Why can't I add a security exception to my self signed certificate?

You used to be able to add an exception permanently to self signed certificates; now it shows me the screen and no longer accepts the exception. Makes using Firefox useless. I followed steps to add the certificate but it's beyond frustrating. Enough already. How do I fix it to accept my certificates permanently? The only useful solution that I can find so far is using another browser.

All Replies (10)

What version are you using -- Firefox 34.0.5?

Prior to Firefox 33, you could have Firefox overlook certain flaws in self-issued certificates but that code has been removed now.

If this is crucial to your work (or your happiness), you could try switching to the "extended support release" (ESR) version of Firefox. This version is designed for large businesses that need a slower rate of feature changes and is based on Firefox 31. More info: https://www.mozilla.org/firefox/organizations/

In Firefox 31, you can toggle a preference in the about:config preferences editor to revert to the older certificate checker: security.use_mozillapkix_verification (change to false)

The longer term solution is for the developers to learn more about the various problems with self-signed/self-issued/self-certified certificates that PKIX is rejecting and refine its approach. If you want to participate in those discussions, it would be useful to know more about the problem. For example, is it a router or other off-the-shelf device, or is it an internal application, etc. Here are links to the developer mailing list and an article about PKIX.

If you previously made a permanent exception for this certificate then you need to remove this exception.

  • Tools > Options > Advanced > Certificates: View Certificates

You can open this chrome URI by pasting or typing this URI in the location/address bar to open the "Add Security Exception" window and check the certificate:

  • chrome://pippki/content/exceptionDialog.xul

In the location field type/paste the URL of the website

  • retrieve the certificate via the "Get certificate" button
  • inspect the certificate via the "View..." button
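
The same inspection can be done from a shell with the OpenSSL command line, which gives a short text summary that can be pasted into a support thread. This is an added example, not part of the original replies; the host name `device.internal.example` and the generated certificate are constructed samples, and `make_sample_cert` / `cert_report` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: summarise the certificate fields a chain verifier looks at.
set -eu

# Build a throwaway self-signed certificate (constructed sample, hypothetical host).
make_sample_cert() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = device.internal.example
[ext]
basicConstraints = CA:TRUE
subjectAltName = DNS:device.internal.example
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Print one key=value line per property of the PEM certificate in $1.
cert_report() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text)
    # Self-issued: subject and issuer names hash to the same value.
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
        echo "self_issued=yes"
    else
        echo "self_issued=no"
    fi
    case $text in
        *CA:TRUE*)  echo "basic_constraints_ca=true" ;;
        *CA:FALSE*) echo "basic_constraints_ca=false" ;;
        *)          echo "basic_constraints_ca=absent" ;;
    esac
    case $text in
        *"Subject Alternative Name"*) echo "subject_alt_name=present" ;;
        *)                            echo "subject_alt_name=absent" ;;
    esac
    echo "signature_algorithm=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)"
    openssl x509 -in "$cert" -noout -enddate
    openssl x509 -in "$cert" -noout -fingerprint -sha256
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_sample_cert "$workdir"
cert_report "$workdir/cert.pem"
```

To run it against a real device certificate, save the certificate as a PEM file and call `cert_report` on that file instead of the generated sample.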

Both FF 34 and 35 fail to allow the exception. Firefox was the only software that I allowed automatic updates. I felt that the developers had the user in mind and up to this point nothing broke. PKIX was and is not ready for prime time and should not have been introduced in the production release. This and the search engine switch from Google to Yahoo without asking the user will cause it to be removed from another 50 to 100 systems. This frustration and attitude is what we expect from Apple and Microsoft not from a community supported developer.

Raising security standards for SSL certificates was done with the goal of better protecting the typical user. If you want to have Firefox modified to be more accepting of your self-signed/self-issued/self-certified certificates, please give your feedback using the links I provided earlier (enterprise list and/or developer list and/or bug tracking system) so you can get technical feedback on how to do it or when that might happen.

That's not what this does. This just conditions the user to always click on accept, because the user cannot add the permanent exception, which is safer than having to constantly add the exceptions. This doesn't raise security standards; it just becomes inconvenient for the user, who has to lower the standard. What is safer: plain text passwords over http or self signed certificates over https? There is no need to pay someone to tell me who I am and what certificate I wish to accept. Sure, having a certificate authority is more secure than self signed certificates, but it doesn't negate the fact that self signed certificates are more secure than plain text.

Hi menext, in my opinion, the typical user would rarely if ever encounter a self-signed certificate in their daily browsing.

The PKIX library does allow you to add an exception for a self-signed certificate (just like any other certificate that can't be chained up to a trusted root) under some circumstances. However, assessing the exact problem with your CA certificate is difficult without access to it. Can you provide a URL?

Unfortunately it's affecting the typical user. I have been convincing people if they valued control of their browser then they should switch to Firefox and keep the automatic updates activated. Now these same people are having issues and using IE or Chrome and they are uninstalling FF. The last 2 months I've stopped trying to convince people to use FF because every new FF release is worse than the last.

I don't know what the PKIX library allows. What I know is that FF does not allow the addition of a permanent exception on a self signed certificate. You have to confirm the exception every time you connect, which makes it less than useless. My self signed certificates are behind firewalls so I can't just provide a URL. Nor is it just my certificate; it's any self-signed certificate created with OpenSSL as instructed on their site on the creation of self signed certificates. Numerous hardware, applications like Webmin, Plesk and such. It is mentioned countless times on the forums. There are many solutions marked as solved but the solution does not apply or the problem returns, or FF removes the fix/option with the next patch.

When a certificate is not signed by a registered CA then allow the user to accept the certificate for the duration of the certificate. It's not up to FF to tell us to spend money or waste energy just because we don't want information in the hands of script kiddies.

Just look at the time we wasted on this discussion which shouldn't even be happening.

http://blog.dob.sk/2014/07/23/firefox-31-self-signed-certificate-sec_error_ca_cert_invalid/

(In other words, without knowing exactly why the cert doesn't work, I have nothing to add to the previous discussion.)

As noted from your link:

Update: As noted in comments, this should not work in Firefox 33 (or later).

Hi menext, what does not work in Firefox 33 and later is the preference introduced in Firefox 31 to disable use of the PKIX library. That preference only works in Firefox 31 and 32. (Hence the suggestion in my first reply.)