We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Wannan tattunawa ta zama daɗaɗɗiya. Yi sabuwar tambaya idan ka na bukatar taimako.

Firefox refuses connection to my own server because of cert pinning

  • 3 amsoshi
  • 4 sa na da wannan matsala
  • 1 view
  • Amsa ta ƙarshe daga cor-el

more options

I am running a web server. In order to make use of ssl, I created my own certificate authority and issued a certificate for my website. I installed the root certificate of my authority in Firefox and trusted it to identify websites. This used to work perfectly, but now I get the following error:

An error occurred during a connection to dark.gollum.cat. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)

A bit of research indicates that this is related to certificate pinning. While I understand that certificate pinning is a good thing, how can I do to visit my website with Firefox? I miss a way to add an exception of some sort. How do I tell Firefox that I KNOW the certificate I'm receiving is trusted because I created the certificate myself?

For instance, Chrome does give me an error too (by the way, significantly more descriptive and useful than the one Firefox gives), but allows me to bypass it and visit the website anyway.

Thanks for the help.

I am running a web server. In order to make use of ssl, I created my own certificate authority and issued a certificate for my website. I installed the root certificate of my authority in Firefox and trusted it to identify websites. This used to work perfectly, but now I get the following error: An error occurred during a connection to dark.gollum.cat. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der) A bit of research indicates that this is related to certificate pinning. While I understand that certificate pinning is a good thing, how can I do to visit my website with Firefox? I miss a way to add an exception of some sort. How do I tell Firefox that I KNOW the certificate I'm receiving is trusted because I created the certificate myself? For instance, Chrome does give me an error too (by the way, significantly more descriptive and useful than the one Firefox gives), but allows me to bypass it and visit the website anyway. Thanks for the help.

All Replies (3)

more options

See:

security.cert_pinning.enforcement_level
0. Pinning disabled
1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
2. Strict. Pinning is always enforced.
3. Enforce test mode.
more options

Thanks for your reply @cor-el.

I understand that the default setting is what I need, and I have checked in about:config that my firefox is indeed at the default enforcement level of 1. What I don't see is how am I supposed to tell firefox that my CA is user inserted. I imported the CA root certificate manually into the "autorities" section of the certificate repo, but apparently firefox does not identify it as user inserted, since it is trying to enforce pinning when I visit my website.

So, how do I tell firefox that my certificate is user inserted?

Thanks again.

more options

Best would be to ask experts, either on stackoverflow or via a news group or via IRC.

An gyara daga cor-el