Is there a way to make Firefox ignore invalid ssl-certificates?
H

10

129

I am maintaining a few web applications. The development and qa environments use invalid/outdated ssl-certificates.

Although it is generally a good thing that Firefox makes me click like a dozen times to accept the certificate, this is pretty annoying.

Is there a configuration-parameter to make Firefox (and possibly IE too) accept any ssl-certificate?

EDIT: I have accepted the solution that worked. But thanks to all the people who have advised using self-signed certificates. I am totally aware that the accepted solution leaves me with a gaping security hole. Nonetheless I am too lazy to change the certificate for all the applications and all the environments...

But I also strongly advise anybody to leave validation enabled!

Homomorphism answered 21/8, 2008 at 14:31 Comment(2)
I will point out that this question applies to web servers that have valid certificates for their domains, but can only (at some given time) be reached via IP address. Being able to visit https://123.45.67.89/ without clicking 4 extra times is a great blessing to me. - Propensity
I use Firefox and couldn't find a solution but as of 07.07.2023 chrome.exe --ignore-certificate-errors works as a workaround for expired certs (I know that is not Firefox) - Insistence
C
26

Go to Tools > Options > Advanced "Tab"(?) > Encryption Tab

Click the "Validation" button, and uncheck the checkbox for checking validity

Be advised though that this is pretty unsecure as it leaves you wide open to accept any invalid certificate. I'd only do this if using the browser on an Intranet where the validity of the cert isn't a concern to you, or you aren't concerned in general.

Charmainecharmane answered 21/8, 2008 at 14:37 Comment(10)
I'm confused: I can't find that option on FF2 or FF3. There is only an option to switch the use of OCSP. In what version of FF did you see what you describe? - Miliaria
@Miliaria OCSP is how certificates are checked. Switching the use of this will turn on or off the check for certificates depending on what you prefer. - Charmainecharmane
This seems like a Very Bad Idea. - Pregnancy
@Greg, I agree. I would definitely recommend your solution over mine as the correct practice. - Charmainecharmane
OCSP is how certificate revocation is checked, not how certificates are checked. - Cosh
Is this option set permanently in the profiles? Is there any documentation for it? I need to set it programmatically. - Zildjian
@Zildjian I really hope it's not able to be changed programmatically. Certificate checks should not be able to get disabled automatically as it's a huge security vulnerability. - Charmainecharmane
Well I really hope they can. I need to program the browser to do automated scraping. Security by obscurity is not security anyway. - Zildjian
Is there a solution for the latest Firefox (44 and above)? Thank you. - Yokoyokohama
@Drazick The option is now a checkbox under Preferences -> Advanced -> Certificates, it's labeled "Query OCSP responder servers to confirm the current validity of certificates" - Engedus
M
83

Try Add Exception: FireFox -> Tools -> Advanced -> View Certificates -> Servers -> Add Exception.

Montane answered 11/1, 2010 at 16:53 Comment(7)
Can't add exception when "HTTP Strict Transport Security (HSTS)" is specified, so answer won't always work. - Mansoor
I'm getting "This site provides a valid, verified identification. There is no need for an exception" for the SAME site that gives me this error: "SSL Certificate Hostname Mismatch ssl_domain_invalid" - Pareu
+1 for much better answer, accepted answer is incredibly insecure. I encounter this often using self-signed certificates for local development and it's much better to add exceptions on a case-by-case basis. Related Q/A on Mozilla's support forum: support.mozilla.org/en-US/questions/1055526 - Sobriety
Just for fun, here is a little shortcut to get to the same screen that @Montane points you to: "chrome://pippki/content/exceptionDialog.xul" Just paste that into Firefox's address field. For reference, I found that here: support.mozilla.org/en-US/questions/1094104 - Laodicean
There is no such option Advanced at Tools - Rumpus
"There is no such option Advanced at Tools" I don't even have a "Tools". Perhaps there was in 2010 when this answer was authored. - Samathasamau
On some platforms Tools is called Preferences or Settings. As of 2023, go into the user settings, find Privacy and Security, then scroll down until you see the View Certificates button. Click that and you will see the Add Exception button. - Fredela
P
39

I ran into this issue when trying to get to one of my company's intranet sites. Here is the solution I used:

  1. enter about:config into the Firefox address bar and agree to continue.
  2. search for the preference named security.ssl.enable_ocsp_stapling.
  3. double-click this item to change its value to false.

This will lower your security as you will be able to view sites with invalid certs. Firefox will still prompt you that the cert is invalid and you have the choice to proceed forward, so it was worth the risk for me.

Potemkin answered 24/8, 2015 at 17:56 Comment(4)
THIS is the real correct answer. When you are on a public WLAN which redirects to a registration page and all you have is Firefox, then you KNOW the page is not google.com/ncr and want to be given the possibility to temporarily accept the ISP's wrong certificate, without configuring a permanent exception in the certificates configuration. Then you uncheck the "Permanently store this exception" checkbox and off you go. - Annettannetta
Not working for me in Firefox 53.0 for Mac. Probably because they change entirely how this browser works every few weeks. - Zephan
I am trying to use https on localhost for development. I tried this but it didn't work. Screenshot - i.imgur.com/1LVqLQw.png - Distaff
@AlainPannetier I am not a computer security expert but I don't find this a valid use case to accept an invalid certificate. If you are redirected to the original URL after passing the WLAN welcome page, you could still be using the invalid certificate and therefore unarmed for a MITM attack. A much better solution is to open a webpage that does not require a certificate, e.g. neverssl.com. - Arezzo
O
15

In the current Firefox browser (v. 99.0.1) I was getting this error when looking at Web Developer Tools \ Network tab:

MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT


I was trying to debug an Angular app which is served at https://localhost:4200... however the real port it's pointing to and being debugged from in Visual Studio 2022 is 44322.

I had to follow these steps to fix the issue:

  1. Open Firefox Settings;

  2. Look for Privacy & Security tab on the left;

  3. Scroll down to the bottom and look for Certificates;

  4. View Certificates;

  5. In this window you must click Add Exception and enter the location. In my case it was:

    https://localhost:44322

  6. Click Get Certificate button;

  7. Click Confirm Security Exception button.

After that, try reloading your page.


Orvilleorwell answered 16/4, 2022 at 1:22 Comment(2)
This answer gets my vote. However, there may be times when the certificate cannot be imported using Settings, and a policies.json may need to be created: https://mcmap.net/q/35970/-how-to-get-ssl-certificate-to-work-with-localhost-on-firefox - Red
Does not (always) work. everspin.com, www.everspin.com, currently has a revoked link in its chain, and FF does not offer any option to proceed anyway. Trying to follow this recipe, FF says "This site provides valid, verified identification. There is no need to add an exception." and the confirm button is unclickable. Yeah ok, so now what? I'm just trying to download a datasheet for a chip. I will risk some government feeding me a modified data sheet with the wrong pinout. FFS FF! - Samathasamau
C
3

Using a free certificate is a better idea if your developers use Firefox 3. Firefox 3 complains loudly about self-signed certificates, and it is a major annoyance.

Comestible answered 21/8, 2008 at 14:37 Comment(0)
H
2

Create some nice new 10 year certificates and install them. The procedure is fairly easy.

Start at (1B) Generate your own CA (Certificate Authority) on this web page: Creating Certificate Authorities and self-signed SSL certificates and generate your CA Certificate and Key. Once you have these, generate your Server Certificate and Key. Create a Certificate Signing Request (CSR) and then sign the Server Key with the CA Certificate. Now install your Server Certificate and Key on the web server as usual, and import the CA Certificate into Internet Explorer's Trusted Root Certification Authority Store (used by the Flex uploader and Chrome as well) and into Firefox's Certificate Manager Authorities Store on each workstation that needs to access the server using the self-signed, CA-signed server key/certificate pair.

You now should not see any warning about using self-signed Certificates as the browsers will find the CA certificate in the Trust Store and verify the server key has been signed by this trusted certificate. Also in e-commerce applications like Magento, the Flex image uploader will now function in Firefox without the dreaded "Self-signed certificate" error message.

Halley answered 11/5, 2012 at 5:43 Comment(0)
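The CA-based procedure in this answer, together with the policies.json route mentioned in a comment on an earlier answer, as an added example that is not part of the original posts. The host name dev.example.test, the file names, key sizes and lifetimes are assumptions, and the script needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original answer. Host names, lifetimes and file
# names are constructed placeholders. Requires the openssl CLI.
set -eu

# make_dev_pki DIR HOST: private CA plus a server certificate signed by it.
make_dev_pki() {
  cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2, DNS:localhost, IP:127.0.0.1
EOF
  # 1. CA key and self-signed CA certificate (10 years, as in the answer)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=Dev Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  # 2. Server key and certificate signing request
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  # 3. The CA signs the CSR; browsers match the SAN list, not the CN
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/pki.cnf" \
    -extensions v3_srv -out "$1/server.crt" 2>/dev/null
  chmod 600 "$1/ca.key" "$1/server.key"
}

# check_dev_cert DIR HOST: succeeds only if server.crt chains to ca.crt and
# its SAN list covers HOST, roughly the same checks the browser performs.
check_dev_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
    "$1/server.crt" >/dev/null 2>&1
}

# write_firefox_policy DIR: policies.json that installs the CA certificate
# (goes in the "distribution" folder of the Firefox installation).
write_firefox_policy() {
  printf '{"policies":{"Certificates":{"Install":["%s/ca.crt"]}}}\n' "$1" \
    > "$1/policies.json"
}
```

Only ca.crt is distributed to workstations; ca.key stays on the machine that issues certificates, since anyone holding it can mint certificates those browsers will trust.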
K
1

Instead of using invalid/outdated SSL certificates, why not use self-signed SSL certificates? Then you can add an exception in Firefox for just that site.

Kherson answered 21/8, 2008 at 14:35 Comment(0)
K
1

If you have a valid but untrusted SSL certificate you can import it in Extras/Properties/Advanced/Encryption --> View Certificates. After importing it as "Servers" you have to "Edit trust" to "Trust the authenticity of this certificate" and that's it. I always have trouble with recording secure websites with HP VuGen and Performance Center

Kelantan answered 5/6, 2013 at 11:37 Comment(0)
C
0

For a secure alternative, try the Perspectives Firefox add-on

If this link doesn't work try this one: https://addons.mozilla.org/en-US/firefox/addon/perspectives/

Chickenlivered answered 16/9, 2008 at 10:59 Comment(2)
Unfortunately this is not available for FF v57 and above. - Ellenaellender
Answer is outdated - Creamy
B
-1

The MitM Me addon will do this - but I think self-signed certificates is probably a better solution.

Bethesde answered 21/8, 2008 at 14:37 Comment(1)
Error: "This add-on has been disabled by an administrator." on the Mozilla Addons site. - Ellenaellender
