4

I'm working on getting a website running on a local apache webserver and encounter errors when I click on certain links in the website. Firefox displays an "unable to connect" error page and appends a https:// to the front of the URL.

I first thought it was a browser configurations issue and have tried all of the solutions suggested here: Firefox redirects to https

and here: How do I stop Firefox from forcing https:// on local development server?

Suggestions in those links that I've tried include:

  • Clearing the cache
  • Forgetting the website
  • Using/not using private mode
  • Setting up browser.fixup.fallback-to-https to false
  • Setting network.stricttransportsecurity.preloadlist to false

I now think it's some kind of SSL certificate issue. Pressing the information button next to the URL displays a message that says connection not secure.

So, I made a certificate using `openssl req -nodes -new -x509 -keyout server.key -out server.cert` and imported it to Firefox's certificate manager.

My certificate is now visible under the Authorities tab. However, the Servers tab is still empty. When I try to add an exception it prompts me for a location. I've tried localhost, http://localhost and https://localhost, but in each case it says that it is unable to obtain identification for this website.

I would appreciate any suggestions or direction.

Thanks.

Update: 12/2/20

After further research, I still believe this is an SSL error. But I don’t believe that Firefox is causing it. I have followed a variety of tutorials such as these to no avail:

Getting Chrome to accept self-signed localhost certificate

How to create a self-signed certificate with OpenSSL

https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

https://gist.github.com/cecilemuller/9492b848eb8fe46d462abeb26656c4f8

All of which contain roughly the same pattern of using openSSL commands to generate a CA in some file location and then placing it in Keychain Access and turning permissions on.

In each case, I am unable to get Firefox to load https pages or get it to recognize identification for local host in its Certificate Manager’s Servers tab.

I have also downloaded Chrome. I believe I am correct in saying that Chrome looks to Keychain Access for localhost certification, and though my localhost certification is there and is trusted, Chrome can’t access https pages either. This persists even when I change the configuration chrome://flags/#allow-insecure-localhost to enable.

Because both browsers (and Safari too) give the same error, I think this is not a browser issue. I now think that this error has to do with apache configurations, and though the tutorial I found here: https://gist.github.com/nrollr/4daba07c67adcb30693e was not effective, I will continue to pursue this idea.

As always, any thought or insights as to the origin of this issue would be valued.

  • 1
    @Jason Holloway Thanks for your response. I neglected to mention that `openssl req -nodes -new -x509 -keyout server.key -out server.cert` prompts the user to fill out common name. But I attempted to use the command you provided. The certificate was generated successfully and accepted by Firefox’s Certificate Manager’s Authorities tab. But trying to add localhost to the Servers tab results in the same “unable to obtain identification for this website” error. As per my update, I am now beginning to wonder if it is an apache based SSL error, rather than a browser based one. – VenetianSnares Dec 02 '20 at 20:31

3 Answers

1

This might not be the only issue here, but the certificate, as well as being trusted, needs a Common Name record embedded inside it that matches the localhost domain.

Give this a go: `openssl req -nodes -new -x509 -keyout server.key -out server.cert -subj "/CN=localhost"`

Jason Holloway
  • 682
  • 5
  • 9
1

It was an apache issue after all. I believe the problem I faced was rather niche, but in the hopes of helping someone in the future, here are the steps I took to fix it:

I had to place the server.cert and server.key files into usr > local > etc > httpd. The .cert and .key files were generated using `openssl req -nodes -new -x509 -keyout server.key -out server.cert`

I had to edit httpd.conf to include:

```apache
LoadModule socache_shmcb_module lib/httpd/modules/mod_socache_shmcb.so
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
Include /usr/local/etc/httpd/extra/httpd-ssl.conf
```

I had to edit httpd-ssl.conf, which is located inside usr > local > etc > httpd > extras to listen on port 443 instead of the default 8443 and change the name of

`SSLCertificateFile "/usr/local/etc/httpd/server.crt"` to `SSLCertificateFile "/usr/local/etc/httpd/server.cert"`

After these steps, I did not have to add localhost to the list of server exceptions in Firefox’s Certificate Manager, localhost was trusted and accepted https.

0

After much similar frustration, in trying to get https://localhost/ working in Firefox without any horrible security warnings, I wanted to share that it can be done -- the steps can be somewhat arcane, and many instructions currently available are solving a different problem, out-of-date, or simply do not work.


My first attempts generated the same message you were getting. I believe this was fixed in Apache by generating a certificate with a SAN -- Subject Alt Name -- with the instructions from Let's Encrypt below.

For me, the more difficult error was the Firefox-specific: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT


There are really only 3 steps (generate the certificate, install on the server, add to the trust store of the client). The instructions below are for Apache2 and Firefox 102.5 ESR on Debian 11.

This first step will be generating the localhost self-signed certificate with a SAN:

```bash
openssl req -x509 -out localhost.crt -keyout localhost.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=localhost' -extensions EXT -config <( \
   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
```

Source: https://letsencrypt.org/docs/certificates-for-localhost/

Copy the certificate & private key under "/usr/local/share/ca-certificates" (create subdirectories for separate sites).
The symlinks in "/etc/ssl/certs/" must be refreshed with:

```bash
sudo update-ca-certificates
```

Source: https://grumpytechie.net/2020/02/25/adding-custom-root-ca-certificates-to-debian/

This next step will be installing the localhost self-signed certificate on the Apache2 server. Make sure to enable the virtual host for HTTPS in Apache. (On Debian 11, this can be done with the command `a2ensite`.) The Apache configuration file /etc/apache2/sites-available/default-ssl.conf will need to be modified, to point to the certificate & private key:

```apache
<IfModule mod_ssl.c>
   <VirtualHost _default_:443>

      [ ... ]

      # Certificate and matching private key generated in the first step
      SSLCertificateFile    /usr/local/share/ca-certificates/localhost/localhost.crt
      SSLCertificateKeyFile /usr/local/share/ca-certificates/localhost/localhost.key

      [ ... ]

   </VirtualHost>
</IfModule>
```

This next step will be installing the localhost self-signed certificate on the Firefox client.

Various errors will be encountered by trying to add the self-signed certificate through "Settings" > "Privacy & Security". In particular, when using the "Your Certificates" tab, I was unable to import because it said I did not own the corresponding private key, which seems irrelevant as the browser shouldn't have the private key, and besides both files were created and owned by my user. When using the "Authorities" tab, it simply would not import because it is self-signed. Maybe there are other ways to import anyway, maybe using a PKCS12 file, but I could not get past this part.

If you cannot get past the above errors, you may need to set up a policy file to allow certificate authorities to be trusted.

https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

Create a file "policies.json" in "/usr/share/firefox-esr/distribution/", and point it to the certificate location (not the private key):

```json
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": ["localhost.crt","/etc/ssl/certs/localhost.pem"]
    }
  }
}
```

https://github.com/mozilla/policy-templates/blob/master/README.md#certificates--install


Certificate should now be trusted by both the OS and browser.

JonathanDavidArndt
  • 2,518
  • 13
  • 37
  • 49
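The answers above point at two separate causes: a certificate that has no subjectAltName entry for localhost, and a server configured with a certificate and key file that do not belong together. The following is an added example, not part of any of the posts, that checks for both with `openssl`. It builds throwaway certificates in a temporary directory, and the function and file names (`make_cert`, `has_san`, `key_matches_cert`, `cn.crt`, `san.crt`) are constructed for illustration.

```shell
#!/bin/sh
# Added example. All certificates are throwaway files in a temp directory.
umask 077                                   # keep generated private keys owner-only

# make_cert DIR BASENAME [SAN]: self-signed cert for CN=localhost, SAN optional.
make_cert() {
    cfg="$1/$2.cnf"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=ext' '[dn]' 'CN=localhost' '[ext]' \
        'keyUsage=digitalSignature' 'extendedKeyUsage=serverAuth' > "$cfg"
    if [ -n "${3:-}" ]; then printf 'subjectAltName=%s\n' "$3" >> "$cfg"; fi
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$cfg" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# has_san CERT NAME: succeeds only if CERT carries DNS:NAME in subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

# key_matches_cert CERT KEY: succeeds only if KEY is the private key for CERT.
# Compares the public key embedded in the cert with the one derived from the key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_cert "$work" cn                        # CN only, as in the first answer
make_cert "$work" san DNS:localhost         # CN plus SAN, as in the third answer

for name in cn san; do
    if has_san "$work/$name.crt" localhost; then s=yes; else s=no; fi
    if key_matches_cert "$work/$name.crt" "$work/$name.key"; then p=ok; else p=MISMATCH; fi
    echo "$name.crt  SAN localhost: $s  key pair: $p"
done
# A key from a different certificate must be rejected (the file mix-up case).
if key_matches_cert "$work/san.crt" "$work/cn.key"; then echo "unexpected match"; fi
```

To check a real setup, call `has_san` and `key_matches_cert` on the files named by `SSLCertificateFile` and `SSLCertificateKeyFile` in the Apache configuration.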