Your connection is not secure

[Domundi]

Hello,

Part of a corp helpdesk. New images being created for future roll out for all IT/IS personnel.

"Your connection is not secure" is returned for every secure site I attempt to visit excluding Mozilla.org, mozillazine.org, & subdomains. This behavior started with FF version 54

Google:
_________________
www.google.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

https://www.google.com/search?q=test&ie=utf-8&oe=utf-8

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: true

Certificate chain:

-----BEGIN CERTIFICATE-----
MIIC5DCCAcygAwIBAgIRAK+Do46Y3r8StsC2XzsUYcIwDQYJKoZIhvcNAQELBQAw
KzELMAkGA1UEBhMCRU4xHDAaBgNVBAMME0FkZ3VhcmQgUGVyc29uYWwgQ0EwHhcN
MTcwNjIxMTQzNTUwWhcNMTcwOTEzMTM1MzAwWjBoMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UE
CgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAMff6d6+RromjLTvRwKK74AbEb0q8TFM0R+E24GF
8fhhYATr859l/IAkTsiZOdBjBUSAmdNbdSd3Sdr+06lhvAGbMNTpobSTNZSe1jNt
znVBRwM1Q2++ENfWY45zK3QqnSM6G6iTDhdalw7SQW/8DfCXhCjOaqGxP9gTSc6M
+Mn3AgMBAAGjSjBIMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMAwGA1UdEwEB
/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEB
CwUAA4IBAQBy7Ohi6E/Lyr5jEQcJx4p+pjKV2Nk/cL1egRxO3tuXdPOTVD5tulbg
SqCu0m5lFkN7uHvozURP4WEcYOLr2szeP6Dqnxg2krOx1UqHy5UglVDJclE/eadE
lKFnarb9LFonheY73g2lO+yslQ670KGb1incS5uqFaBuNwyR0vA5dt8+nZxY0jYZ
zde69ssxw5mehsaXeJ5V+cHf2fRkgzzHVdb83dbx1+48mNQHkxKh7doTo0L8ITOW
Qp1hHnyUBh3/f5RlC5xENnBOoC0SAMjdQwMZIZeVsEpzLtTwrDGYz9cxLBDHVsGt
TE9kJXsTNlr98RfbpZzczMSy8pYTK7R+
-----END CERTIFICATE-----


Yahoo
_________
yahoo.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

https://yahoo.com/ Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Certificate chain: -----BEGIN CERTIFICATE----- MIIHOzCCBiOgAwIBAgIRANz95jIjLfyW+nJBvazqHPUwDQYJKoZIhvcNAQELBQAw KzELMAkGA1UEBhMCRU4xHDAaBgNVBAMME0FkZ3VhcmQgUGVyc29uYWwgQ0EwHhcN MTUxMDMxMDAwMDAwWhcNMTcxMDMwMjM1OTU5WjCBhDELMAkGA1UEBhMCVVMxEzAR BgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTETMBEGA1UECgwK WWFob28gSW5jLjEfMB0GA1UECwwWSW5mb3JtYXRpb24gVGVjaG5vbG9neTEWMBQG A1UEAwwNd3d3LnlhaG9vLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA 1IUGqFeEWraAlUE/YKcg8n5wg8vaHFOYH+GLhYsAQHzdLl5HYbIBw0xxqouoI7mR Su4CJDnK17CbemnhoABPYrZU6ENbIq5uC7MgzmywefH+9yCK3MegS/PDmqtOeagQ cBDMnqiRRjvbO8CquKmlQXP0qfZ9rUBSA/yKvoJRjp0CAwEAAaOCBIIwggR+MIIE UAYDVR0RBIIERzCCBEOCDXd3dy55YWhvby5jb22CCXlhaG9vLmNvbYIOaHNyZC55 YWhvby5jb22CDHVzLnlhaG9vLmNvbYIMZnIueWFob28uY29tggx1ay55YWhvby5j b22CDHphLnlhaG9vLmNvbYIMaWUueWFob28uY29tggxpdC55YWhvby5jb22CDGVz LnlhaG9vLmNvbYIMZGUueWFob28uY29tggxjYS55YWhvby5jb22CDHFjLnlhaG9v LmNvbYIMYnIueWFob28uY29tggxyby55YWhvby5jb22CDHNlLnlhaG9vLmNvbYIM YmUueWFob28uY29tgg9mci1iZS55YWhvby5jb22CDGFyLnlhaG9vLmNvbYIMbXgu eWFob28uY29tggxjbC55YWhvby5jb22CDGNvLnlhaG9vLmNvbYIMdmUueWFob28u Y29tghFlc3Bhbm9sLnlhaG9vLmNvbYIMcGUueWFob28uY29tggxpbi55YWhvby5j b22CDHNnLnlhaG9vLmNvbYIMaWQueWFob28uY29tghJtYWxheXNpYS55YWhvby5j b22CDHBoLnlhaG9vLmNvbYIMdm4ueWFob28uY29tghFtYWt0b29iLnlhaG9vLmNv bYIUZW4tbWFrdG9vYi55YWhvby5jb22CD2NhLm15LnlhaG9vLmNvbYIMZ3IueWFo b28uY29tgg1hdHQueWFob28uY29tggxhdS55YWhvby5jb22CDG56LnlhaG9vLmNv bYIMdHcueWFob28uY29tggxoay55YWhvby5jb22CDWJyYi55YWhvby5jb22CDG15 LnlhaG9vLmNvbYIQYWRkLm15LnlhaG9vLmNvbYISZnJvbnRpZXIueWFob28uY29t ghF2ZXJpem9uLnlhaG9vLmNvbYITY2Eucm9nZXJzLnlhaG9vLmNvbYIWZnItY2Eu cm9nZXJzLnlhaG9vLmNvbYIUdGF0YWRvY29tby55YWhvby5jb22CEHRpa29uYS55 YWhvby5jb22CF2lkZWFuZXRzZXR0ZXIueWFob28uY29tghJtdHNpbmRpYS55YWhv by5jb22CE3NtYXJ0ZnJlbi55YWhvby5jb22CDyouYXR0LnlhaG9vLmNvbYISKi5w ZW9wbGUueWFob28uY29tghUqLmNlbGVicml0eS55YWhvby5jb22CFyoudmlkYS1l c3RpbG8ueWFob28uY29tghEqLnN0eWxlLnlhaG9vLmNvbYISKi5tb3ZpZXMueWFo b28uY29tghEqLnN0YXJzLnlhaG9vLmNvbYIQKi5raW5vLnlhaG9vLmNvbYIQKi5j aW5lLnlhaG9vLmNvbYISKi5jaW5lbWEueWFob28uY29tghgqLmNlbGVicmlkYWRl cy55YWhvby5jb22CECoubGl2ZS55YWhvby5jb22CEiouYmVhdXR5LnlhaG9vLmNv bTAJBgNVHRMEAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkq hkiG9w0BAQsFAAOCAQEASs/skIfGsP3BdjFwJjzeRQCHotZaBQ0tlN8YHzUiiExH GNtxdRJmK74XcKV96FlLT8E2YH+Z5F7+8EHFN0tCh2+hyubuwUrfPiGRwEkU48uq NKi/NPe6NcwArFKegKEdPRPeOAj6AgjGA5Xw+H2K0OSOmFtkkYvP65CkQThbtRNP 93tyvChJpPMLmk4hvLLratzo27FDo1PeoRbTvQ7/EPQhmi4EwlQ1TlyN3ej7cFdF aeITggDqkhB9V+dMpWJQtdQkH3ifOLL4gHdPoU01xN70pbijiy8zFHjx0V2Nmkf0 kskfZsvf9Px6xZc6BmnAOqWBjMi7bvwP/n1INRds/w== -----END CERTIFICATE-----

Google.com (and most sites) do not have the option to add an exception while yahoo.com is the only site that does so far.

I have tried all the known solutions: safe-mode, fresh install, wiping cert8.db, new profiles, insured correct time is set, etc. Nothing works.

OS: Windows 10 Ent LTSB 14393.1358
Name: Firefox
Version: 54.0
Build ID: 20170608105825
Update Channel: release
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
OS: Windows_NT 10.0
Multiprocess Windows: 0/1 (Disabled by accessibility tools)
Google Key: Found
Mozilla Location Service Key: Found
Safe Mode: false
Default base installed extensions.

AV/Malware: None installed yet. (Default Windows Defender until ESET is installed)
VPN Client: None installed yet.

Note.. this is ONLY being produced in browsers based on FF v54.0. Chromium-based & IE-based browsers are not having this issue. And we did not see this behavior in previous versions of FF.

I'm on a deadline so any helpful response that doesn't simply repeat steps already tried or links to KBs that are of no help are highly appreciated.

[therube]

How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites

[Domundi]

I am not attempting to be rude BUT see my last line in the original post. The part that states "..... or links to KBs that are of no help..." was included for this very purpose.

The information on that page was my first choice before trying other purposed solutions. It and they DID NOT resolve the issue. Result... I created my original post as the information presented on that page, other forum post, other websites, etc still has not provided a working solution.

[therube]

Have you tested with a new, clean Profile?

Are you using an "https-everywhere" type of extension?

Are you using a Proxy?

Have you retested with FF 53 to verify that is still not affected?

What A/V are you using?
Have you tested with A/V removed from the situation?

You mention mozillazine.org.
mozillazine.org does not use https: AFAIK.

[Domundi]

Please... I know people become eager when assisting... especially with something they are passionate about BUT SLOW DOWN. I appreciate it when people help, but it becomes annoying on any platform of communication when they do not take in information that is already present or are so rigid in their process that they do not step away from their scripts when it is needed.

All of that information save the use of a proxy is in the original post.

"..... This behavior started with FF version 54." <-------------- So No. This was not a problem until v54. IE... it didn't and still doesn't present in v53. We are not reverting as v54 addresses some issues impacting a couple of projects.

"I have tried all the known solutions: safe-mode, fresh install, wiping cert8.db, new profiles, insured correct time is set, etc. Nothing works." <-------------- So YES to a clean profile.

"Default base installed extensions." <-------------- So NO extensions or any other add-ons that are not part of the standard install.

"AV/Malware: None installed yet. (Default Windows Defender until ESET is installed)" <-------------- So NO.. NO AV is in use as I have yet to install one. This problem presents even with Defender disabled.

"VPN Client: None installed yet." <-------------- We install one for mobile users but that has not been installed yet. Repeated just incase it's going to be asked.

There is NO proxy in use.

[mightyglydd]

I appreciate it when people help, but it becomes annoying..........

Don't like the service?.....https://support.mozilla.org/en-US/products/firefox

[trolly]

You may look into the presented certificate to check the issuer. The name of the issuer may give us a hint.

[James]

What about Firewalls?. There has been some instances of certificates or secure site issues in past caused by firewalls though not as much as with some anitivirus clients.

If this was indeed an issue with Fx 54.0 from http://www.mozilla.org/firefox/all/ specifically then there would be other threads about it since it's release on June 13.

Also if you are doing multiple PC's then maybe the Firefox 52 ESR would be better. ESR generally gets eight main updates (for security and allowed stability fixes, no features) and Fx 52.8.0esr will be out May 2018 when Fx 60.0 is Released. The next ESR Release will be based on Fx 59.0.
https://www.mozilla.org/firefox/organizations/faq/
https://www.mozilla.org/firefox/organizations/all/

[Domundi]

I appreciate it when people help, but it becomes annoying..........

Don't like the service?.....https://support.mozilla.org/en-US/products/firefox

It's just your service. Pointing out areas of improvement is how people improve. I'm not highly sensitive and don't coddle. If you can't stand to be corrected and simply take the points at face value that is your lost. Enjoy staying mediocre.

Have to love the net brave. Thanks for wasting time and creating useless clutter.

Now...

@therube... It's resolved. I decided against including FF in the image then installed our AV (ESET). What do you know... everything started working right AFTER the install. This is even with the HTTPs scanning on (something we ALWAYS disabled in the past due to the hell it caused).

Not sure if the install "fixed" something in the process or what. Either way... it's solved.

Don't take my bluntness for rudeness (this time). Correction is how we improve. I help on a number of forums. Far too often I've had to step into a thread ten times as long as this because the person(s) attempting to help missed a detail that was provided. If that detail was considered the person seeking assistance could have received a solution in the first 2-3 responses. Add years in IT/IS and having to do the same thing in person and it's easy to see why I'm a cut to the chase "I've (the end-user) already provided that info d@mn it" kind of guy.

Thanks for the attempt.

@ James....

No changes with our infrastructure period (other than these images being created using latest Win10 LTSB).

Will be looking into your suggestions for some of our guys. The that's basically LTSB for FF.

Our webdev crew is crazy about their browsers and tend to QA against the latest genpop browsers. They'll update when new versions are pushed but for now... 54 is the latest.

As of now... consider this resolved even though I REALLY would have preferred to discover why it happened from the start. Especially since the only thins that was installed was Chromes latest & MS Office.

I'll revisit if it happens when building the other images.