Firefox – How to fix Firefox 59 no longer accepting the self signed SSL certificate on .dev virtualhost


On my local Apache environment I have a site that requires SSL for development, so I have been using a self signed certificate. The local site has worked fine in Firefox and Chrome until now, but after updating Firefox to version 59 today I can't get it to accept the security exception (on Chrome the self signed certificate continues to work).

Firefox gives me this additional info in the blocked page:

… uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: SEC_ERROR_UNKNOWN_ISSUER

There is no option to allow the exception here as there used to be, but I went to the Firefox Preferences under Certificates, then in the "Server" tab I've added an exception for the local domain. The certificate is then listed in the correct local server name, details show my certificate settings of Issued by and Issued to being the same, with a valid timespan.

Anybody experiencing similar problems with FF 59 or might have a clue what to try to get the self signed certificate working again locally?

Edit: I don't see any mention of this in the FF 59 release notes but something in the new version causes all my local virtual hosts on *.dev domains to automatically try to establish a https connection (that is to say, all http requests for *.dev get automatically sent to the https URL). Maybe something about this behavior is also what is causing these problems for my actual https virtual hosts.

Best Answer

There is an easy way around this.

  1. Go to about:config
  2. Search for "network.stricttransportsecurity.preloadlist".
  3. Set it to false.

WARNING: This will disable HSTS entirely. Take a look at the comments on this answer for some discussion about the downsides of this method. I personally think the benefit outweighs the risk, but you are responsible for your own security.

enter image description here

Edit 2020: We've now had a .dev TLD for multiple years. It's time to move away from using .dev as a local URL. This workaround still works, but you are robbing yourself of increased security.