26

On my local Apache environment I have a site that requires SSL for development, so I have been using a self-signed certificate. The local site has worked fine in Firefox and Chrome until now, but after updating Firefox to version 59 today I can't get it to accept the security exception (on Chrome the self-signed certificate continues to work).

Firefox gives me this additional info in the blocked page:

... uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: SEC_ERROR_UNKNOWN_ISSUER

There is no option to allow the exception here as there used to be, but I went to the Firefox Preferences under Certificates, then in the "Server" tab I've added an exception for the local domain. The certificate is then listed in the correct local server name, details show my certificate settings of Issued by and Issued to being the same, with a valid timespan.

Anybody experiencing similar problems with FF 59 or might have a clue what to try to get the self signed certificate working again locally?


Edit: I don't see any mention of this in the FF 59 release notes but something in the new version causes all my local virtual hosts on *.dev domains to automatically try to establish a https connection (that is to say, all http requests for *.dev get automatically sent to the https URL). Maybe something about this behavior is also what is causing these problems for my actual https virtual hosts.

kontur
  • 540

5 Answers

20

There is an easy way around this.

  1. Go to about:config
  2. Search for "network.stricttransportsecurity.preloadlist".
  3. Set it to false.

WARNING: This will disable HSTS entirely. Take a look at the comments on this answer for some discussion about the downsides of this method. I personally think the benefit outweighs the risk, but you are responsible for your own security.


Edit 2020: We've now had a .dev TLD for multiple years. It's time to move away from using .dev as a local URL. This workaround still works, but you are robbing yourself of increased security.

Kelderic
  • 343
16

I still am not entirely clear on how this all fits together exactly, but as pointed out in this answer .dev domains are now official TLDs. As such, it seems that browsers force some kind of HSTS behavior and force https connections. For those TLDs it seems my self-signed certificate no longer was accepted in Firefox. Changing my virtual hosts to use .test solved the problem without having to change anything in my self-signed certificates at all.

It is worth noting that in Firefox also my non-SSL virtual hosts acted up since version 59 today, because the HSTS behavior seemed to force SSL on virtual hosts I had not set up as serving via SSL. On Chrome this still used to work, but either way it's safe to say moving away from the now officially used .dev TLD will resolve many headaches.

kontur
  • 540
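The two answers above turn on the same mechanism: the browser's static HSTS preload list contains an entry for the whole `.dev` TLD with `include_subdomains`, so any `http://something.dev` request is upgraded to HTTPS before it is sent and a self-signed certificate then has no "add exception" path. The block below is an added example, not code from the thread or from Firefox: it parses a constructed excerpt modelled on the Chromium `transport_security_state_static.json` format (the entries, `PRELOAD_EXCERPT`, `host_is_preloaded` and `upgrade_url` are all assumptions made for illustration) and applies the HSTS matching rule to show why `*.dev` is forced to HTTPS while `*.test`, an RFC 2606 reserved name, is not.

```python
"""Check whether a hostname is covered by a static HSTS preload entry.

Added example for the thread above (not Firefox code). The JSON below is a
constructed excerpt in the shape of Chromium's
transport_security_state_static.json; the names and helpers are assumptions.
"""
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed excerpt: "dev" is preloaded as a whole TLD with include_subdomains,
# which is why every *.dev virtual host is upgraded to HTTPS. "test" (RFC 2606)
# is deliberately absent, as it is in the real list.
PRELOAD_EXCERPT = json.dumps({
    "entries": [
        {"name": "dev", "policy": "public-suffix", "mode": "force-https",
         "include_subdomains": True},
        {"name": "app", "policy": "public-suffix", "mode": "force-https",
         "include_subdomains": True},
        # A single-host entry without include_subdomains (constructed name).
        {"name": "hsts-only.example", "mode": "force-https",
         "include_subdomains": False},
    ]
})


def load_preload(text):
    """Parse preload JSON into {name: include_subdomains} for force-https entries."""
    table = {}
    for entry in json.loads(text)["entries"]:
        if entry.get("mode") == "force-https":
            table[entry["name"].lower()] = bool(entry.get("include_subdomains", False))
    return table


def host_is_preloaded(host, table):
    """Return the preload entry covering `host`, or None.

    HSTS matching: an exact entry always matches; an entry with
    include_subdomains also matches any host whose trailing labels equal it.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table and (i == 0 or table[candidate]):
            return candidate
    return None


def upgrade_url(url, table):
    """Mirror the browser's pre-request upgrade: http:// -> https:// for preloaded hosts."""
    parts = urlsplit(url)
    if parts.scheme == "http" and host_is_preloaded(parts.hostname or "", table):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


if __name__ == "__main__":
    table = load_preload(PRELOAD_EXCERPT)
    for u in ("http://mysite.dev/", "http://mysite.test/", "http://www.hsts-only.example/"):
        print(u, "->", upgrade_url(u, table))
```

Renaming the virtual hosts to `.test` (the second answer) sidesteps the list entirely; flipping `network.stricttransportsecurity.preloadlist` (the first answer) is equivalent to emptying `table` for every site, which is why that answer's warning applies.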
14

Setting security.enterprise_roots.enabled to true on the about:config page solved this for me and allowed my self-signed certificate to work during development.

There's a bit of discussion around the merits of this being on by default here:
Set security.enterprise_roots.enabled to true by default.

Although the intent of this flag is to allow Firefox to use the machine-wide CA root store as a valid source for certificate authorities, this fixed the situation for my own use case where I have a self-signed multi-domain certificate that I use locally for testing (subjectAltName's). Even after I added the cert to the Firefox certificate list, it wasn't until I turned this on that it allowed the local site to load.

MarianD
  • 2,726
0

Had the same problem on the Basilisk web browser. I tried to change Network Proxy settings, or to modify the "network.stricttransportsecurity.preloadlist" or "security.enterprise_roots.enabled" flags... but it did not resolve the missing button to add a certificate for the blocked website. Only this made it through:

  1. Go to about:support.
  2. Click Open Directory of your Browser profile.
  3. Close Browser completely.
  4. Edit the file "SiteSecurityServiceState.txt" in the above directory.
  5. Find and remove the entire line which contains the blocked HSTS site.
  6. Save the file, and reopen your Browser on that site.

Noam Manos
  • 2,222
-3

I went for "Let's Encrypt"

https://letsencrypt.org/

Only valid for 3 months at a time, but the refresh can be automated.

As you can see in the remarks, there is a catch. Our development and test domains are called dev-www.example.com and test-www.example.com. We use the wildcard certificate from production.