SEC_ERROR_UNKNOWN_ISSUER high
SEC_ERROR_UNKNOWN_ISSUER (Firefox: issuer not trusted)
Firefox can't build a trust path to a known root CA, usually because the server skipped its intermediate certificate.
What you see
Warning: Potential Security Risk Ahead example.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. Error code: SEC_ERROR_UNKNOWN_ISSUER
What’s actually happening
Firefox shows "Potential Security Risk Ahead" and the issuer-unknown text. A telling clue: Chrome or Safari may load the same site without complaint, because they can pull a missing intermediate from cache or AIA fetching while Firefox is stricter. The leaf cert itself is fine; the chain to a trusted root is broken.
Common causes
- Server installed only the leaf cert and omitted the intermediate(s), so Firefox can't reach a root
- Certificates concatenated in the wrong order, or the bundle points at the wrong intermediate
- A genuinely self-signed cert with no public CA behind it
- Antivirus HTTPS scanning or a corporate proxy re-signing traffic with a root Firefox doesn't know (see MITM error)
- An expired or recently cross-signed intermediate that the server never updated
How to fix it
- Inspect the chain the server actually sends. Run `openssl s_client -connect example.com:443 -showcerts`. You should see the leaf plus every intermediate up toward the root. If only one certificate comes back, the intermediate is missing. https://www.ssllabs.com/ssltest/ flags this as 'Chain issues: Incomplete'.
- Install the full chain on the server. Rebuild the cert file as leaf + intermediate(s) in that order (your CA provides the bundle). nginx wants them concatenated into the `ssl_certificate` file; Apache uses `SSLCertificateFile` with the chain appended (or `SSLCertificateChainFile` on older builds). Reload and re-test.
- Rule out local interception. If only this machine is affected, check the issuer in the cert viewer (click the padlock > Connection not secure > More information > View Certificate). An issuer named 'Avast', 'Kaspersky', 'BitDefender', or your company is AV/proxy interception, not a server fault — handle it as MOZILLA_PKIX_ERROR_MITM_DETECTED.
- Update Firefox. Older builds ship an older root store. Update to current Firefox so newly added CAs are trusted, then reload.
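The first two steps can be automated. The following is an added example, not part of the original page: it reads the "Certificate chain" section printed by `openssl s_client -showcerts` and reports a leaf-only, self-signed, or mislinked chain. The function names and the sample outputs (with made-up CA names) are constructed for illustration.

```python
import re

# Lines from the "Certificate chain" section of `openssl s_client -showcerts`
SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        m = SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def diagnose(chain):
    """Name-based check only: it compares DNs and does not verify signatures."""
    if not chain:
        return ["no certificates found in output"]
    findings = []
    leaf_subject, leaf_issuer = chain[0]
    if leaf_subject == leaf_issuer:
        findings.append("leaf is self-signed")
    elif len(chain) == 1:
        findings.append("only the leaf was sent: intermediate missing")
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            findings.append(f"cert {i} issuer is not the subject of cert {i + 1}: "
                            "wrong order or wrong intermediate")
    return findings

# Constructed sample outputs (CA names are made up, PEM bodies omitted)
LEAF_ONLY = """Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
---"""
GOOD = LEAF_ONLY.replace("---", """ 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root X1
---""")
WRONG_INTERMEDIATE = GOOD.replace("1 s:C = US, O = Example CA, CN = Example Intermediate R1",
                                  "1 s:C = US, O = Example CA, CN = Example Intermediate E9")

if __name__ == "__main__":
    for name, text in [("leaf only", LEAF_ONLY), ("good", GOOD),
                       ("wrong intermediate", WRONG_INTERMEDIATE)]:
        print(name, "->", diagnose(parse_chain(text)) or "chain names link up")
```

An empty result means the names link up in order; it does not prove the chain ends at a root Firefox trusts, so re-test in the browser after reloading the server.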
Stop it recurring
Always deploy the full intermediate chain and confirm 'Chain issues: None' on SSL Labs before going live.