Hi eximido , Thank you for your post and the updates. I understand that there are a few issues. However after the certificate was reissued, was the previous certificated removed? If not, they can be managed in the Certificate Database. Configuring Certificates and Secure Website Certificate are also useful.

However if this is an issue may I also confirm the steps to reproduce this:

1. A certificate expires
2. when waiting for a new certificate to be issued for [ SSL certificate for openwrt.org was Level 2 certificate with correcly registered subdomains like forum.openwrt.org and lists.openwrt.org.]

• You added an exception for the domain openwrt.org and it worked BUT,
• All subdomains still had the "site untrusted page"

So the issue would be the add exception does not include subdomains.

Update: I think this would cause a big security issue with Single -Origin check out https://developer.mozilla.org/en-US/d.../Same-origin_policy

Even though there may be many domains covered by a single certificate, Firefox seems to retrieve and analyze the certificate individually for each of them.

(I wasn't able to test thoroughly, though: because I had cached a valid certificate for www.jeffersonscher.com, when I started up the Fiddler proxy, the "Add Exception" dialog kept showing me the real certificate instead of letting me create an exception. I need to test after the cache is cleared, I guess.)

guigs2,

Unfortunately I'm not quiet sure what happened to exceptions I added to those expired certificates, now I don't see them at options->advanced->certificates. Maybe I deleted them at some point, or maybe they are gone because they were temporary - I can't remember. Right now there're no exceptions for openwrt.org in my settings and everything works fine.

Also, some steps are missing from the list you've mentioned. It should read so:

1. The certificate expires;
2. I add exception to openwrt.org and it works, so I'm able to open this site. Subdomains are still blocked as "untrusted".
3. I explicitly add exception to forum.openwrt.org and it doesn't work, forum.openwrt.org subdomain is still blocked as "untrusted" by some unknown reason.

I was able to see all three exceptions in firefox options->advanced->certificates: for openwrt.org, lists.openwrt.org and forum.openwrt.org. However only openwrt.org was available, other domains - were blocked by firefox error message.

Meanwhile I've tried to reproduce the issue by creating a self-signed expired certificate for my test domain with two subdomains and installed it at my test webserver. But the test failed: exceptions worked as expected and allowed me to view the test page. However the error message was different - it was complaining about expired issuer, not the expired certificate itself.

After that I tried to create my own CA certificates (not expired) in order to produce an expired site certificate signed with "good" CA certificate. Then I installed new site certificate to my test webserver and manually imported CA certificate into Firefox. Next I tried to access my test subdomain, and this time the error was the same as it was with openwrt.org - Firefox approved my handmade CA cert as valid authority and said that site certificate was valid but expired like an hour ago. However exceptions still worked as expected and I once again was able to browse my test site. Strange.

Fairly speaking, now I've run out of ideas on how to reproduce the problem.

Obviously the real SSL certificates issued by real CAs use much more different additional field, signatures, options or whatsoever which somehow influences Firefox'es decisions on approving/excepting certificates. I've used all the default openssl options when generating files for my test CA and site certificates. Maybe something crucial for this case was missing in my own-generated certificates, but I just don't know what it could be.

Probably we need to test this issue on some real expired certificate with SAN including some subdomains, but I don't have one like that available.

PS: jscher2000, when experimenting on my self-signed certificates I also noticed firefox caching them. Simply clicking Ctrl+F5 refreshes the page entirely however.

I asked security and there was a hint if HSTS, would this sound like a culprit?

Yes, as I see in headers from openwrt.org there is "Strict-Transport-Security" line in their nginx response. However adding the same header to my test webserver doesn't help and exceptions still work as expected there - so I'm still unable to reproduce the issue on my test site with self-generated expired certificate.

Hi, like eximido I'd like to learn a way to access (even temporarily) pages on a subdomain with no valid certificate. Does guigs2 answer imply that accessing such pages is presently unfeasible with Mozilla Firefox?

Firefox 33.0.2 Domain: https://anomos.info/ Subdomain: https://forum.anomos.info/

Steps I've done so far:

- Adding an exception on the bottom of the error page is impossible since button does not show up. As in "Connection untrusted" post by GigabitPony on 05/09/14 12:36, the option to "I understand the risks" is not there.

- Add an exception via Tools > Options > Advanced : Encryption: Certificates - View Certificates (Authorities,Servers) does not change the issue at all.

- Made sure that the date, time & timezone are set correctly on your system.

- what is the error code shown under technical details on the error page?

forum.anomos.info utilise un certificat de sécurité invalide. Le certificat n'est valide que pour anomos.info. (Code d'erreur : ssl_error_bad_cert_domain)

- which issuer information does the certificate contain?

CA Cert Signing Authority Root CA http://www.cacert.org SHA-256: 57:22:97:22:6D:F9:E5:75:7D:5B:3C:26:E1:B6:0C:5F:6B:6D:7F:4D:03:49:A2:13:88:DA:31:80:5A:16:87:63 SHA1: 69:74:9F:1C:1F:FF:43:35:BD:A0:AA:44:38:9E:ED:6F:B4:33:7F:2A

Hi kozaki, this thread is about an older version of Firefox. Could you start a new question?

For what it's worth, I see the "I understand the risk" section of this page in Firefox 33.0.3: https://forum.anomos.info/ -- but I have not added an exception for the top level site, so maybe that's a partial explanation for the difference.

Also, a new release of Firefox is out today which makes some changes for certificate issues.

To start a new Q: https://support.mozilla.org/questions/new/desktop/fix-problems

If the suggested articles are not useful, scroll past them to continue with the form.

You can install the Class 1 PKI Key from this web page

• http://www.cacert.org/index.php?id=3

Tick the (first) to make Firefox trust the certificate for websites.

Hi, @jscher2000 and @cor-el: thank you for your help! The "Add an exception" is not visible on my main profile on upgraded Firefox 33.1 (nothing shows below "(Error code...)"; displaying the code source shows nothing as well. But it stands on other profiles, perfectly usable to go to the subdomain. Good to know :)

@jscher2000 I added the certificate after I couldn't see the usual "Add an exception" dialog. Also, removing it didn't make it be displayed (main profile). Maybe an add-on is impeding the dialog to be displayed, but I can't see one of the installed that could change page display.

@cor-el: I went to add this certificate and it was already installed in FF.