Error code: sec_error_untrusted_issuer

  • I need help with a security issue concerning this code that has just been popping up recently as I visit my favorite websites. Based on some past history I KNOW something is not right, and I am not only concerned about my security, but really pissed off that my freedom is being controlled by somebody I don't even know.

    I keep getting the error code posted in my title. Please help me fix this!!!

    You have not provided enough information to answer this question. Is your date/time set properly on your clock?

    It would be most helpful to provide you with more information if you posted the output of `openssl s_client -connect $BROKEN_SITE:443 -showcerts` here.

    ... or at least post the certificate info page of a site.

  • Identifying the problem certificate

    When next you visit a site that shows that error, have a look at the certificate chain; it should look something like this:

    Certificate chain for

    If it doesn't, that is, if something in that line is a problem, it should identify the expired issuer certificate or the like.

    Reasons for a problem certificate

    • It is possible that this is evidence of a man-in-the-middle attack, but this shouldn't be your very first thought since it requires an amount of technical difficulty to mount. If someone is attempting something like that - you should see an issue when you click on the certificates 'up the chain' from the site you're on (in the window pictured above).

      If you see something that appears malicious, your connection is not safe and you should move to a different network.

    • It is possible this is a man-in-the-middle attack staged by your network administrator. If you're on a corporate network using a corporate owned machine, it's possible that the administrator overlooked issuing the proxy to your machine as a trusted CA, or that that certificate has expired, etc.

      If you see someone you recognise (your network operator) in the chain above, talk to them. Also, be aware that whilst your connection is likely safe, they are able to listen in.

    • You may have an expired or different version of the same certificate root on your machine for some reason - you may also not trust the root (StartSSL is an issuer that doesn't have great coverage, but there are others). Try updating your browser, run Windows Update, etc., if the chain looks to be ok but shows expired certificates.

      Firefox uses a different store to IE - if you don't get the issue in IE, you likely need to check for Firefox updates.

    • You may not be connecting to the site you think you're connecting to. In a corporate environment, or at a public hotspot, there may be a 'click-through' page you need to get past to start using the network, and it may be using a certificate you don't trust, or a self-signed certificate, etc.

    • It may be as simple as your system clock being set wrong, so believing that your CA certificates are expired when they are, in fact, valid.

    You may be interested in this help page at SSL Shopper; they link to all the major CAs with instructions on how to update your root certificates.

  • If you're seeing this error on major websites that you're familiar with, it may be an indication that somebody is performing some sort of a man-in-the-middle attack. They are presenting you with "valid" certificates for the website that are signed by their own certificate authority which is not trusted.

    That said, there are several configuration errors that could be wrong. If you're seeing this for something on the scale of Google, be concerned. Otherwise, it may be that the website is using a misconfigured identity chain or is using one of the certificate authorities that has been marked as untrusted in the wake of a breach.

    Here's how I verified GMail:

    #Output of `openssl s_client -connect $BROKEN_SITE:443 -showcerts < /dev/null`
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/
       i:/C=US/O=Google Inc/CN=Google Internet Authority
    -----END CERTIFICATE-----
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    -----END CERTIFICATE-----
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority
    No client certificate CA names sent
    SSL handshake has read 2110 bytes and written 348 bytes
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
        Protocol  : TLSv1.1
        Cipher    : ECDHE-RSA-RC4-SHA
        Session-ID: 72257B54ADC216B87F6CDBC74BD6C66EDFB79CDF5BAC478DBE74885759CA7564
        Master-Key: EACF7DDE1B6AF2BD1F274DD9009C718812B8F45B4CDE348CDA2B488C94070B6ABED087B11DF7B74A6EF9A2D6E157F089
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        0000 - c2 4f ef 02 39 eb 74 ec-60 c1 97 ee f0 de d6 5d   .O..9.t.`......]
        0010 - 8c 64 96 ad c0 ef a1 8d-49 4d df 7c 3e d7 13 39   .d......IM.|>..9
        0020 - 8c cf 1b db 4b 26 af f4-bc b7 44 95 5b 6c b3 05   ....K&....D.[l..
        0030 - 23 40 81 bf 46 e9 64 32-24 8b 49 73 82 12 14 5b   #@..F.d2$.Is...[
        0040 - 3d eb b1 75 3b 38 c7 9c-3c 21 ac 2c 2a d5 9f 71   =..u;8..<!.,*..q
        0050 - 7c 77 6b fa 44 f7 6a d3-19 10 ba cd f2 8e 7f 73   |wk.D.j........s
        0060 - ba 20 43 7f 83 db 78 6a-42 59 2a b6 bb b2 c5 c3   . C...xjBY*.....
        0070 - f3 71 ee 26 48 82 39 36-9f 96 b1 7e 85 a8 3f 39   .q.&H.96...~..?9
        0080 - 39 82 0e b3 18 cd 45 51-7a 19 ee 56 f8 dd 2d 3c   9.....EQz..V..-<
        0090 - 20 49 b7 69                                        I.i
        Start Time: 1360703474
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)

    You'll notice at the bottom it said "Verify return code: 20 (unable to get local issuer certificate)". That's because the certificate chain expects the client to maintain its own copy of trusted root keys. You can see the list of keys that are included with Firefox at

    There's a whole mess of things going on, but basically Equifax is GeoTrust, so I downloaded that key. You can see the important parts of that in two places:

     1 s:/C=US/O=Google Inc/CN=Google Internet Authority
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

    and from going a step further and running `openssl x509 -text` on that certificate to get the signing key id from that second certificate block:

    X509v3 Authority Key Identifier: keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

    So what we need is a copy of the root certificate with the key, and that's one of some kind of trust. ended up being the bundle I chose because exporting from various operating system points is a nuisance at the least.

    Running `openssl s_client -connect $BROKEN_SITE:443 -showcerts -CAfile cacert.pem < /dev/null` now gives me a favorable return code:

    Start Time: 1360706261
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

    You can also try manually finding that key on your system and exporting it for SSL to verify.
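An added example, not code from either answer above, that automates the reading the answer just walked through: it pulls the numbered `s:`/`i:` chain entries and the `Verify return code` line out of `openssl s_client -showcerts` output, checks that each issuer name actually matches the next subject, and maps the result onto the causes both answers list (clock skew, a chain the server sends incomplete, a root that is merely not loaded versus one your store has never heard of). The transcript, the names in it and the `TRUSTED_ROOTS` set are constructed stand-ins; a real run would feed in the actual output and the root subject names from a bundle such as cacert.pem.

```python
"""Triage a failing chain from `openssl s_client -connect host:443 -showcerts`.

Added example, not code from the original answers. It reads only the lines the
answers point at: the numbered `s:`/`i:` chain entries and the final
`Verify return code` line.
"""
import re

# Constructed sample transcript with certificate bodies cut out. The names are
# placeholders, not the real chain from the answer above.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:/C=US/O=Example Site/CN=www.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=Example Site/CN=www.example.com
issuer=/C=US/O=Example CA/CN=Example Intermediate CA
    Start Time: 1360703474
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed stand-in for the subject names of the roots in a local bundle
# (what you would collect from a file such as cacert.pem).
TRUSTED_ROOTS = {"/C=US/O=Example CA/CN=Example Root CA"}

# The X509_V_ERR_* codes s_client prints in the situations the thread covers.
VERIFY_CODES = {
    0: "ok",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

CHAIN_RE = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*?)\)")


def parse_s_client(text):
    """Return ([(subject, issuer), ...] in depth order, verify_code)."""
    chain = [(s.strip(), i.strip()) for s, i in CHAIN_RE.findall(text)]
    match = VERIFY_RE.search(text)
    if match is None:
        raise ValueError("transcript has no 'Verify return code' line")
    return chain, int(match.group(1))


def chain_links(chain):
    """True when every certificate's issuer is the subject of the next one."""
    return all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))


def diagnose(chain, code, trusted_roots):
    """Map the s_client result onto the causes the thread discusses.

    Returns (category, explanation). Categories: ok, no-chain, broken-chain,
    clock, self-signed, root-not-loaded, untrusted-root, other.
    """
    label = VERIFY_CODES.get(code, "verify error %d" % code)
    if code == 0:
        return "ok", label
    if not chain:
        return "no-chain", label + ": server sent no certificates"
    if not chain_links(chain):
        return "broken-chain", label + ": issuer/subject names do not link, the server is sending a misconfigured chain"
    top_issuer = chain[-1][1]
    if code in (9, 10):
        # A wrong local clock produces exactly this; rule it out first.
        return "clock", label + ": compare the local clock with a reliable time source before blaming the site"
    if code in (18, 19):
        return "self-signed", label + ": '%s' signs itself; typical of a captive portal or an internal proxy whose CA is not installed" % top_issuer
    if code in (20, 21):
        if top_issuer in trusted_roots:
            # The bundle knows the root, so s_client simply was not pointed at it.
            return "root-not-loaded", label + ": '%s' is in your bundle; re-run with -CAfile <bundle>" % top_issuer
        return "untrusted-root", label + ": '%s' is not in your store; update root certificates, and if the name is not a CA you know, treat the connection as untrusted" % top_issuer
    return "other", label


if __name__ == "__main__":
    chain, code = parse_s_client(SAMPLE_OUTPUT)
    for depth, (subject, issuer) in enumerate(chain):
        print("%d s:%s\n  i:%s" % (depth, subject, issuer))
    # Same transcript judged against an empty store and against one holding the root.
    print(diagnose(chain, code, set()))
    print(diagnose(chain, code, TRUSTED_ROOTS))
```

Run it against a saved transcript by replacing `SAMPLE_OUTPUT` with the file's contents; the two `diagnose` calls at the bottom show the distinction the answer's `-CAfile cacert.pem` run made, namely code 20 with a root your bundle knows (just not loaded) versus code 20 with an issuer your store has never seen.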

    Please walk me through the independently/manual verification.

    Thank You!!! I'm so glad I found this website. I will let you know how it turns out. Man in the Middle;/ grrr....cowards and trouble makers....

    Hello, I have time to pay attention to this problem today. I went to the website, iheart, where I had this problem, but there was no security alert. If there was a problem once, wouldn't that be considered an ongoing security issue popping up with this code every time, or is there only a problem when the MIM is present?

    This is my exact problem: I am afraid there is someone manipulating my iheart music. I had a problem with a man on Pandora impersonating a friend with the same name. I'm afraid he's found me on iheart. I made the mistake of sharing songs with someone using the wrong email address for months. For example, Steven Smith vs. Steve Smith with the same carrier. This imposter never told me I was sending it to the wrong person for months. It was really devastating. I felt emotionally raped. How do I protect myself from this imposter? I am scared of the access he has to my computer/web browsing.

    Okay, so I logged onto iheart looking for the security lock that the other person suggested. There is no security icon. Also, I am not getting the security alert with this log on. As I said, if this site was a security risk once, wouldn't it continue to be a risk? Will the security risk code only come up when there is a MIM?

    I just checked out iheart. It is not an encrypted site and can be seen by others.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM