
How do I tell Firefox 112 that it is fine to visit a specific site containing a self-signed certificate?

The 'I understand the risk' button is no longer available, clicking 'Advanced' again shows 'Go Back':

screenshot of Firefox' warning that website uses self-signed certificate

I can click on 'View Certificate' which gives me:

screenshot of 'View Certificate' window

but then what?

Adding the site to Settings -> Privacy & Security -> View certificates -> Servers manually, as Destroy666 suggested, did not help. I see domain names in that list that were added there in the past when I clicked 'I understand the risk'.

BTW If I click on the Mozilla error code, I get this:

screenshot of self-signed certificate warning with censored certificate

I tried to Google for it, but everything I find is about accepting my self-signed cert, not theirs.


2 Answers


In case you have a website with a valid DNS configuration and a self-signed certificate, you can add a certificate exception. This does not work on localhost, as far as I know.

What I did is add a certificate exception:

  1. Visit about:preferences#privacy in Firefox.
  2. Click "View certificates".
  3. Add your server as an exception: View certificates -> Servers -> Add exception -> https://nextcloud.wur.pm:8080 -> Get certificate.
  • You can add the domain but it won't help in case of self-signed certificates.
    – progonkpa
    Commented Jul 21, 2023 at 10:05
  • What? In my head, adding a domain means: "I trust certificates that are signed by this domain", thus it should work in the case of self-signed certificates, because I trust certificates signed by that domain? Or are certificates not based on a domain?
    – Fee
    Commented Jul 24, 2023 at 8:44
  • Apologies, my comment is incomplete. In my case, it doesn't work for self-signed certificates with the server on the local machine (docker), and with an entry for the domain in /etc/hosts. Firefox only processes self-signed certificates for the "domain" localhost. mydomain.local pointing to 127.0.0.1 will be rejected by Firefox on all accounts in my experience at the moment.
    – progonkpa
    Commented Jul 24, 2023 at 10:25
  • Ah yes, in my case I had it running on an external test server. Not really an idea how to solve for that... sorry
    – Fee
    Commented Jul 27, 2023 at 9:44
  • Adding the cert to the certificate manager this way does not work: the entry is added but the site is still blocked.
    – Jan Doggen
    Commented Sep 24, 2023 at 7:42

While you can normally trust otherwise insecure certificates, this is not possible if the website is or was sending an HSTS (HTTP Strict Transport Security) header. Keep in mind that HSTS is cached once received and sticks until it expires, which can be quite far in the future.

As per this answer on Security SE, you can find the Firefox HSTS cache in your Firefox profile in a file called SiteSecurityServiceState.txt. Before continuing, create a backup copy of the file. You then have two options: delete the file entirely, losing HSTS protection for all sites until you visit them again, or just remove the conflicting line(s). This file has Linux/Unix line breaks, so make sure to use an appropriate editor.

If you do not control the site, there is nothing you can do. Methods still exist, of course, like MITM’ing the connection using a proxy to replace the certificate and/or remove the header. However, I would not consider this an appropriate solution.

Instead, the site operator must fix their site. It’s 2023. They should be using Let’s Encrypt or a similar service. If they are unwilling to, they must not send HSTS headers.


Obsolete answer content:

You must also make sure this site of yours does not send an HSTS header. If you want to continue using HSTS, you may be better off creating a proper CA that then issues site certificates. Firefox can then trust the CA.

  • Thanks. I edited the relevant lines out of SiteSecurityServiceState.txt, no success. BTW, your last paragraph: I have no control over the site in question
    – Jan Doggen
    Commented Apr 23, 2023 at 18:46
  • Ah, I see. You are out of luck then, I'm afraid. Modern browsers won't let you bypass HSTS. Other methods (HTTPS interception proxy etc.) are way too hacky. Your best bet may be to contact the site operator. (In the first place, there is no excuse for not using Let's Encrypt or a similar service today.)
    – Daniel B
    Commented Apr 23, 2023 at 19:35
  • I think you might have misunderstood what HSTS is for. You can (and should) have HSTS and signed certificates. Apache's mod_md, for example, by default uses Let's Encrypt, and then responds to https requests with Strict-Transport-Security to tell the browser not to make http: requests to this domain. Accepting self-signed certificates should be orthogonal to this process, but appears not to be. See MDRequireHttps.
    – EML
    Commented Jun 9 at 15:51
  • @EML What might you be referring to? This question isn't about HSTS in general but about the OP wanting to access an HSTS-enabled site with an improper HTTPS setup.
    – Daniel B
    Commented Jun 9 at 18:36
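The procedure in the answer above (back up SiteSecurityServiceState.txt, remove only the line for the conflicting host, keep the Unix line endings) as a script, plus a parser for the Strict-Transport-Security header so you can see what max-age a site is actually sending (for example from the output of `curl -skI https://host`). This is an added example, not code from Daniel B's answer or from Mozilla. It assumes that each cache line starts with the host name, optionally followed by ":HSTS" (older profiles) or a "^..." partition suffix (newer profiles) before the first tab, and treats the rest of the line as opaque; the cache contents and host names in the sample are constructed.

```python
"""Prune cached HSTS entries for one host from a Firefox profile's
SiteSecurityServiceState.txt, and inspect a Strict-Transport-Security header.

Assumptions (not verified against Mozilla source): one entry per line, the
line begins with the host name, optionally followed by ":HSTS" or "^<partition>"
before the first tab. Everything after the host is written back unchanged.
"""
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# First run of characters that is not a tab, space, '^' or ':' is the host.
_HOST_RE = re.compile(r"^([^\t ^:]+)")

# Constructed sample cache: three entries, one of which uses the older
# "host:HSTS" key form. Column values are placeholders, not real timestamps.
SAMPLE_CACHE = (
    "example.org\t0\t17000\t1700000000000,1,0\n"
    "hsts.example.net:HSTS\t0\t17000\t1700000000000,1,1\n"
    "sub.hsts.example.net\t0\t17000\t1700000000000,1,0\n"
)


def entry_host(line: str) -> str | None:
    """Return the host a cache line refers to, or None for blank lines."""
    m = _HOST_RE.match(line)
    return m.group(1).lower() if m else None


def prune_hsts_entries(path: Path, host: str, include_parents: bool = False) -> list[str]:
    """Back up `path` to `<name>.bak` and drop the cache lines for `host`.

    With include_parents=True, entries for parent domains are dropped too,
    since a parent's includeSubDomains policy also covers `host`. Returns the
    removed lines. Line endings are kept as "\\n" so Firefox can still parse it.
    """
    host = host.lower().rstrip(".")
    text = path.read_bytes().decode("utf-8")
    kept: list[str] = []
    removed: list[str] = []
    for line in text.split("\n"):
        h = entry_host(line)
        hit = h is not None and (h == host or (include_parents and host.endswith("." + h)))
        (removed if hit else kept).append(line)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))  # backup first
        path.write_bytes("\n".join(kept).encode("utf-8"))
    return removed


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    max-age=0 tells the browser to forget the cached policy for that host;
    includeSubDomains extends the policy to every subdomain.
    """
    result: dict = {"max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result


def demo() -> dict:
    """Run the pruning against a temporary copy of the constructed cache."""
    with tempfile.TemporaryDirectory() as d:
        cache = Path(d) / "SiteSecurityServiceState.txt"
        cache.write_bytes(SAMPLE_CACHE.encode("utf-8"))
        removed = prune_hsts_entries(cache, "hsts.example.net")
        backup = cache.with_name(cache.name + ".bak")
        return {
            "removed": removed,
            "remaining": cache.read_bytes().decode("utf-8"),
            "backup_is_original": backup.read_bytes().decode("utf-8") == SAMPLE_CACHE,
            "hsts": parse_hsts("max-age=31536000; includeSubDomains; preload"),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against the real file only with Firefox closed, since Firefox rewrites the cache on exit and would otherwise overwrite your edit; and note that, as the comments above say, removing the cached entry does not help while the site keeps sending the header, because the next response re-creates it.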
