No "Add exception" button

  • 18 replies
  • 2 have this problem
  • 18649 views
  • Last reply by Alex

more options

In the instructions (here: https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER?as=u&utm_source=inproduct) I can see an "Add exception" button that allows me to continue visiting the website. However, this button does not exist, so I'm not able to do this. I'm using Firefox Quantum. And I'm designing a website (project, for example https://someproject.dev) with a self-signed certificate ('cause I want to use https). All the suggestions I found by googling did not work (including settings in about:config or adding exclusions in the settings page).

So my question, obviously, is how to use a self-signed certificate.

All replies (18)

more options

hi alexslipknot, please don't use .dev as local development environment - that's a top level domain belonging to google and enforcing a valid ssl certificate since recently: https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/ https://medium.engineering/use-a-dev-domain-not-anymore-9521977

Modified by philipp on

more options

Ya, Hi. Yes, that looks a little old, but when you click in the Address Bar, left side, forgot what it is called, the circle around the i (Show information, but there is another name) brings up that area (I think) and the right-facing arrowhead is now Advanced.

I am working on self-signed also, though I have a feeling browsers will not like it. I have uncovered these 2 URLs but have yet to dive into it. A news article: https://www.theregister.co.uk/2018/03/01/trustico_digicert_symantec_spat/ and the link from in it, https://letsencrypt.org/, will let you know how to install it on the website.

So to add a/the certificate into Firefox, copy/paste about:preferences#privacy into the Address Bar and press Enter. Then down to Certificates, then View Certificates, then am not too sure. Your Certificates, then Import.

Please let us know if this solved your issue or if you need further assistance.

more options

Alright. Thanks guys. Anyway, in standard Firefox the button still exists. And I can continue using a self-signed cert.

But! In my opinion, I think there might be a way to use local sites on https. For example, if I have a website in the world (somename.com) but I want to check functionality locally in a maximally realistic environment, I just have to add records for my domain in the hosts file. I've been using Firefox since 2014 but due to restrictions I can't do this anymore. Now I'm using Chrome with the flag --ignore-certificate-error. Does Firefox have a flag like this?

more options

Yes, it is in the page under Advanced as per : https://superuser.com/questions/1298054/ignore-invalid-ssl-certificate-chrome-ff-or-other-browser

Please let us know if this solved your issue or if you need further assistance.

more options

Hi Alex, the Add Exception button is suppressed when the host uses HTTP Strict Transport Security (HSTS). In some cases, Firefox learns of HSTS using an internal list, and in other cases, from having previously been served that header by the site.

I don't know whether you can work around this by importing the signing certificate. It's worth a try.

  • Windows: "3-bar" menu button (or Tools menu) > Options
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box near the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the signing certificate.

When asked, I suggest allowing the certificate for websites only.

more options

Pkshadow said

Yes, it is in the page under Advanced as per: https://superuser.com/questions/1298054/ignore-invalid-ssl-certificate-chrome-ff-or-other-browser

Please let us know if this solved your issue or if you need further assistance.

Thanks, but I have NO button [Add exception]

jscher2000 said

  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box near the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the signing certificate.

When asked, I suggest allowing the certificate for websites only.

Nope, thanks, I've tried that

more options

Alex said

Pkshadow said

Yes, it is in the page under Advanced as per: https://superuser.com/questions/1298054/ignore-invalid-ssl-certificate-chrome-ff-or-other-browser

Please let us know if this solved your issue or if you need further assistance.

Thanks, but I have NO button [Add exception]

jscher2000 said

  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box near the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the signing certificate.

When asked, I suggest allowing the certificate for websites only.

Nope, thanks, I've tried that

Hi, in the image you sent I can see the Advanced Button next to the Blue one. Please Click on Advanced.

more options

In the screenshot I showed you that the button is present but hidden.

When I removed the "hidden" attribute and clicked "Add Exception", the modal window appeared as expected, but adding the exception does not do anything. It always redirects me to the same page (refreshing the page) and again I see the error.

more options

Hello again. Should I report a bug or something?

more options

Hi Alex, your last screenshot showed use of a .dev domain. Can you use a different TLD that doesn't have forced HSTS?

more options

jscher2000 said

Hi Alex, your last screenshot showed use of a .dev domain. Can you use a different TLD that doesn't have forced HSTS?

Hi. Sure, I can use another domain with my home projects. Unfortunately I can't rename our legacy projects at the company where I work.

more options

Hello everyone again! I'm still pretty sure that this is a bug. Why do I think so? Ok, take a look at the screenshots. I've added two records to the hosts file. Both of them are linked to the local server. But when I try to open even the ".com" local domain, it allows me to add an exception. So I'm still confused why Mozilla decided to remove the "Exception" button for only .dev domains?

Thanks in advance.

more options

HSTS sites aren't supposed to provide a way to add an exception: https://tools.ietf.org/html/rfc6797#section-12.1

more options

philipp said

HSTS sites aren't supposed to provide a way to add an exception: https://tools.ietf.org/html/rfc6797#section-12.1

I'm sorry. Did you see the screenshots? I can still add an exception with another domain (for example, in the screenshot with ".com") but cannot do this with ".dev".

Thus I'm sure that something is going wrong. Maybe the "add exception" button shouldn't appear at all? But it does on the local ".com"

more options

the "add an exception" button shouldn't appear on domains making use of HSTS.

the .dev top-level domain belongs to google. they have recently introduced HSTS there and this made its way into the preloaded lists of HSTS sites that browsers ship with out of the box.

there is no such thing for a random .com domain...

more options

First of all, thank you for helping me with this issue. I assure you that I completely understand why there is no "Add Exception" button on sites with HSTS.

But I think that Firefox shouldn't show this warning when I'm using a local environment. I think Firefox should detect the address of the website to apply this policy.

Thanks!

more options

Chosen solution

Hi Alex, perhaps you missed this in one of the articles linked earlier in this thread, but the .dev top level domain is owned by Google now (IANA delegation record). Google wants browsers to use HSTS for .dev sites, and Microsoft and Mozilla are following Google's lead in forcing HSTS for any .dev domain by preloading .dev as one of the many domains site owners have requested to force HSTS.

While you cannot selectively load only part of that list, it appears you can instruct Firefox not to load it at all. Here's how:

It's not recommended because HSTS preloading provides a layer of protection against forged websites. But if you can't change your internal site's TLD immediately, it's an option.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste prelo and pause while the list is filtered

(3) Double-click the network.stricttransportsecurity.preloadlist preference to switch the value from true to false

You might need to exit/restart Firefox to see an effect.

Does that work for you?

Alex said

I think that Firefox shouldn't show this warning when I'm using a local environment. I think Firefox should detect the address of the website to apply this policy.

You could code that submit a bug for it. https://bugzilla.mozilla.org/
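
A simplified model of the behaviour described in this answer and in philipp's earlier reply, added here as an example (it is not Firefox code and not written by anyone in the thread): host matching against HSTS entries as RFC 6797 section 8.2 defines it, and the no-override rule of section 12.1. The list entries are constructed samples, and `findHstsEntry`, `certErrorOutcome` and `usePreload` are hypothetical names; `usePreload` stands in for the network.stricttransportsecurity.preloadlist preference.

```javascript
// Constructed sample entries, not the real preload list.
const PRELOAD = new Map([
  ["dev", { includeSubDomains: true }],                 // whole TLD, as the thread describes
  ["login.example.com", { includeSubDomains: false }],  // constructed single-host entry
]);

// RFC 6797 section 8.2: a host is a Known HSTS Host if it is a congruent
// match for an entry, or a subdomain of an entry that sets includeSubDomains.
// `dynamic` models hosts learned from a Strict-Transport-Security header.
function findHstsEntry(host, dynamic = new Map(), usePreload = true) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    for (const [source, store] of [["dynamic", dynamic], ["preload", PRELOAD]]) {
      if (source === "preload" && !usePreload) continue;
      const entry = store.get(candidate);
      // i === 0 is the host itself; i > 0 is a superdomain of the host.
      if (entry && (i === 0 || entry.includeSubDomains)) {
        return { matched: candidate, source };
      }
    }
  }
  return null;
}

// RFC 6797 section 12.1: on a certificate error for a Known HSTS Host the
// user is given no override; other hosts may be offered an exception.
function certErrorOutcome(host, opts = {}) {
  const hit = findHstsEntry(host, opts.dynamic, opts.usePreload);
  return hit
    ? { canAddException: false, reason: `HSTS (${hit.source}: ${hit.matched})` }
    : { canAddException: true, reason: "not a known HSTS host" };
}

// The two kinds of local host compared in the thread.
for (const h of ["someproject.dev", "somename.com"]) {
  console.log(h, certErrorOutcome(h));
}
// Same .dev host with the preload list switched off (the about:config step).
console.log("someproject.dev", certErrorOutcome("someproject.dev", { usePreload: false }));
```

With the preload list off, a host is still treated as HSTS if it previously sent the header itself, which is the `dynamic` store in this model.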

more options

Thank you so much! This is the flag I've been searching for! And ok, I'll report a suggestion about environment detection for HSTS.