How do I tell Firefox 112 that it is fine to visit a specific site containing a self-signed certificate? The 'I understand the risk' button is no longer available, clicking 'Advanced' again shows 'Go Back': I can click on 'View Certificate' which gives me: but then what? Adding the site to Settings -> Privacy & Security -> View certificates -> Servers manually, as Destroy666 suggested, did not help. I see domain names in that list that were added there in the past when I clicked 'I understand the risk'. BTW If I click on the Mozilla error code, I get this: I tried to Google for it, but everything I find is about accepting my self-signed cert, not theirs.
asked Apr 22, 2023 at 21:08 Jan Doggen
In case you have a website with a valid DNS configuration and a self-signed certificate, you can add a certificate exception. This does not work on localhost afaik.
What I did is add a certificate exception:
What? In my head, adding a domain means: "I trust certificates that are signed by this domain", thus it should work in the case of self-signed certificates, because I trust certificates signed by that domain? Or are certificates not based on a domain?
Commented Jul 24, 2023 at 8:44
Apologies, my comment is incomplete. In my case, it doesn't work for self signed certificates with the server on local machine (docker), and with an entry for the domain in /etc/hosts. Firefox only processes self signed certificates for the "domain" localhost. mydomain.local pointing to 127.0.0.1 will be rejected by Firefox on all accounts in my experience atm.
Commented Jul 24, 2023 at 10:25
Ah yes, in my case I had it running on an external test server. Not really an idea how to solve for that. Sorry.
Commented Jul 27, 2023 at 9:44
Adding the cert to the certificate manager this way does not work: the entry is added but the site is still blocked.
Commented Sep 24, 2023 at 7:42
While you can normally trust otherwise insecure certificates, this is not possible if the website is or was sending an HSTS (HTTP Strict Transport Security) header. Keep in mind that HSTS is cached once received and sticks until it expires, which can be quite far in the future.
As per this answer on Security SE, you can find the Firefox HSTS cache in your Firefox profile in a file called SiteSecurityServiceState.txt. Before continuing, create a backup copy of the file. You then have two options: Delete the file entirely, losing HSTS protection entirely for all sites until you visit them again. Or just remove the conflicting line(s). This file has Linux/Unix line breaks, so make sure to use an appropriate editor.
If you do not control the site, there is nothing you can do. Methods still exist, of course, like MITM’ing the connection using a proxy to replace the certificate and/or remove the header. However, I would not consider this an appropriate solution.
Instead, the site operator must fix their site. It’s 2023. They should be using Let’s Encrypt or a similar service. If they are unwilling to, they must not send HSTS headers.
Obsolete answer content:
You must also make sure this site of yours does not send an HSTS header. If you want to continue using HSTS, you may be better off creating a proper CA that then issues site certificates. Firefox can then trust the CA.
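The cache edit described in the answer above (back up SiteSecurityServiceState.txt, then remove only the conflicting lines while keeping the Unix line breaks), as an added example that is not part of the original answer. The line layout given in the comment, the sample entries and the function names are assumptions made for illustration; it also assumes Firefox is closed while the real file is edited.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed sample lines. Assumed layout (not documented on this page):
#   host[^originAttributes]:HSTS <TAB> score <TAB> last-access day <TAB> expiry,state,includeSubdomains
SAMPLE = (
    b"test.example:HSTS\t3\t19650\t1760000000000,1,1\n"
    b"api.test.example:HSTS\t1\t19650\t1760000000000,1,0\n"
    b"nottest.example:HSTS\t0\t19600\t1750000000000,1,0\n"
    b"test.example^partitionKey=%28https%2Cother.example%29:HSTS\t0\t19650\t1760000000000,1,0\n"
)


def entry_host(line: bytes) -> bytes:
    """Return the lower-cased host of one cache line."""
    key = line.split(b"\t", 1)[0]          # first tab-separated field
    key = key.rsplit(b":", 1)[0]           # drop the ':HSTS' type suffix
    return key.split(b"^", 1)[0].lower()   # drop origin attributes, if present


def remove_hsts_entries(state_file, host, include_subdomains=False):
    """Back up state_file, drop the entries for host, return the removed lines."""
    path = Path(state_file)
    target = host.lower().encode("idna")
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # backup first
    kept, removed = [], []
    # Bytes in, bytes out: the LF line endings are never translated.
    for line in path.read_bytes().splitlines(keepends=True):
        found = entry_host(line)
        hit = found == target or (include_subdomains and found.endswith(b"." + target))
        (removed if hit else kept).append(line)
    path.write_bytes(b"".join(kept))
    return [l.decode("utf-8", "replace").rstrip("\r\n") for l in removed]


if __name__ == "__main__":
    # Demo on a throwaway copy; point state_file at the real profile file
    # only while Firefox is closed.
    with tempfile.TemporaryDirectory() as tmp:
        demo = Path(tmp) / "SiteSecurityServiceState.txt"
        demo.write_bytes(SAMPLE)
        for gone in remove_hsts_entries(demo, "test.example"):
            print("removed:", gone)
        print(demo.read_bytes().decode())
```

Matching on the exact host rather than a substring keeps unrelated entries such as nottest.example, so HSTS protection for every other site stays in place.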