Closed Bug 1452411 Opened 6 years ago Closed 6 years ago

Allow bypassing warning about self-signed certificate on https localhost

Categories

(Core :: Security: PSM, defect)

61 Branch
defect
Not set
normal

Tracking

RESOLVED WORKSFORME

People

(Reporter: ml1900, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180407100152

Steps to reproduce:

Develop a website in ASP.NET Core with HTTPS, hosted with IIS


Actual results:

Unsecured connection which is not skippable, since the certificate is self-signed
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT


Expected results:

Be able to ignore the message, since it's self-hosted

Not sure why exactly we removed the possibility to add an exception for self-signed EE certs.

Anyway, the correct approach is:
- create your own self-signed CA
- create an EE (end entity) cert request with "CN=localhost" or whatever domain name you want
- let that EE cert request sign with your CA created in the first step -> you get your server EE cert
- add that CA as trusted for web site identification to Firefox
- use the EE cert on your localhost server

Then there is no need to add exceptions at all.  You can use OpenSSL or NSS tools.
Component: Networking: HTTP → Security: PSM
Summary: https localhost → Allow bypassing warning about self-signed certificate on https localhost
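
The five steps listed in the comment above, carried out with OpenSSL. This is an added example, not part of the original bug comments; the file names, CA subject, key size and validity periods are assumptions. The EE cert gets an explicit subjectAltName, key usage and serverAuth extended key usage rather than relying on the CN alone.

```shell
#!/bin/sh
# Added example: private CA plus a CA-signed server (EE) cert for local HTTPS.
# File names, the CA subject and the lifetimes below are assumptions.
make_local_ca_and_cert() {
  dir=$1; host=${2:-localhost}
  mkdir -p "$dir" || return 1
  # One config holds the extension sets for both certs; -subj overrides [dn].
  cat > "$dir/dev.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ee]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # Step 1: self-signed CA certificate and key.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/dev.cnf" -extensions v3_ca -subj "/CN=Local Dev CA (example)" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
  # Step 2: EE key and certificate request for the host name.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/dev.cnf" -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
  # Step 3: sign the request with the CA, applying the EE extensions.
  openssl x509 -req -in "$dir/server.csr" -sha256 -days 90 \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/dev.cnf" -extensions v3_ee \
    -out "$dir/server.pem" 2>/dev/null || return 1
  chmod 600 "$dir/ca.key" "$dir/server.key"
}

# Confirms the chain, the server-auth purpose and the host name in the SAN.
check_server_cert() {
  dir=$1; host=${2:-localhost}
  openssl verify -CAfile "$dir/ca.pem" -purpose sslserver \
    "$dir/server.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.pem" -noout -text | grep -q "DNS:$host" || return 1
  openssl x509 -in "$dir/server.pem" -noout -text | grep -q "TLS Web Server Authentication"
}
```

Steps 4 and 5 are manual: import ca.pem under Authorities in the Firefox certificate manager with trust for identifying websites, and configure the local server with server.pem and server.key. Anything signed with ca.key will be trusted by that Firefox profile, so keep the key private to the development machine.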
I know that there are ways around. But I want to be the person in charge that decides which sites I want to see and not my browser, so tbh: I'd rather use a different browser for developing than having to deal with certificate issues while testing on localhost.
Something like a simple config option for skipping this message on localhost would be nice.
Flags: needinfo?(dkeeler)
This functionality wasn't removed. A new error code was added, but it doesn't look like that's the issue here, as I just tested this and overrides do work for certificates that result in this error code.

ml1900 - can you take a screenshot of what you see when you visit the page that results in the error and click "advanced" and post it here? Thanks!
Flags: needinfo?(dkeeler) → needinfo?(ml1900)
The result looks like this https://i.imgur.com/MFNPDdU.png
This image was made with the build from 2018-04-09.
However, I was not able to reproduce this error message with today's build (2018-04-09)
Flags: needinfo?(ml1900)
Thanks! What that tells me is that at some point your profile visited an https :// localhost URI that had a certificate that chained up to a (presumably imported) trusted root, and that also set an HSTS header ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security ). This means that you now can't visit https :// localhost URIs and add a certificate exception. The easiest way to reset this is to use "clear recent history" (in the history menu) and clear "site preferences" (I think - I could be mis-remembering). You can also close Firefox, open the file "SiteSecurityServiceState.txt" in your profile directory, remove the line with "localhost" in it, save the file, and restart Firefox. Let me know if this fixes it for you.
Flags: needinfo?(ml1900)
I can't reproduce that problem with the same (unchanged) website anymore, so I assume either updating Firefox or clearing cache solved this problem.
Flags: needinfo?(ml1900)
Great - thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME

I am having this problem with Firefox 68.0.2 - clearing data ("Cookies and Site Data" + "Cached Web Content") and refreshing gave the option to add exception again.

(In reply to Honza Bambas (:mayhemer) from comment #1)

Not sure why exactly we removed the possibility to add an exception for
self-signed EE certs.

Anyway, the correct approach is:

  • create your own self-signed CA
  • create an EE (end entity) cert request with "CN=localhost" or whatever
    domain name you want
  • let that EE cert request sign with your CA created in the first step ->
    you get your server EE cert
  • add that CA as trusted for web site identification to Firefox
  • use the EE cert on your localhost server

Then there is no need to add exceptions at all. You can use OpenSSL or NSS
tools.

I still have the issue (Firefox 81), I created my certificates using dotnet dev-certs https and I just keep having SEC_ERROR_INADEQUATE_KEY_USAGE error and not even the possibility to create an exception. As a developer, this is incredibly frustrating, especially since it is yet another example where Chrome works it out out-of-the-box...

Anyway, I am not an expert in certificate generation, how do I do the steps described above? Or maybe, is there another more modern procedure since Firefox 68?

Thanks

Oh damn, I am so sorry... I fired the gun too soon on Firefox :S
Turns out the problem was me.

The dotnet command line above is not enough, there was a flag missing. The correct command line is dotnet dev-certs https --trust.

On Windows, this command will pop up a window to accept the self-signed certificates. Once accepted, you will be able to access the local web servers started through dotnet.

Flags: needinfo?(romain.failliot)