Firefox certificate problem, relating to HSTS

Hello

I had YunoHost 2.4 working properly on my VPS but I decided to do a clean install again the other day. I used a fresh, updated Debian and ran the install script. Everything went OK as far as I could tell, only now I can’t access my domain in Firefox. Before, I could add an exception to make Firefox accept the self-signed certificate, but now Firefox tells me that

“This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.”

and

“[my domain] uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER”

When I look at the certificate in Firefox, it says

“Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: true HTTP Public Key Pinning: false”

and it shows a certificate chain with two certificates, one after the other (two sets of begin and end markers). I don’t know if this part is relevant but it looked odd to my untrained eyes.

I’ve searched for a fix but have had no luck. I tried removing all relevant certificates in Firefox settings, and I tried deleting secmod.db and cert8.db from my profile folder, but neither made a difference. Interestingly, I can access my server through its IP address, just not the domain.

I can still access my domain through other browsers like Chrome/Vivaldi but it would be nice if Firefox would let me in too. Does anyone have any ideas on where to start troubleshooting this problem?

Thanks

Edit: I should add that before reinstalling on my VPS I was messing around with a local VM instance and I registered a similar domain at nohost.me. I can’t imagine why this would affect the certificate for my other domain but you never know…

Hi malmsey,

You should be able to add a temporary exception by using the “private window” feature of Firefox.

If you want to remove this message, you should search for how to install a “Let’s Encrypt” certificate. There are several solutions for doing that on this forum.

I am not sure why Firefox does that, but the idea is that a basic user shouldn’t be able to add an exception easily. I think the Firefox message is different if the certificate changes. In your case it changed, because when you reinstalled, a new certificate was generated.
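
Added example, not part of the thread and not Firefox's code: a small Python model of the RFC 6797 user-agent rules behind the two symptoms in the first post, where a host with a stored HSTS policy gets no certificate-exception option while an IP address, which is never stored as an HSTS host, still does. `HstsStore`, `example.org` and `203.0.113.10` are constructed for illustration.

```python
import ipaddress

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if max-age is missing/invalid."""
    max_age, include_sub = None, False
    for part in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = part.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')  # the value may be a quoted-string
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def is_ip_literal(host):
    try:
        return ipaddress.ip_address(host.strip("[]")) is not None
    except ValueError:
        return False

class HstsStore:
    def __init__(self):
        self.hosts = {}  # host name -> (expiry time, include_subdomains)
    def note(self, host, header, now):  # assumes the header came over error-free TLS
        policy, host = parse_hsts(header), host.lower().rstrip(".")
        if policy is None or is_ip_literal(host):  # IP literals never become HSTS hosts
            return
        if policy[0] == 0:
            self.hosts.pop(host, None)             # max-age=0 clears the entry
        else:
            self.hosts[host] = (now + policy[0], policy[1])
    def override_allowed(self, host, now):
        """False when a certificate error on this host must be a hard failure."""
        host = host.lower().rstrip(".")
        if is_ip_literal(host):
            return True
        labels = host.split(".")
        for i in range(len(labels)):               # exact host, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return False
        return True

def demo():  # constructed values: example.org and the documentation address 203.0.113.10
    store = HstsStore()
    store.note("example.org", "max-age=31536000; includeSubDomains", now=0)
    return [store.override_allowed(h, now=60) for h in ("example.org", "203.0.113.10")]
```

`demo()` returns `[False, True]`: the named host is locked to a hard failure until its policy expires or is cleared, and the IP address is not.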

Thanks for the reply. The auto install script for letsencrypt did not work for me so I dove into the thread for manual installation: How to: Install Let’s Encrypt certificates

It didn’t work the first time so I re-imaged my server and started over, only now I get a

"fatal: repository 'https://github.com/letsencrypt/' not found"

when I try to clone the repo. I tried the same command from a local virtual machine with a clean Debian install and I got the same thing… An SSL certificate issue with the repo perhaps? How ironic. I guess I’ll have to try again later. There’s always something!

edit: I’m real dumb and didn’t enter the full URL. Shame on me