Support Forum

No "Add exception" button

Posted

In the instructions (here: https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER?as=u&utm_source=inproduct) I can see an "Add exception" button that allows me to continue visiting the website. However, this button does not exist, so I'm not able to do this. I'm using Firefox Quantum, and I'm designing a website (project, for example https://someproject.dev) with a self-signed certificate ('cause I want to use https). All the suggestions I found by googling did not work (including settings in about:config or adding exclusions in the settings page).

So my question, obviously, is how to use a self-signed certificate.

Additional system details

Application

  • User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0

philipp
  • Top 25 Contributor
  • Moderator
5348 solutions 23619 answers
Posted

hi alexslipknot, please don't use .dev as local development environment - that's a top level domain belonging to google and enforcing a valid ssl certificate since recently: https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/ https://medium.engineering/use-a-dev-domain-not-anymore-9521977

Modified by philipp

Shadow110 1072 solutions 14836 answers
Posted

Helpful answer

Ya, Hi. Yes that looks a little old, but when you Click in the Address Bar, left side, forgot what it is called the circle around the i (Show information, but there is another name) brings up that area (I think) and the right face arrow head is now Advanced.

I am working on self signed also though I have a feeling browsers will not like it. I have uncovered these 2 URLs but have yet to dive into it. A news article: https://www.theregister.co.uk/2018/03/01/trustico_digicert_symantec_spat/ and the link from in it https://letsencrypt.org/ will let you know how to install it on the website.

So to add a/the certificate into Firefox, Copy/Paste about:preferences#privacy into the Address Bar and Enter. Then down to Certificates, then View Certificates, then am not too sure. Your Certificates, then Import.

Please let us know if this solved your issue or if need further assistance.

Posted

Helpful answer

Alright. Thanks guys. Anyway, in standard Firefox the button still exists, and I can continue using a self-signed cert.

But! In my opinion, I think there might be a way to use local sites on https. For example, if I have a website in the world (somename.com) but I want to check functionality locally in a maximally real environment - I just have to add records for my domain in the hosts file. I've been using Firefox since 2014, but due to restrictions I can't do this anymore. Now I'm using chrome with flag --ignore-certificate-error. Does Firefox have a flag like this?

Shadow110 1072 solutions 14836 answers
Posted

Yes, it is in the page under Advanced as per : https://superuser.com/questions/1298054/ignore-invalid-ssl-certificate-chrome-ff-or-other-browser

Please let us know if this solved your issue or if need further assistance.

jscher2000
  • Top 10 Contributor
8960 solutions 73412 answers
Posted

Hi Alex, the Add Exception button is suppressed when the host uses HTTP Strict Transport Security (HSTS). In some cases, Firefox learns of HSTS using an internal list, and in other cases, from having previously been served that header by the site.

I don't know whether you can work around this by importing the signing certificate. It's worth a try.

  • Windows: "3-bar" menu button (or Tools menu) > Options
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box near the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the signing certificate.

When asked, I suggest allowing the certificate for websites only.

Posted

Question owner

Pkshadow said

Yes, it is in the page under Advanced as per : https://superuser.com/questions/1298054/ignore-invalid-ssl-certificate-chrome-ff-or-other-browser Please let us know if this solved your issue or if need further assistance.

Thanks, but I have NO button [Add exception]

jscher2000 said

  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box near the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the signing certificate.

When asked, I suggest allowing the certificate for websites only.

Nope, thanks, I've tried that

Shadow110 1072 solutions 14836 answers
Posted

Alex said

Pkshadow said

Yes, it is in the page under Advanced as per : https://superuser.com/questions/1298054/ignore-invalid-ssl-certificate-chrome-ff-or-other-browser

Please let us know if this solved your issue or if need further assistance.

Thanks, but I have NO button [Add exception]

jscher2000 said

  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box near the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the signing certificate.

When asked, I suggest allowing the certificate for websites only.

Nope, thanks, I've tried that

Hi, in the image you sent I can see the Advanced Button next to the Blue one. Please Click on Advanced.

Posted

Question owner

In the screenshot I showed you that the button is present but hidden.

When I removed the "hidden" attribute and clicked "Add Exception", the modal window appeared as expected, but adding the exception does not do anything. It always redirects me to the same page (refreshing the page) and I see the error again.

Posted

Question owner

Hello again. Should I report a bug or something?

jscher2000
  • Top 10 Contributor
8960 solutions 73412 answers
Posted

Hi Alex, your last screenshot showed use of a .dev domain. Can you use a different TLD that doesn't have forced HSTS?

Posted

Question owner

jscher2000 said

Hi Alex, your last screenshot showed use of a .dev domain. Can you use a different TLD that doesn't have forced HSTS?

Hi. Sure, I can use another domain for my home projects. Unfortunately I can't rename our legacy projects at the company where I work.

Posted

Question owner

Hello everyone again! I'm still pretty sure that this is a bug. Why do I think so? OK, take a look at the screenshots. I've added two records to the hosts file. Both of them point to the local server. But when I try to open even the ".com" local domain, it allows me to add an exception. So I'm still confused: why did Mozilla decide to remove the "Exception" button for only .dev domains?

Thanks in advance.

philipp
  • Top 25 Contributor
  • Moderator
5348 solutions 23619 answers
Posted

HSTS sites aren't supposed to provide a way to add an exception: https://tools.ietf.org/html/rfc6797#section-12.1

Posted

Question owner

philipp said

HSTS sites aren't supposed to provide a way to add an exception: https://tools.ietf.org/html/rfc6797#section-12.1

I'm sorry. Did you see the screenshots? I can still add an exception with another domain (for example, in the screenshot with ".com") but cannot do this with ".dev".

Thus I'm sure that something is going wrong. Maybe the "add exception" button shouldn't appear at all? But it does on the local ".com".

philipp
  • Top 25 Contributor
  • Moderator
5348 solutions 23619 answers
Posted

the "add an exception" button shouldn't appear on domains making use of HSTS.

the .dev top-level domain belongs to google. they have recently introduced HSTS there and this made its way into the preloaded lists of HSTS sites that browsers ship with out of the box.

there is no such thing for a random .com domain...

Posted

Question owner

First of all, thank you for helping me with this issue. I assure you that I completely understand why there is no "Add Exception" button on sites with HSTS.

But I think that Firefox shouldn't show this warning when I'm using local environment. I think Firefox should detect address of website to apply this policy.

Thanks!

jscher2000
  • Top 10 Contributor
8960 solutions 73412 answers
Posted

Chosen solution

Hi Alex, perhaps you missed this in one of the articles linked earlier in this thread, but the .dev top level domain is owned by Google now (IANA delegation record: https://www.iana.org/domains/root/db/dev.html). Google wants browsers to use HSTS for .dev sites, and Microsoft and Mozilla are following Google's lead in forcing HSTS for any .dev domain by preloading .dev as one of the many domains site owners have requested to force HSTS.

While you cannot selectively load only part of that list, it appears you can instruct Firefox not to load it at all. Here's how:

It's not recommended because HSTS preloading provides a layer of protection against forged websites. But if you can't change your internal site's TLD immediately, it's an option.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste prelo and pause while the list is filtered

(3) Double-click the network.stricttransportsecurity.preloadlist preference to switch the value from true to false

You might need to exit/restart Firefox to see an effect.

Does that work for you?

Alex said

I think that Firefox shouldn't show this warning when I'm using local environment. I think Firefox should detect address of website to apply this policy.

You could code that submit a bug for it. https://bugzilla.mozilla.org/
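
A simplified model of the behaviour described in this thread (an added example, not part of any post and not Firefox's own code): a host counts as HSTS if it or a parent domain matches the preload list or a previously stored header, and in that case the certificate exception is not offered. The one-entry list, the class and function names and the host names are constructed for illustration.

```javascript
// Added example: simplified model of the HSTS checks discussed in this thread.
// All names and the one-entry list are constructed; this is not Firefox code.
const PRELOAD_LIST = new Map([["dev", { includeSubDomains: true }]]);

// Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).
function parseHstsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(";")) {
    const [name, arg = ""] = raw.split("=", 2).map((s) => s.trim());
    if (name.toLowerCase() === "max-age") {
      const digits = arg.replace(/^"(.*)"$/, "$1");
      if (!/^\d+$/.test(digits)) return null; // malformed max-age: ignore header
      maxAge = Number(digits);
    } else if (name.toLowerCase() === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  // usePreloadList models the network.stricttransportsecurity.preloadlist pref.
  constructor({ usePreloadList = true } = {}) {
    this.usePreloadList = usePreloadList;
    this.dynamic = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record a header; per RFC 6797 section 8.1 a browser only does this for a
  // response received over a connection with no certificate errors.
  noteHeader(host, headerValue, now = Date.now()) {
    const policy = parseHstsHeader(headerValue);
    if (!policy) return;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) {
      this.dynamic.delete(key); // max-age=0 removes the stored policy
    } else {
      const expires = now + policy.maxAge * 1000;
      this.dynamic.set(key, { expires, includeSubDomains: policy.includeSubDomains });
    }
  }

  // Returns "preload", "dynamic" or null, checking the host and each parent.
  hstsSource(host, now = Date.now()) {
    const labels = host.toLowerCase().replace(/\.$/, "").split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const exact = i === 0;
      const pre = this.usePreloadList ? PRELOAD_LIST.get(candidate) : undefined;
      if (pre && (exact || pre.includeSubDomains)) return "preload";
      const dyn = this.dynamic.get(candidate);
      if (dyn && dyn.expires > now && (exact || dyn.includeSubDomains)) return "dynamic";
    }
    return null;
  }

  // RFC 6797 section 12.1: no click-through on certificate errors for HSTS hosts.
  canAddException(host, now = Date.now()) {
    return this.hstsSource(host, now) === null;
  }
}

const store = new HstsStore();
console.log(store.canAddException("someproject.dev")); // host under the preloaded TLD
console.log(store.canAddException("somename.com")); // host with no HSTS entry
```

Because a header is only stored after an error-free connection, a local server with an untrusted certificate cannot put its own host into the dynamic set; the preload list is the only path that applies before any successful visit.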

Posted

Question owner

Thank you so much! This is the flag I've been searching for! And OK, I'll report a suggestion about environment detection for HSTS.
