By TLS Radar Team

Fix "Warning: Potential Security Risk Ahead" in Firefox

Firefox shows "Warning: Potential Security Risk Ahead" with a triangle icon when it can't establish a trusted connection to a site. This guide covers what the warning means, the most common error codes underneath it, and how to fix it - whether you're a visitor or the site owner.

What Firefox is checking

Before showing you a website over HTTPS, Firefox verifies the SSL certificate the server presents. Three checks must all pass:

  • The certificate is still valid - the current time is between the certificate's notBefore and notAfter dates.
  • The certificate covers the hostname - the domain you're visiting is listed in the certificate's Subject Alternative Names.
  • The certificate's issuer is trusted - the certificate chains up to a CA in Firefox's trust store (Mozilla maintains its own, separate from operating-system stores).

When any check fails, you see the "Potential Security Risk" warning. The specific error code (visible by clicking "Advanced") tells you which check failed.

The error codes you'll see

  • SEC_ERROR_EXPIRED_CERTIFICATE - the certificate has expired.
  • SSL_ERROR_BAD_CERT_DOMAIN - the certificate doesn't match the hostname.
  • SEC_ERROR_UNKNOWN_ISSUER - the certificate's issuer isn't in Firefox's trust store. Often a self-signed certificate or an internal CA.
  • SEC_ERROR_CA_CERT_INVALID - the chain of trust is broken because a certificate in the chain is invalid.
  • MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT - explicitly a self-signed certificate.
  • SSL_ERROR_NO_CYPHER_OVERLAP - server doesn't support any cipher Firefox is willing to use.
  • SEC_ERROR_REVOKED_CERTIFICATE - the certificate has been revoked.

If you're a visitor seeing this warning

The default action is to leave the site. The warning exists because Firefox can't verify the connection is secure - entering passwords or payment information is risky.

Reasonable exceptions:

  • The site is yours. Use the site-owner fixes below.
  • The site is an internal tool with a known internal-CA certificate. Your IT team can add the CA to Firefox's trust store; don't click through ad hoc.
  • Your system clock is wrong. A wrong clock makes valid certificates look expired. Check and correct your system time.

If you own the site and need to fix it

For SEC_ERROR_EXPIRED_CERTIFICATE

The certificate has expired. Issue a new one as fast as possible - a free Let's Encrypt certificate via Beacon is the quickest path:

Need a working certificate right now?

Beacon issues free 90-day Let's Encrypt certificates with a guided DNS-validation flow. No account, no command-line tools, no ACME client to install - just a domain you control. Most people get a working certificate in under 10 minutes.


For SSL_ERROR_BAD_CERT_DOMAIN

Your certificate doesn't cover the hostname visitors are using. Either:

  • Issue a new certificate that includes the affected hostname on its SAN list.
  • Configure your server's SNI to map the right hostname to the right certificate.
  • Check for wildcard-depth issues - *.example.com doesn't cover api.eu.example.com.
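
The validity-window and hostname checks from "What Firefox is checking", including the wildcard-depth rule above, as an added example (not TLS Radar's or Firefox's code). It works on a constructed certificate in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the NOT_YET_VALID label is this example's own, and issuer trust is not checked here.

```python
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the hostnames and dates are made up for this example.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry; a wildcard stands for exactly one left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # *.example.com never spans two labels (api.eu.example.com)
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def diagnose(cert: dict, hostname: str, now: float) -> list:
    """Return the codes from this page that the validity and hostname checks raise."""
    findings = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("SEC_ERROR_EXPIRED_CERTIFICATE")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("NOT_YET_VALID")  # this example's own label, not a Firefox code
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(name, hostname) for name in dns_names):
        findings.append("SSL_ERROR_BAD_CERT_DOMAIN")
    return findings


if __name__ == "__main__":
    in_window = ssl.cert_time_to_seconds("Feb  1 00:00:00 2025 GMT")
    after_expiry = ssl.cert_time_to_seconds("May  1 00:00:00 2025 GMT")
    for host, when in [("www.example.com", in_window),
                       ("api.eu.example.com", in_window),
                       ("example.com", after_expiry)]:
        print(host, diagnose(SAMPLE_CERT, host, when) or "ok")
```

Passing the current time in explicitly also shows the visitor-side clock problem: the same certificate is reported as expired when the supplied time is past notAfter.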

For SEC_ERROR_UNKNOWN_ISSUER

Firefox doesn't trust the issuer. Usually a self-signed certificate, an internal CA, or (rarely) a previously-trusted CA that Mozilla has since distrusted. The fix is to use a publicly-trusted CA like Let's Encrypt, DigiCert, or Sectigo.

For SEC_ERROR_CA_CERT_INVALID (broken chain)

Your server isn't sending the full intermediate certificate chain. The fix is to install fullchain.pem (leaf + intermediates) rather than just cert.pem (leaf only). All major CAs provide intermediate certificates alongside the leaf - check their documentation if you're not sure where they live.

For SSL_ERROR_NO_CYPHER_OVERLAP

Your server's TLS configuration is too restrictive. Update to support TLS 1.2 minimum (1.3 preferred) and modern cipher suites. Mozilla's own SSL Configuration Generator produces ready-to-paste configs for nginx, Apache, HAProxy, and other web servers.

Note: Firefox uses Mozilla's own trust store

Unlike Chrome (which uses the OS trust store on most platforms) or Safari (which uses macOS's trust store), Firefox maintains its own CA trust store independent of the operating system. This means a certificate can be accepted by your OS but rejected by Firefox, or vice versa. Test in both if you support a broad audience.

Prevent the next warning

Stop this from happening again

TLS Radar continuously monitors every certificate across your domains and alerts you weeks before anything expires, and also catches the silent failure modes (chain breaks, weak ciphers, hostname mismatches) that expiry-only monitoring misses. Built for solo developers monitoring a handful of sites and for enterprise teams managing thousands of certificates across multiple environments.
