Error code: sec_error_untrusted_issuer

  • I need help with a security issue concerning this code that has just been popping up recently as I visit my favorite websites. Based on some past history I KNOW something is not right, and I am not only concerned about my security, but really pissed off that my freedom is being controlled by somebody I don't even know.

    I keep getting the error code posted in my title. Please help me fix this!!!

    You have not provided enough information to answer this question. Is your date/time set properly on your clock?

    It would be most helpful to provide you with more information if you posted the output of `openssl s_client -connect $BROKEN_SITE:443 -showcerts` here.

    ... or at least post the certificate info page of a site.

  • Identifying the problem certificate

    When next you visit a site that shows that error, have a look at the certificate chain, it should look something like this:

[image: Certificate chain for mail.google.com]

    If it doesn't, that is, if something in that line is a problem, it should identify the expired issuer certificate or the like.

    Reasons for a problem certificate

    • It is possible that this is evidence of a man-in-the-middle attack, but this shouldn't be your very first thought since it requires an amount of technical difficulty to mount. If someone is attempting something like that - you should see an issue when you click on the certificates 'up the chain' from the site you're on (in the window pictured above).

      If you see something that appears malicious, your connection is not safe and you should move to a different network.

    • It is possible this is a man-in-the-middle attack staged by your network administrator. If you're on a corporate network using a corporate owned machine, it's possible that the administrator overlooked issuing the proxy to your machine as a trusted CA, or that that certificate has expired, etc.

      If you see someone you recognise (your network operator) in the chain above, talk to them. Also, be aware that whilst your connection is likely safe, they are able to listen in.

• You may have an expired or different version of the same certificate root on your machine for some reason - you may also not trust the root (StartSSL is an issuer that doesn't have great coverage, but there are others). Try updating your browser, running Windows Update, etc. if the chain looks to be ok but shows expired certificates.

Firefox uses a different store from IE - if you don't get the issue in IE, you likely need to check for Firefox updates.

    • You may not be connecting to the site you think you're connecting to. In a corporate environment, or at a public hotspot, there may be a 'click-through' page you need to get past to start using the network, and it may be using a certificate you don't trust, or a self-signed certificate, etc.

    • It may be as simple as your system clock being set wrong, so believing that your CA certificates are expired when they are, in fact, valid.

    You may be interested in this help page at SSL Shopper; they link to all the major CAs with instructions on how to update your root certificates.
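The answer above says to read the chain from the top down and to treat the verify result as the pointer to which of the listed causes applies. As an added example, not part of the answer, the script below does exactly that triage over the text that `openssl s_client -showcerts` prints: it checks that each certificate's issuer is the subject of the next one up (the "something in that line is a problem" check), extracts the verify return code, and maps it to the causes listed above. The two sample outputs are constructed for this example (the first mirrors the layout of the output posted later on this page; the second uses placeholder names), and the code-to-cause table is my reading of OpenSSL's `X509_V_ERR_*` values, not something the answer spells out.

```python
import re

# Constructed sample: the chain and verify sections from an `openssl s_client
# -showcerts` run, in the same layout as the output shown on this page.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
    Start Time: 1360703474
    Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample of a broken chain: the server sends an intermediate that
# did not issue the leaf (placeholder names, not a real site).
BROKEN_OUTPUT = """\
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Issuing CA 2
 1 s:/CN=Example Issuing CA 1
   i:/CN=Example Root CA
---
    Verify return code: 2 (unable to get issuer certificate)
"""

# OpenSSL X509_V_ERR_* codes mapped to the causes discussed in the answer above.
VERIFY_HINTS = {
    0: "ok: chain verified against the local trust store",
    2: "issuer missing from the chain the server sent (server misconfiguration)",
    9: "certificate not yet valid: check the system clock first",
    10: "certificate expired: check the system clock, then the site or CA",
    18: "self-signed leaf: captive portal, intercepting proxy, or untrusted site",
    19: "self-signed certificate in chain: unknown CA, possibly an intercepting proxy",
    20: "root not in local trust store: outdated root store, unusual CA, "
        "or an issuer you do not know (possible interception)",
    21: "leaf issuer unknown and no chain sent: misconfiguration or interception",
    62: "hostname mismatch: not talking to the site you think you are",
}


def parse_chain(output):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    chain = []
    lines = output.splitlines()
    for n, line in enumerate(lines):
        m = re.match(r"\s*(\d+) s:(.*)", line)
        if m and n + 1 < len(lines):
            mi = re.match(r"\s*i:(.*)", lines[n + 1])
            if mi:
                chain.append((int(m.group(1)), m.group(2).strip(), mi.group(1).strip()))
    return chain


def parse_verify_code(output):
    m = re.search(r"Verify return code: (\d+)", output)
    return int(m.group(1)) if m else None


def chain_breaks(chain):
    """Depths at which a certificate's issuer is not the subject of the next
    certificate up. The last certificate is excluded: its issuer must come
    from the local trust store, which this output cannot show."""
    return [d for (d, _s, i), (_d2, s2, _i2) in zip(chain, chain[1:]) if i != s2]


def diagnose(output):
    chain = parse_chain(output)
    code = parse_verify_code(output)
    return {
        "depth": len(chain),
        "top_issuer": chain[-1][2] if chain else None,
        "breaks": chain_breaks(chain),
        "verify_code": code,
        "hint": VERIFY_HINTS.get(code, "unrecognised verify code; see the openssl verify docs"),
    }


if __name__ == "__main__":
    for name, out in (("sample", SAMPLE_OUTPUT), ("broken", BROKEN_OUTPUT)):
        print(name, diagnose(out))
```

For the first sample the chain links cleanly and the only finding is code 20, which is the "root not in local trust store" case the answer describes; for the second the break at depth 0 is reported before the verify code is even consulted. To use it on a live site, save the `openssl s_client` output to a file and pass its contents to `diagnose()`.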

• If you're seeing this error on major websites that you're familiar with, it may be an indication that somebody is performing some sort of a man-in-the-middle attack. They are presenting you with "valid" certificates for the website that are signed by their own certificate authority which is not trusted.

    That said, there are several configuration errors that could be wrong. If you're seeing this for something on the scale of Google, be concerned. Otherwise, it may be that the website is using a misconfigured identity chain or is using one of the certificate authorities that has been marked as untrusted in the wake of a breach.

    Here's how I verified GMail:

    #Output of `openssl s_client -connect $BROKEN_SITE:443 -showcerts < /dev/null`
    
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority
    -----BEGIN CERTIFICATE-----
    MIIDgjCCAuugAwIBAgIKGIsINwAAAAB3YjANBgkqhkiG9w0BAQUFADBGMQswCQYD
    VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
    dGVybmV0IEF1dGhvcml0eTAeFw0xMzAxMDMxMjEyMzlaFw0xMzA2MDcxOTQzMjda
    MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
    b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRgwFgYDVQQDEw9tYWls
    Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKdLhbKA5ZQD
    b8pK5WypcYChZ/e5Rugmtem9WU973RpQaMc633MVzqhpANQnCanN4dFuLcaj6TvW
    qpRjgxpkJ7/+h5DU5rjkiah2IxUT4CdrOAr6H7HscQrsNP8NnByn1kcP7HBsKmuJ
    kPXeWOlOrk1v8PHKfXLAenmUKP6FAVjJAgMBAAGjggFSMIIBTjAdBgNVHSUEFjAU
    BggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFJ5FvWMPpHBCSLtVaEiEPHcH
    2+iUMB8GA1UdIwQYMBaAFL/AMOv1QxE+Z7qekfv8atrjaxIkMFsGA1UdHwRUMFIw
    UKBOoEyGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJuZXRBdXRo
    b3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3JsMGYGCCsGAQUFBwEBBFow
    WDBWBggrBgEFBQcwAoZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRl
    cm5ldEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcnQwDAYDVR0T
    AQH/BAIwADAaBgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wDQYJKoZIhvcNAQEF
    BQADgYEAbzIEqZ5I7hoo9UX0i17B5A5MEui0Sv8HxgExC14AP/iUF1WKZSTEi7UH
    IF9EPMUyCGT0hK08DYXTIED2XkOYj/CvyidAneH6OVR//iRdDIFu15DrCIpEZVnN
    QZ+NXQL0kU1Dwj+VMLPYXDogHNX2/dfCc/Tf5oWj+n5fJ/crv6g=
    -----END CERTIFICATE-----
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    -----BEGIN CERTIFICATE-----
    MIICsDCCAhmgAwIBAgIDC2dxMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
    MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
    aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNjA4MjA0MzI3WhcNMTMwNjA3MTk0MzI3
    WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ
    R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
    gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf
    NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb
    qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB
    oDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFL/AMOv1QxE+Z7qekfv8atrjaxIk
    MB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/UMBIGA1UdEwEB/wQIMAYB
    Af8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
    Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAuIojxkiWsRF8YHde
    BZqrocb6ghwYB8TrgbCoZutJqOkM0ymt9e8kTP3kS8p/XmOrmSfLnzYhLLkQYGfN
    0rTw8Ktx5YtaiScRhKqOv5nwnQkhClIZmloJ0pC3+gz4fniisIWvXEyZ2VxVKfml
    UUIuOss4jHg7y/j7lYe8vJD5UDI=
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2110 bytes and written 348 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.1
        Cipher    : ECDHE-RSA-RC4-SHA
        Session-ID: 72257B54ADC216B87F6CDBC74BD6C66EDFB79CDF5BAC478DBE74885759CA7564
        Session-ID-ctx: 
        Master-Key: EACF7DDE1B6AF2BD1F274DD9009C718812B8F45B4CDE348CDA2B488C94070B6ABED087B11DF7B74A6EF9A2D6E157F089
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        0000 - c2 4f ef 02 39 eb 74 ec-60 c1 97 ee f0 de d6 5d   .O..9.t.`......]
        0010 - 8c 64 96 ad c0 ef a1 8d-49 4d df 7c 3e d7 13 39   .d......IM.|>..9
        0020 - 8c cf 1b db 4b 26 af f4-bc b7 44 95 5b 6c b3 05   ....K&....D.[l..
        0030 - 23 40 81 bf 46 e9 64 32-24 8b 49 73 82 12 14 5b   #@..F.d2$.Is...[
        0040 - 3d eb b1 75 3b 38 c7 9c-3c 21 ac 2c 2a d5 9f 71   =..u;8..<!.,*..q
        0050 - 7c 77 6b fa 44 f7 6a d3-19 10 ba cd f2 8e 7f 73   |wk.D.j........s
        0060 - ba 20 43 7f 83 db 78 6a-42 59 2a b6 bb b2 c5 c3   . C...xjBY*.....
        0070 - f3 71 ee 26 48 82 39 36-9f 96 b1 7e 85 a8 3f 39   .q.&H.96...~..?9
        0080 - 39 82 0e b3 18 cd 45 51-7a 19 ee 56 f8 dd 2d 3c   9.....EQz..V..-<
        0090 - 20 49 b7 69                                        I.i
    
        Start Time: 1360703474
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    

    You'll notice at the bottom it said "Verify return code: 20 (unable to get local issuer certificate)". That's because the certificate chain expects the client to maintain its own copy of trusted root keys. You can see the list of keys that are included with Firefox at http://www.mozilla.org/projects/security/certs/included/.

    There's a whole mess of things going on, but basically Equifax is GeoTrust, so I downloaded that key. You can see the important parts of that in two places:

    1 s:/C=US/O=Google Inc/CN=Google Internet Authority i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

    and from going a step further and running openssl x509 -text on that certificate to get the signing key id from that second certificate block:

    X509v3 Authority Key Identifier: keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

    So what we need is a copy of the root certificate with the key, and that's one of some kind of trust. http://curl.haxx.se/ca/cacert.pem ended up being the bundle I chose because exporting from various operating system points is a nuisance at the least.

    Running openssl s_client -connect $BROKEN_SITE:443 -showcerts -CAfile cacert.pem < /dev/null now gives me a favorable return code:

    Start Time: 1360706261
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
    

    You can also try manually finding that key on your system and exporting it for SSL to verify.
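The answer above finds the missing root by taking the Authority Key Identifier from the intermediate and looking for a certificate whose Subject Key Identifier carries that key id. As an added example, not part of the answer, the script below performs that same lookup with only the Python standard library. The two certificates are copied from the `s_client` output in the answer (the mail.google.com leaf and the "Google Internet Authority" intermediate); the root is not in that output, so the intermediate's issuer lookup fails exactly as `Verify return code: 20` reports. Assumptions: the extension OIDs are located by a byte search rather than by walking the full TBSCertificate structure, which is adequate for real certificates but is a shortcut, and `find_issuer` compares key ids only, without checking the signature.

```python
import base64
import re

# Certificates copied from the openssl s_client output in the answer above.
LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIDgjCCAuugAwIBAgIKGIsINwAAAAB3YjANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMzAxMDMxMjEyMzlaFw0xMzA2MDcxOTQzMjda
MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRgwFgYDVQQDEw9tYWls
Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKdLhbKA5ZQD
b8pK5WypcYChZ/e5Rugmtem9WU973RpQaMc633MVzqhpANQnCanN4dFuLcaj6TvW
qpRjgxpkJ7/+h5DU5rjkiah2IxUT4CdrOAr6H7HscQrsNP8NnByn1kcP7HBsKmuJ
kPXeWOlOrk1v8PHKfXLAenmUKP6FAVjJAgMBAAGjggFSMIIBTjAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFJ5FvWMPpHBCSLtVaEiEPHcH
2+iUMB8GA1UdIwQYMBaAFL/AMOv1QxE+Z7qekfv8atrjaxIkMFsGA1UdHwRUMFIw
UKBOoEyGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJuZXRBdXRo
b3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3JsMGYGCCsGAQUFBwEBBFow
WDBWBggrBgEFBQcwAoZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRl
cm5ldEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcnQwDAYDVR0T
AQH/BAIwADAaBgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wDQYJKoZIhvcNAQEF
BQADgYEAbzIEqZ5I7hoo9UX0i17B5A5MEui0Sv8HxgExC14AP/iUF1WKZSTEi7UH
IF9EPMUyCGT0hK08DYXTIED2XkOYj/CvyidAneH6OVR//iRdDIFu15DrCIpEZVnN
QZ+NXQL0kU1Dwj+VMLPYXDogHNX2/dfCc/Tf5oWj+n5fJ/crv6g=
-----END CERTIFICATE-----"""
INTERMEDIATE_PEM = """-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDC2dxMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNjA4MjA0MzI3WhcNMTMwNjA3MTk0MzI3
WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf
NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb
qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB
oDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFL/AMOv1QxE+Z7qekfv8atrjaxIk
MB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/UMBIGA1UdEwEB/wQIMAYB
Af8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAuIojxkiWsRF8YHde
BZqrocb6ghwYB8TrgbCoZutJqOkM0ymt9e8kTP3kS8p/XmOrmSfLnzYhLLkQYGfN
0rTw8Ktx5YtaiScRhKqOv5nwnQkhClIZmloJ0pC3+gz4fniisIWvXEyZ2VxVKfml
UUIuOss4jHg7y/j7lYe8vJD5UDI=
-----END CERTIFICATE-----"""

# DER encoding of the two extension OIDs: OBJECT IDENTIFIER (0x06), length 3, 2.5.29.N
OID_SKI = bytes.fromhex("0603551d0e")  # subjectKeyIdentifier   (2.5.29.14)
OID_AKI = bytes.fromhex("0603551d23")  # authorityKeyIdentifier (2.5.29.35)


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extension_value(der, oid):
    """Inner DER of the X509v3 extension with this OID. Assumption (shortcut):
    these OIDs only occur in the extensions sequence, so a byte search suffices."""
    idx = der.find(oid)
    if idx < 0:
        return None
    tag, val, pos = read_tlv(der, idx + len(oid))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the value
        tag, val, pos = read_tlv(der, pos)
    return val if tag == 0x04 else None  # extnValue is an OCTET STRING


def subject_key_id(pem):
    val = extension_value(pem_to_der(pem), OID_SKI)
    if val is None:
        return None
    _tag, keyid, _ = read_tlv(val, 0)  # KeyIdentifier ::= OCTET STRING
    return keyid.hex(":").upper()


def authority_key_id(pem):
    val = extension_value(pem_to_der(pem), OID_AKI)
    if val is None:
        return None
    _tag, seq, _ = read_tlv(val, 0)  # AuthorityKeyIdentifier ::= SEQUENCE
    tag, keyid, _ = read_tlv(seq, 0)
    return keyid.hex(":").upper() if tag == 0x80 else None  # [0] keyIdentifier


def find_issuer(pem, candidates):
    """The candidate (chain member or bundle entry) whose SKI equals this
    certificate's AKI, or None: the case behind 'unable to get local issuer'."""
    want = authority_key_id(pem)
    return next((c for c in candidates if want and subject_key_id(c) == want), None)


if __name__ == "__main__":
    chain = [LEAF_PEM, INTERMEDIATE_PEM]
    print("intermediate AKI:", authority_key_id(INTERMEDIATE_PEM))
    print("leaf issuer in chain:", find_issuer(LEAF_PEM, chain) is INTERMEDIATE_PEM)
    print("intermediate issuer in chain:", find_issuer(INTERMEDIATE_PEM, chain) is not None)
```

The intermediate's AKI comes out as the same `48:E6:68:F9:...` value the answer obtained with `openssl x509 -text`. Appending the contents of a CA bundle such as the cacert.pem the answer used to `candidates` is the programmatic equivalent of passing `-CAfile`; when one of its entries carries that SKI, the lookup succeeds.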

    Please walk me through the independently/manual verification.

    Thank You!!! I'm so glad I found this website. I will let you know how it turns out. Man in the Middle;/ grrr....cowards and trouble makers....

    Hello, I have time to pay attention to this problem today. I went to the website, iheart, where I had this problem, but there was no security alert. If there was a problem once, wouldn't that be considered an ongoing security issue popping up with this code every time, or...is there only a problem when the MIM is present?

This is my exact problem: I am afraid there is someone manipulating my iheart music. I had a problem with a man on Pandora impersonating a friend with the same name. I'm afraid he's found me on iheart. I made the mistake of sharing songs with someone using the wrong email address for months. For example, Steven Smith vs. Steve Smith with the same carrier. This imposter never told me I was sending it to the wrong person for months. It was really devastating. I felt emotionally raped. How do I protect myself from this imposter? I am scared of the access he has to my computer/web browsing.

    Okay, so I logged onto iheart looking for the security lock that the other person suggested. There is no security icon. Also, I am not getting the security alert with this log on. As I said, if this site was a security risk once, wouldn't it continue to be a risk? Will the security risk code only come up when there is a MIM?

I just checked out iheart. It is not an encrypted site and can be seen by others.

License under CC-BY-SA with attribution