mount. If someone is attempting something like that - you should see an issue when you click on the certificates 'up the chain' from the site you're on (in the window pictured above). If you see something that appears malicious, your connection is not safe and you should move to a different network.

It is possible this is a man-in-the-middle attack staged by your network administrator. If you're on a corporate network using a corporate owned machine, it's possible that the administrator overlooked issuing the proxy to your machine as a trusted CA, or that that certificate has expired, etc. If you see someone you recognise (your network operator) in the chain above, talk to them. Also, be aware that while your connection is likely safe, they are able to listen in.

You may have an expired or different version of the same certificate root on your machine for some reason - you may also not trust the root (StarSSL is an issuer that doesn't have great coverage, but there are others). Try updating your browser, run Windows Update, etc. if the chain looks to be ok, but shows expired certificates. Firefox uses a different store to IE - if you don't get the issue in IE, you likely need to check for Firefox updates.

You may not be connecting to the site you think you're connecting to. In a corporate environment, or at a public hotspot, there may be a 'click-through' page you need to get past to start using the network, and it may be using a certificate you don't trust, or a self-signed certificate, etc.

It may be as simple as your system clock being set wrong, so believing that your CA certificates are expired when they are, in fact, valid.
You may be interested in this help page at sslshopper; they link to all the major CAs with instructions on how to update your root certificates.
edited Feb 13 at 9:40 answered Feb 12 at 21:31
Bob Watson 2,019 5 24


Thank you very much for your expertise!!! Charlie Feb 12 at 23:28

If you're seeing this error on major websites that you're familiar with, it may be an indication that somebody is performing some sort of a man-in-the-middle attack. They are presenting you with "valid" certificates for the website that are signed by their own certificate authority which is not trusted. That said, there are several configuration errors that could be wrong. If you're seeing this for something on the scale of Google, be concerned. Otherwise, it may be that the website is using a misconfigured identity chain or is using one of the certificate authorities that has been marked as untrusted in the wake of a breach.

Here's how I verified GMail:
# Output of `openssl s_client -connect $BROKEN_SITE:443 -showcerts < /dev/null`
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
[...]

You'll notice at the bottom it said "Verify return code: 20 (unable to get local issuer certificate)". That's because the certificate chain expects the client to maintain its own copy of trusted root keys. You can see the list of keys that are included with Firefox at http://www.mozilla.org/projects/security/certs/included/. There's a whole mess of things going on, but basically Equifax is GeoTrust, so I downloaded that key. You can see the important parts of that in two places:

 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

and from going a step further and running openssl x509 -text on that certificate to get the signing key id from that second certificate block:


X509v3 Authority Key Identifier: keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

So what we need is a copy of the root certificate with the key, and that's one of some kind of trust. http://curl.haxx.se/ca/cacert.pem ended up being the bundle I chose because exporting from various operating system points is a nuisance at the least. Running openssl s_client -connect $BROKEN_SITE:443 -showcerts -CAfile cacert.pem < /dev/null now gives me a favorable return code:
Start Time: 1360706261
Timeout   : 300 (sec)
Verify return code: 0 (ok)

You can also try manually finding that key on your system and exporting it for SSL to verify.
edited Feb 12 at 21:58 answered Feb 12 at 20:57
Jeff Ferland 22.5k 3 35 92
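
An offline reproduction of the check in the answer above, added here as an example and not part of the original post: it builds a constructed root, intermediate and leaf with openssl, shows verification failing with error 20 when the root is not a trust anchor and succeeding once it is passed with -CAfile, and compares the intermediate's Authority Key Identifier with the root's Subject Key Identifier. The subjects, file names and helper functions are assumptions made up for the example.

```shell
#!/bin/sh
# Constructed chain: root CA -> intermediate CA -> leaf. All names are made up.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

issue() {  # $1 = new cert stem, $2 = issuer stem, $3 = extension section, $4 = subject
    openssl req -new -newkey rsa:2048 -nodes -config "$work/ext.cnf" -subj "$4" \
        -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
    openssl x509 -req -in "$work/$1.csr" -CA "$work/$2.pem" -CAkey "$work/$2.key" \
        -CAcreateserial -days 1 -extfile "$work/ext.cnf" -extensions "$3" \
        -out "$work/$1.pem" 2>/dev/null
}
# Self-signed root, then the two certificates beneath it.
openssl req -x509 -newkey rsa:2048 -nodes -config "$work/ext.cnf" -extensions ca \
    -subj "/CN=Constructed Root CA" -days 1 \
    -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
issue int root ca "/CN=Constructed Intermediate CA"
issue leaf int leaf "/CN=site.example"

verify_without_root() {  # the constructed root is not offered as a trust anchor
    openssl verify -untrusted "$work/int.pem" "$work/leaf.pem" 2>&1 || true
}
verify_with_root() {     # same chain, root supplied the way -CAfile cacert.pem does
    openssl verify -CAfile "$work/root.pem" -untrusted "$work/int.pem" "$work/leaf.pem" 2>&1
}
key_id() {  # $1 = cert stem, $2 = extension name as printed by `x509 -text`
    openssl x509 -in "$work/$1.pem" -noout -text |
        grep -A1 "X509v3 $2" | tail -n 1 | sed 's/keyid://' | tr -d ' \n'
}

verify_without_root
verify_with_root
echo "intermediate AKI: $(key_id int 'Authority Key Identifier')"
echo "root SKI:         $(key_id root 'Subject Key Identifier')"
```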

Please walk me through the independently/manual verification. Charlie Feb 12 at 21:05

Thank You!!! I'm so glad I found this website. I will let you know how it turns out. Man in the Middle;/ grrr....cowards and trouble makers.... Charlie Feb 12 at 23:24

Hello, I have time to pay attention to this problem today. I went to the website, iheart, where I had this problem, but there was no security alert. If there was a problem once, wouldn't that be considered an ongoing security issue popping up with this code every time, or...is there only a problem when the MIM is present? Charlie Feb 13 at 23:41

This is my exact problem: I am afraid there is someone manipulating my iheart music. I had a problem with a man on Pandora impersonating a friend with the same name. I'm afraid he's found me on iheart. I made the mistake of sharing songs with someone using the wrong email address for months. For example, Steven Smith vs. Steve Smith with the same carrier. This imposter never told me I was sending it to the wrong person for months. It was really devastating. I felt emotionally raped. How do I protect myself from this imposter? I am scared of the access he has to my computer/web browsing. Charlie Feb 14 at 0:20

1 I just checked out iheart. It is not an encrypted site and can be seen by others. Charlie Feb 14 at 2:55

site design / logo 2013 stack exchange inc; user contributions licensed under cc-wiki with attribution required
