That’s interesting—the error code MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE could be a sign of a TLS MITM attack. If possible, I would like you to get a copy of (1) the certificate chain and (2) an HTTP response from the server.
Use this command to get the certificate chain:
openssl s_client -connect download.mozilla.org:443 -showcerts
This is the certificate chain that I see:
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Mozilla Corporation, CN = download.mozilla.org
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Mozilla Corporation, CN = download.mozilla.org
i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
MIIHDDCCBfSgAwIBAgIQBwgJoGf7v/qUtwhgkhOdGjANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjAzMDIwMDAwMDBa
Fw0yMzAzMDkyMzU5NTlaMHcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
bmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQKExNNb3ppbGxhIENv
cnBvcmF0aW9uMR0wGwYDVQQDExRkb3dubG9hZC5tb3ppbGxhLm9yZzCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBALLo0TUmq39gBb2sYlImkTqqoKv1As8N
xDnK6VlOUteDjmfmBXiubu6zyVuBArYAwDqI5U7sl2Sm3XnG23WX6RQAA+U02zWV
JT6KDvkGFzCW7+iBzeSb0J9K/miWcjNX13HpWFSfRqfrkbwTbXa4vg8GHTA5sZCV
c/ZIY38mBSbGYQWYMccWjxAgS1gHmDXwkQgtJxU7VX0DWZE/S28YvEwz82KGLKEw
P7JFKzQ1IZJxbrPmCKSQWjHq7DxT20GtdopcMoocecB4GlrM5GfGU5IOZa+53sus
wWWO04FcgEj6bGTLPXCKfbbWFUXLFY4R8oPRBBZ/fVh6OU0ejSRfDUMCAwEAAaOC
A7owggO2MB8GA1UdIwQYMBaAFLdrouqoqoSMeeq02g+YssWVdrn0MB0GA1UdDgQW
BBSxxM8dHE/tEwunIoCJFWPTaWlF0DBlBgNVHREEXjBcghRkb3dubG9hZC5tb3pp
bGxhLm9yZ4IfYm91bmNlci1ib3VuY2VyLnByb2QubW96YXdzLm5ldIIjYm91bmNl
ci1ib3VuY2VyLWVsYi5wcm9kLm1vemF3cy5uZXQwDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBjwYDVR0fBIGHMIGEMECgPqA8
hjpodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYy
MDIwQ0ExLTQuY3JsMECgPqA8hjpodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGln
aUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTQuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EM
AQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzB/
BggrBgEFBQcBAQRzMHEwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
LmNvbTBJBggrBgEFBQcwAoY9aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0Rp
Z2lDZXJ0VExTUlNBU0hBMjU2MjAyMENBMS0xLmNydDAJBgNVHRMEAjAAMIIBfgYK
KwYBBAHWeQIEAgSCAW4EggFqAWgAdQCt9776fP8QyIudPZwePhhqtGcpXc+xDCTK
hYY069yCigAAAX9MEnxFAAAEAwBGMEQCIFjaj2gv/GodM2PixH/7xCDFqWGvQGe7
QodqAF3sdpifAiB35R53zPr6oKh0W13rza2Llck6uqOjzAfM0NuLfnxnDgB2ADXP
GRu/sWxXvw+tTG1Cy7u2JyAmUeo/4SrvqAPDO9ZMAAABf0wSfCAAAAQDAEcwRQIh
ALQul2lytE9SeXkRQ98FqzzW+MuQrdNdxALQdPcnqoSRAiADPxR2UTfd1If+vDDe
RtyQ6DOinLQdWCB1ecx71B2G0QB3ALNzdwfhhFD4Y4bWBancEQlKeS2xZwwLh9zw
Aw55NqWaAAABf0wSfDoAAAQDAEgwRgIhAOHrJ+ANDMLhyqodTwrAGp72hqzz+jIo
Ctz6hQt5K2ZLAiEAuCuJlhXKHXnkFgRXnQR7o5LEffrGUWLeyd5AeOMxfOAwDQYJ
KoZIhvcNAQELBQADggEBAKtRBmkN3rhbAQv2b8E841Em4jbFMzdUf1+euxwTfH1B
x9qTTm9D8UlSUcCW8DQYjUzsQc0fVJBGzmLroI+HTiOA67QAHBBTiG7tUg7F5PlH
bpvFEx/YinKFEHaM0mVpCcMSPipTfAzKOdLJXuDVjWQF9aNE8VKzEYyRUrvU/cT6
UAWkCEJBpHqnDAxHJfxEr0lebEeL8Ap+pHkA8o6prTX/MazfuVL3AgZVp9CWUzjL
ASR8RwbURxIoYpVvlGMqCSKHB3dKP+seR+9FVhSMLK6pSSM0mV84PKHaUV9rIUdV
DBqqW/kmHnZ/ywWM90I/7hRLof40QwwFfxTaKEaj7q4=
-----END CERTIFICATE-----
1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS
U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a
qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn
g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW
raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB
Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r
eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB
/wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAU
A95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG
GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh
Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNV
HR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH
bG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEB
MAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IB
AQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3z
ax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7h
qG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbC
EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6
ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E
A7sKPPcw7+uvTPyLNhBzPvOk
-----END CERTIFICATE-----
Use this command to ignore the certificate error and download a URL from the server:
curl -i -o test.output --insecure 'https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US'
For me, the curl command returns a redirect:
HTTP/1.1 302 Found
Cache-Control: max-age=60
Content-Type: text/html; charset=utf-8
Date: Tue, 10 Jan 2023 22:12:24 GMT
Location: https://download-installer.cdn.mozilla.net/pub/firefox/releases/108.0.2/linux-x86_64/en-US/firefox-108.0.2.tar.bz2
Content-Length: 137
Connection: keep-alive
<a href="https://download-installer.cdn.mozilla.net/pub/firefox/releases/108.0.2/linux-x86_64/en-US/firefox-108.0.2.tar.bz2">Found</a>.
Speaking of which, do you also get a certificate error when accessing https://download-installer.cdn.mozilla.net/ ?