Firefox + HSTS + Self-signed certs + Intranet

apache-http-servercertificatefirefoxSecurityssl

I have a Windows 10 computer that operates usually without an internet connection. I have an Apache server (version 2.4) that runs on that machine (ServerName localhost), and it virtually hosts various websites (e.g., www.youtube.com – I know…humor me). There are several domains, but I'll use that one as my example.

I resolve these domains to 127.0.0.1 in the %WINDIR%\system32\drivers\etc\hosts file and I can resolve/ping them just fine.

I have defined www.youtube.com as a VirtualHost in httpd.conf and I've defined it as a domain in an SSL config file, as well. A few months ago, this all worked fine, i.e., in Firefox I was able to browse http://www.youtube.com AND https://www.youtube.com just fine. For the https version of the sites, I did have to create self-signed certificates, and install them to Firefox's cert db, but it all did work.

Well now it doesn't work anymore. I'm running Firefox version 57.0.1 (32-bit). I get this error we've all seen:

Your connection is not secure

The owner of [DOMAIN] has configured their website improperly. To
protect your information from being stolen, Firefox has not connected
to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that
Firefox may only connect to it securely. As a result, it is not
possible to add an exception for this certificate.

And when I click Advanced…

[DOMAIN] uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: SEC_ERROR_UNKNOWN_ISSUER

I have tried so many solutions…generating new certs, disabling Firefox's Query OCSP responder servers to confirm the current validity of certificates setting, clearing cache, starting Firefox with a new profile, deleting the cert8.db file, using the Windows trust store instead, trying to fudge with about:config and changing security.* settings, etc. but nothing has worked.

I know it is insecure what I want..but not really, b/c this computer does NOT connect to the internet, I just want to connect to my "fake" domains that my own Apache server is hosting locally.

Is this truly impossible?

FWIW, I've tried Chrome, and it doesn't work either, but I'd rather stick w/Firefox anyway.

Best Answer

I don't think this will ever be feasible with a modern version of the Firefox browser.

However, using an older version of FirefoxPortable (51.0.1) I am able to serve up secure sites using self-signed certificates. As this is a stand-alone computer (no internet connection), I am not concerned about the security implications and am satisfied with the solution. Thanks all for the input.

Related Solutions

Firefox – How to make Firefox ignore all SSL certification errors

Firefox has no such setting.

That's a terribly terse answer, but I'm afraid it's all there is. Firefox usually errs on the side of not letting you view a site at all in case of some problems rather than letting you override it even if you want to.

That said, if you're getting cert warnings for everything on a private network, it's almost certain that the local IT group is running an SSL interception proxy. You're not going to get to the internet without accepting their certificate, so here's how you do that:

Open up the certificate properties for one of the pages you get an error on (after adding the exception in Firefox) by clicking the lock in the address bar, the right arrow, and then "more information".
In the Security tab, click on View Certificate, and then the Details tab on the new window.
Under Certificate Hierarchy, examine the name of the topmost certificate. It's probably going to be from a security vendor of some kind like Symantec or Barracuda.
Click on it, and then go to Export at the bottom.
Save the file somewhere accessible
Close the security and certificate windows, and open your Firefox settings (top right hamburger menu, Options)
Click Advanced on the bottom left, and then click View Certificates
Click the Authorities tab, and then Import
Locate the file you just saved
Accept the warning.

It is very important you don't get into a habit of doing this procedure, and only to do it when you know with COMPLETE certainty that the certificate is legitimate. I cannot emphasize this enough - call the IT people and have them verify the name on the certificate if you're even slightly unsure, since now you've just told Firefox to accept any and all certificates that the CA you just imported signed. You will receive no more warnings of that sort for this cert. If you import a malicious certificate, you've just shot yourself in the foot.

Ubuntu – ‘Not a Certification Authority’ while importing self-signed certificate

Just to make sure we're covering our bases... Have you tried the processes outlined here? https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate

That used to work for me, but as of this morning, after updating to Chrome 58.0.3029.81, I also get the following error in the console for a self-signed cert that used to work on Ubuntu 16.04:

Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

EDIT:

I've just had success with one of the methods from the link I referenced above. It completely goes around Chrome because it seems like something has changed with Chrome and it's not working right anymore.

To dump the cert using OpenSSL client (probably not necessary, but in case you want to be very thorough):

$ echo QUIT | openssl s_client -connect $DOMAIN_TO_FETCH_FROM:443 | sed -ne '/BEGIN CERT/,/END CERT/p' > my-cert

To install the dumped cert using certutil. If you didn't dump your cert with openssl, replace my-cert with whatever filename is appropriate:

$ certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n my-cert -i my-cert

Check the installation of the cert with certutil (if you feel so inclined):

$ certutil -d sql:$HOME/.pki/nssdb -L

# Certificate Nickname                                         Trust Attributes
#                                                              SSL,S/MIME,JAR/XPI
#
# my-cert                                                      P,,

Completely close and restart Chrome, and maybe you will find success. Worked for me on both 58 and 59-beta.

Best Answer

Related Solutions

Firefox – How to make Firefox ignore all SSL certification errors

Ubuntu – ‘Not a Certification Authority’ while importing self-signed certificate

Related Question