Can't skip "This Connection is Untrusted" error page
The SSL certificate for one of the sites I use expired today a couple of hours ago, and the devs of that site still haven't had spare time to update it yet. I suppose it's not a big issue; in most (other) browsers you can just review the problem and click on the "continue anyway" link or something like that, when you're sure that the certificate was expected to become invalid. So you can visit the requested page with a broken certificate in a _single_ click. But not in Firefox.
As I remember, some time ago on the Cert Error page there was an "I understand the risks" paragraph with the button "Add exception" below. Looks like it got disabled in Firefox 30 as I don't see it there. Okay, I googled around and found out that in the about:config page there's a secret option browser.xul.error_pages.expert_bad_cert which was in a disabled state for some reason (I personally haven't ever touched it before). Okay, now I'm able to open the ugly "Add exception" window, but when I add an exception, nothing happens. Neither the temporary nor the permanent exception option allows me to view the site. "This Connection is Untrusted", the browser says. Period.
After that I've tried to install the "Skip cert error" add-on, with no success. Even if I add the site URL to the whitelist in the add-on options, which "in theory" should bypass ANY security checks for exactly this domain, I still end up staring at the "This Connection is Untrusted" error which simply can't be bypassed by any means.
The sites I've tried to reach are https://lists.openwrt.org and https://forum.openwrt.org. It's interesting though: the certificate is also expired at https://openwrt.org, but that site can be added to the exception list and then Firefox opens it. However I see completely NO WAY to make Firefox open https://lists.openwrt.org or https://forum.openwrt.org.
I've run out of ideas and came here. Hope somebody knows how to work around this issue.
PS: I wonder why the hell there's no option to bypass the check by some _simple_ means like in other browsers so that I could reach the requested site in seconds rather than searching for settings/add-ons/workarounds for hours. Thank you Firefox for such enormous care for security, you've made me run Internet Explorer again...
---
Update 1:
It appears that in this case the certificate was registered for the domain openwrt.org, but was also used for the forum and lists subdomains. Now it is expired, but the expiration issue can be ignored via the exception list only for openwrt.org itself. The other subdomains are actually added to the exception list, but it doesn't work for them, so the browser is stuck at the "untrusted connection" error which can't be ignored or skipped. What a shame.
---
Update 2:
I was quite wrong in Update 1: in fact the SSL certificate for openwrt.org was a Level 2 certificate with correctly registered subdomains like forum.openwrt.org and lists.openwrt.org. However when the certificate expired, only the openwrt.org exception worked and the site was browsable. All the subdomains could be added to exceptions but regardless of that fact Firefox refused to open those sites and was stuck on the unskippable "untrusted connection" error page. For now the openwrt.org maintainers have already renewed their certificate so the problem can't be observed on those domains anymore. However I believe that the problem in Firefox's exception handling still exists and should be fixed in future Firefox releases.
By eximido
All replies (9)
Hi eximido, thank you for your post and the updates. I understand that there are a few issues. However, after the certificate was reissued, was the previous certificate removed? If not, they can be managed in the Certificate Database. Configuring Certificates and Secure Website Certificate are also useful.
However, if this is an issue, may I also confirm the steps to reproduce this:
- A certificate expires
- when waiting for a new certificate to be issued for [SSL certificate for openwrt.org was a Level 2 certificate with correctly registered subdomains like forum.openwrt.org and lists.openwrt.org.]
- You added an exception for the domain openwrt.org and it worked BUT,
- All subdomains still had the "site untrusted page"
So the issue would be that the added exception does not include subdomains.
Update: I think this would cause a big security issue with Single-Origin; check out https://developer.mozilla.org/en-US/d.../Same-origin_policy
By guigs
Even though there may be many domains covered by a single certificate, Firefox seems to retrieve and analyze the certificate individually for each of them.
(I wasn't able to test thoroughly, though: because I had cached a valid certificate for www.jeffersonscher.com, when I started up the Fiddler proxy, the "Add Exception" dialog kept showing me the real certificate instead of letting me create an exception. I need to test after the cache is cleared, I guess.)
guigs2,
Unfortunately I'm not quite sure what happened to the exceptions I added for those expired certificates; now I don't see them at options->advanced->certificates. Maybe I deleted them at some point, or maybe they are gone because they were temporary, I can't remember. Right now there are no exceptions for openwrt.org in my settings and everything works fine.
Also, some steps are missing from the list you've mentioned. It should read as follows:
- The certificate expires;
- I add an exception for openwrt.org and it works, so I'm able to open this site. Subdomains are still blocked as "untrusted".
- I explicitly add an exception for forum.openwrt.org and it doesn't work; the forum.openwrt.org subdomain is still blocked as "untrusted" for some unknown reason.
I was able to see all three exceptions in Firefox options->advanced->certificates: for openwrt.org, lists.openwrt.org and forum.openwrt.org. However only openwrt.org was available; the other domains were blocked by the Firefox error message.
Meanwhile I've tried to reproduce the issue by creating a self-signed expired certificate for my test domain with two subdomains and installed it on my test webserver. But the test failed: exceptions worked as expected and allowed me to view the test page. However the error message was different: it was complaining about an expired issuer, not the expired certificate itself.
After that I tried to create my own CA certificates (not expired) in order to produce an expired site certificate signed with a "good" CA certificate. Then I installed the new site certificate on my test webserver and manually imported the CA certificate into Firefox. Next I tried to access my test subdomain, and this time the error was the same as it was with openwrt.org: Firefox approved my handmade CA cert as a valid authority and said that the site certificate was valid but expired like an hour ago. However exceptions still worked as expected and I once again was able to browse my test site. Strange.
Frankly speaking, now I've run out of ideas on how to reproduce the problem.
Obviously the real SSL certificates issued by real CAs use many more additional fields, signatures, options or whatever, which somehow influence Firefox's decisions on approving/excepting certificates. I've used all the default openssl options when generating files for my test CA and site certificates. Maybe something crucial for this case was missing in my own generated certificates, but I just don't know what it could be.
Probably we need to test this issue on some real expired certificate with a SAN including some subdomains, but I don't have one like that available.
PS: jscher2000, when experimenting on my self-signed certificates I also noticed Firefox caching them. Simply clicking Ctrl+F5 refreshes the page entirely, however.
By eximido
I asked security and there was a hint about HSTS; would this sound like a culprit?
Yes, as I see in the headers from openwrt.org there is a "Strict-Transport-Security" line in their nginx response. However adding the same header to my test webserver doesn't help and exceptions still work as expected there, so I'm still unable to reproduce the issue on my test site with a self-generated expired certificate.
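The checks discussed above (is the certificate expired, does its SAN list cover the subdomain, does an HSTS header remove the click-through, and is a stored exception tied to one host) can be modelled in a few lines. The script below is an added illustration written for this thread, not code from Firefox or from anyone posting here. It assumes certificate records hand-built in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, made-up dates and a made-up "current time", and it reproduces two situations as constructed inputs: an expired certificate whose SAN covers the subdomains (the openwrt.org case) and a still-valid certificate issued only for the apex domain (the ssl_error_bad_cert_domain case reported later in the thread). The error-code strings mirror the ones Firefox prints on its error page; the rule that an HSTS host gets no click-through comes from RFC 6797 section 12.1, and the per-host keying of exceptions follows how Firefox stores overrides (host:port).

```python
"""Certificate-error triage in the style of a browser's checks (added example).

Assumptions (not from the thread): the certificate records are constructed in the
dict shape returned by ssl.SSLSocket.getpeercert(), the dates and NOW are made up,
and the error-code strings mirror what Firefox shows on its error page.
"""
import ssl
from datetime import datetime, timezone

# Constructed: one certificate whose SAN covers the apex and two subdomains,
# already past its notAfter date (the openwrt.org situation in the thread).
EXPIRED_SAN_CERT = {
    "subject": ((("commonName", "openwrt.org"),),),
    "subjectAltName": (("DNS", "openwrt.org"),
                       ("DNS", "forum.openwrt.org"),
                       ("DNS", "lists.openwrt.org")),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Nov  4 12:00:00 2014 GMT",
}

# Constructed: a still-valid certificate issued only for the apex domain,
# presented on a subdomain (the ssl_error_bad_cert_domain situation).
APEX_ONLY_CERT = {
    "subject": ((("commonName", "anomos.info"),),),
    "subjectAltName": (("DNS", "anomos.info"),),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}

# Constructed "current time" so the example is deterministic.
NOW = datetime(2014, 11, 5, 12, 0, tzinfo=timezone.utc)


def dns_names(cert):
    """dNSName SAN entries; fall back to the subject CN only when there is no SAN."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or '*' standing for exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return False


def hostname_matches(cert, hostname):
    return any(name_matches(p, hostname) for p in dns_names(cert))


def is_expired(cert, now=NOW):
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form used by getpeercert().
    return now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"])


def diagnose(cert, hostname, now=NOW, hsts=False, overrides=frozenset()):
    """Errors a browser would raise for this host, and whether the user can get past them.

    overrides: 'host:port' keys for which an exception is stored. Exceptions are keyed
    per host, so an override for the apex does not cover a subdomain even when the
    very same certificate is served on both.
    """
    errors = []
    if not hostname_matches(cert, hostname):
        errors.append("ssl_error_bad_cert_domain")
    if is_expired(cert, now):
        errors.append("sec_error_expired_certificate")
    # RFC 6797 section 12.1: on a known HSTS host the user agent offers no click-through.
    override_allowed = bool(errors) and not hsts
    overridden = override_allowed and f"{hostname}:443" in overrides
    return {"errors": errors, "override_allowed": override_allowed,
            "connects": not errors or overridden}


if __name__ == "__main__":
    for host, cert, kw in [
        ("openwrt.org", EXPIRED_SAN_CERT, {"overrides": {"openwrt.org:443"}}),
        ("forum.openwrt.org", EXPIRED_SAN_CERT, {"overrides": {"openwrt.org:443"}}),
        ("forum.openwrt.org", EXPIRED_SAN_CERT, {"overrides": {"forum.openwrt.org:443"}}),
        ("lists.openwrt.org", EXPIRED_SAN_CERT, {"hsts": True}),
        ("forum.anomos.info", APEX_ONLY_CERT, {}),
    ]:
        print(host, kw, diagnose(cert, host, **kw))
```

Running it shows the three distinct outcomes the thread conflates: an expired certificate with a per-host override connects only on the host the override names, an HSTS host reports the same error but with no override possible, and a certificate that simply does not list the subdomain fails with the domain-mismatch code even though it is unexpired.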
Hi, like eximido I'd like to learn a way to access (even temporarily) pages on a subdomain with no valid certificate. Does guigs2's answer imply that accessing such pages is presently unfeasible with Mozilla Firefox?
Firefox 33.0.2 Domain: https://anomos.info/ Subdomain: https://forum.anomos.info/
Steps I've done so far:
- Adding an exception at the bottom of the error page is impossible since the button does not show up. As in the "Connection untrusted" post by GigabitPony on 05/09/14 12:36, the option "I understand the risks" is not there.
- Add an exception via Tools > Options > Advanced : Encryption: Certificates - View Certificates (Authorities,Servers) does not change the issue at all.
- Made sure that the date, time & timezone are set correctly on your system.
- what is the error code shown under technical details on the error page?
forum.anomos.info utilise un certificat de sécurité invalide. Le certificat n'est valide que pour anomos.info. (Code d'erreur : ssl_error_bad_cert_domain)
- which issuer information does the certificate contain?
CA Cert Signing Authority Root CA http://www.cacert.org SHA-256: 57:22:97:22:6D:F9:E5:75:7D:5B:3C:26:E1:B6:0C:5F:6B:6D:7F:4D:03:49:A2:13:88:DA:31:80:5A:16:87:63 SHA1: 69:74:9F:1C:1F:FF:43:35:BD:A0:AA:44:38:9E:ED:6F:B4:33:7F:2A
Hi kozaki, this thread is about an older version of Firefox. Could you start a new question?
For what it's worth, I see the "I understand the risk" section of this page in Firefox 33.0.3: https://forum.anomos.info/ -- but I have not added an exception for the top level site, so maybe that's a partial explanation for the difference.
Also, a new release of Firefox is out today which makes some changes for certificate issues.
To start a new Q: https://support.mozilla.org/questions/new/desktop/fix-problems
If the suggested articles are not useful, scroll past them to continue with the form.
You can install the Class 1 PKI Key from this web page
Tick the (first) to make Firefox trust the certificate for websites.
Hi, @jscher2000 and @cor-el: thank you for your help! The "Add an exception" is not visible on my main profile on the upgraded Firefox 33.1 (nothing shows below "(Error code...)"; viewing the page source shows nothing as well). But it is there on other profiles, perfectly usable to go to the subdomain. Good to know :)
@jscher2000 I added the certificate after I couldn't see the usual "Add an exception" dialog. Also, removing it didn't make it appear (main profile). Maybe an add-on is preventing the dialog from being displayed, but I can't see any installed one that could change the page display.
@cor-el: I went to add this certificate and it was already installed in FF.