Bug 1475348 (Closed) - Opened 6 years ago, Closed 6 years ago

Getting MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT on development website in localhost

Categories: Core :: Security: PSM (defect)
Version: 61 Branch
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED INCOMPLETE
People: Reporter: dtien78; Unassigned; NeedInfo

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce:

Developing a site that has HSTS enabled, working locally; this works with Chrome and Safari. But Firefox spits back a "Your Connection is not secure" error, with this error code specifically: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

This works in production, so it's something specific to the development environment setup. Again, it works in this development environment with Chrome and Safari, and previously with FF as well. It started failing in the more recent versions of FF (past 6 months?).

I've tried:
- clearing all history, and deleting any HSTS in the SiteSecurity file under profiles as referenced here: https://bugzilla.mozilla.org/show_bug.cgi?id=1452411
- uploaded my own certificate to the MacOS keychain, and set enterprise_roots.enabled to true as referenced here: https://support.mozilla.org/en-US/questions/1175296
- imported my own certificate to Firefox as referenced here: https://support.mozilla.org/en-US/questions/1068675


Actual results:

Trying to access site: https://www.mywebsite.com:1234/

results in the "Your Connection is not secure" page with the MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT error. 


Expected results:

I expect to be able to access my page since I have a proper self-signed certificate that works for both Chrome and Safari.
(In reply to David from comment #0)
> -  uploaded my own certificate to the MacOS keychain, and set
> enterprise_roots.enabled to true as referenced here: 
> https://support.mozilla.org/en-US/questions/1175296

The enterprise roots feature hasn't been implemented for OS X (see bug 1300420), so this won't work as expected on that platform.

> -  imported my own certificate to Firefox as referenced here: 
> https://support.mozilla.org/en-US/questions/1068675

Which certificate did you import? (That is, make sure you imported and trusted the certificate that *issued* the server's certificate, not the server's certificate itself.)
Component: Security → Security: PSM
Flags: needinfo?(dtien78)
(In reply to [:keeler] (use needinfo) from comment #1)
> (In reply to David from comment #0)
> > -  uploaded my own certificate to the MacOS keychain, and set
> > enterprise_roots.enabled to true as referenced here: 
> > https://support.mozilla.org/en-US/questions/1175296
> 
> The enterprise roots feature hasn't been implemented for OS X (see bug
> 1300420), so this won't work as expected on that platform.
> 
> > -  imported my own certificate to Firefox as referenced here: 
> > https://support.mozilla.org/en-US/questions/1068675
> 
> Which certificate did you import? (That is, make sure you imported and
> trusted the certificate that *issued* the server's certificate, not the
> server's certificate itself.)

Hi, thanks for the info that enterprise_roots isn't implemented on MacOS. That wasn't clear from the earlier bug link.

As for the certificate, I recreated the .pk12 using the cert and private key of the server, as shown here:  https://stackoverflow.com/questions/22327160/openssl-enter-export-password-to-generate-a-p12-certificate

The only way around this for me so far is to downgrade to a version of Firefox that allowed me to "Add Exception" for my site. This isn't ideal of course, but there doesn't appear to be any workaround otherwise and no way to work in my development environment. This report also references a similar issue: https://support.mozilla.org/en-US/questions/1206414
Flags: needinfo?(dtien78)
The certificate in the .pk12 file is not the one you want to import into Firefox. You need to import the certificate that *issued* that certificate. It looks like that certificate may be self-signed, in which case there is no other certificate that issued it. This won't work in Firefox.

What might work is if you open 'Keychain Access' and create a certificate authority via the menu 'Keychain Access' -> 'Certificate Assistant' -> 'Create a Certificate Authority...'

You'll want to name your CA and make sure you choose 'SSL Server' for the 'User Certificate' item. (You'll also have to enter an email for the CA at the bottom - I'm not sure its value matters.)

After clicking 'Create', close the result window and again go to 'Keychain Access' -> 'Certificate Assistant' and then 'Create a Certificate...' this time.

Name the certificate (this will be your server's certificate), choose 'Leaf' for 'Identity Type', and choose 'SSL Server' for 'Certificate Type'. Check the 'Let me override defaults' box. Click 'Create'.

Click 'Continue' until you get to a screen that asks you to choose which certificate authority to use. Select the certificate authority that you created before, and click 'Create'.

Click 'Continue' until you come to the 'Subject Alternative Name Extension' screen. In 'dNSName', write the domain name(s) you wish to use (separate with spaces if there are more than one). I would clear the iPAddress field if it isn't blank.

Click 'Continue' and then 'Create'.

After all that, you should have a root certificate authority and an end-entity certificate in your keychain. Use the end-entity certificate and key in your server and import the certificate authority into Firefox.

Let me know if that works for you.
Flags: needinfo?(dtien78)
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
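Comment #1 (import and trust the certificate that issued the server's certificate, not the server certificate itself) and comment #3 (create a private CA, issue an SSL-server leaf with a dNSName SAN, use the leaf on the server and import the CA into Firefox) describe one setup. The script below is an added example, not code from the bug report or from Mozilla: it builds the same objects with the openssl command line instead of Keychain Access and then runs the chain checks that explain why the reporter's self-signed leaf is rejected while a CA-issued leaf passes. Everything in it is assumed for the demo: openssl 1.1.1 or later on PATH, the hostname dev.example.test, the file names and the CA name are all made up.

```shell
#!/bin/sh
# Added example, not from the bug report: the local PKI that comment #3 builds
# in Keychain Access, done with the openssl CLI, plus the checks that show why
# the reporter's self-signed leaf fails and a CA-issued leaf passes.
# Assumed: openssl 1.1.1 or later on PATH; directory and host names are made up.
set -eu

# make_dev_pki DIR HOST: writes into DIR
#   ca.key/ca.pem                  private root CA (self-signed, CA:TRUE) -> import this into Firefox
#   server.key/server.pem          leaf for HOST issued by the CA        -> use this in the server
#   selfsigned.key/selfsigned.pem  leaf that signs itself (the reporter's setup)
make_dev_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"

    # CA profile: prompt=no keeps openssl non-interactive; CA:TRUE makes it a usable anchor.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Local Dev CA (constructed example)
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Leaf profile: the SAN dNSName is what the browser matches the URL host against.
    cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
CN = $host
[v3_server]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

    # 1. Root CA (self-signed on purpose: that is what a trust anchor is).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. Leaf: CSR signed by the CA, with the v3_server extensions attached.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.cnf" -extensions v3_server \
        -out "$dir/server.pem" 2>/dev/null
    # 3. Contrast case: the same leaf profile signing itself. There is no issuer
    #    certificate that could be imported, which is comment #3's point.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$dir/server.cnf" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" 2>/dev/null
}

# verify_against DIR ANCHOR LEAF: succeeds iff LEAF chains to ANCHOR as the only
# trusted root, which is what the browser checks after you import ANCHOR.
verify_against() { openssl verify -CAfile "$1/$2" "$1/$3" >/dev/null 2>&1; }

# Trust the CA, validate the CA-issued leaf: passes.
verify_chain()              { verify_against "$1" ca.pem     server.pem; }
# Trust the CA, validate the self-signed leaf: fails (nothing links the two).
verify_selfsigned_with_ca() { verify_against "$1" ca.pem     selfsigned.pem; }
# Comment #1's caveat: trusting the server cert instead of its issuer still
# leaves no self-signed anchor at the top of the chain, so it also fails.
verify_leaf_as_anchor()     { verify_against "$1" server.pem server.pem; }

# san_of DIR FILE: print the SAN entry (e.g. "DNS:dev.example.test") for inspection.
san_of() {
    openssl x509 -in "$1/$2" -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# Demo when run as: sh dev_pki.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_dev_pki "$d" dev.example.test
    echo "SAN of server.pem: $(san_of "$d" server.pem)"
    verify_chain "$d"              && echo "CA-issued leaf with CA trusted:   OK"
    verify_selfsigned_with_ca "$d" || echo "self-signed leaf with CA trusted: FAIL (expected)"
    verify_leaf_as_anchor "$d"     || echo "leaf used as its own anchor:      FAIL (expected)"
    rm -rf "$d"
fi
```

`openssl verify -CAfile ca.pem server.pem` is the command-line counterpart of what Firefox does once ca.pem is imported as an authority: the chain ends in a self-signed certificate that is explicitly trusted, so the leaf validates. The self-signed leaf fails the same check because the only certificate above it is itself, which is exactly the condition MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT reports, and trusting server.pem instead of ca.pem fails because the chain still has no self-signed root at its top. Keep ca.key off the server; only ca.pem needs to leave the machine that issues certificates.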