starred/mkcert
1
0
Fork 0
mirror of https://github.com/FiloSottile/mkcert.git synced 2026-04-25 05:26:03 +03:00
Code Issues 165 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #6] Firefox Support? #2

New issue
Closed
opened 2026-02-25 22:32:21 +03:00 by kerem · 7 comments
kerem commented 2026-02-25 22:32:21 +03:00
Owner
Copy link

Originally created by @troyxmccall on GitHub (Jun 27, 2018).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/6

This works flawlessly with Chrome, Safari, & Opera - so thank you for that.

Firefox doesn't seem to trust the issuer - I can add an exception to Firefox as a workaround (which I've done in the past for local cert authorities)

test.vm uses an invalid security certificate. 
The certificate is not trusted because the issuer certificate is unknown. 
The server might not be sending the appropriate intermediate certificates. 
An additional root certificate may need to be imported. 
Error code: SEC_ERROR_UNKNOWN_ISSUER


Peer’s Certificate issuer is not recognized. 
HTTP Strict Transport Security: false 
HTTP Public Key Pinning: false

would be happy to supply more details if needed,

rootCA is installed on my host machine (OSX) and is in a NFS mounted folder shared with a vagrant Centos7/Apache 2.4.6 box

Originally created by @troyxmccall on GitHub (Jun 27, 2018). Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/6 This works flawlessly with Chrome, Safari, & Opera - so thank you for that. Firefox doesn't seem to trust the issuer - I can add an exception to Firefox as a workaround (which I've done in the past for local cert authorities) ``` test.vm uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: false ``` would be happy to supply more details if needed, rootCA is installed on my host machine (OSX) and is in a NFS mounted folder shared with a vagrant Centos7/Apache 2.4.6 box
kerem closed this issue 2026-02-25 22:32:21 +03:00
kerem commented 2026-02-25 22:32:21 +03:00
Author
Owner
Copy link

@troyxmccall commented on GitHub (Jun 27, 2018):

update: I manually installed the rootCA in firefox through firefox's cert manager

screenshot 2018-06-27 11 52 52

Prefences -> Privacy & Security -> Certificates -> View Certificates -> Authorities (Tab) -> Import

and that works, not sure if that can be automated.

<!-- gh-comment-id:400728536 --> @troyxmccall commented on GitHub (Jun 27, 2018): update: I manually installed the rootCA in firefox through firefox's cert manager ![screenshot 2018-06-27 11 52 52](https://user-images.githubusercontent.com/129784/41985238-bf6327ba-7a00-11e8-993a-0c506f03a48e.png) Prefences -> Privacy & Security -> Certificates -> View Certificates -> Authorities (Tab) -> Import and that works, not sure if that can be automated.
kerem commented 2026-02-25 22:32:21 +03:00
Author
Owner
Copy link

@adamdecaf commented on GitHub (Jun 27, 2018):

This will need done with certutil from NSS. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil

An aside: I've been [slowly] working on a tool to add/list/delete certificates across platforms/apps, but doing this for NSS is petty simple.

https://github.com/adamdecaf/cert-manage/blob/master/pkg/store/nss.go#L359-L383

Edit: That code is setup for cert8.db formats, but firefox has switched to cert9.db. The bash command works fine, but you need to discover the cert9.db directories a bit differently.

@FiloSottile how interested are you in a library to better handle cert CRUD operations?

<!-- gh-comment-id:400734014 --> @adamdecaf commented on GitHub (Jun 27, 2018): This will need done with `certutil` from NSS. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil An aside: I've been [slowly] working on a tool to add/list/delete certificates across platforms/apps, but doing this for NSS is petty simple. https://github.com/adamdecaf/cert-manage/blob/master/pkg/store/nss.go#L359-L383 Edit: That code is setup for cert8.db formats, but firefox has switched to cert9.db. The bash command works fine, but you need to discover the cert9.db directories a bit differently. @FiloSottile how interested are you in a library to better handle cert CRUD operations?
kerem commented 2026-02-25 22:32:21 +03:00
Author
Owner
Copy link

@kanlukasz commented on GitHub (Feb 21, 2020):

Hello @troyxmccall. Does your method still work in Firefox?

<!-- gh-comment-id:589548818 --> @kanlukasz commented on GitHub (Feb 21, 2020): Hello @troyxmccall. Does your method still work in Firefox?
kerem commented 2026-02-25 22:32:21 +03:00
Author
Owner
Copy link

@troyxmccall commented on GitHub (Feb 21, 2020):

@kanlukasz this has been automated per the docset (you need NSS) - macOS and Linux support only

https://github.com/FiloSottile/mkcert#macos

<!-- gh-comment-id:589739997 --> @troyxmccall commented on GitHub (Feb 21, 2020): @kanlukasz this has been automated per the docset (you need NSS) - macOS and Linux support only https://github.com/FiloSottile/mkcert#macos
kerem commented 2026-02-25 22:32:21 +03:00
Author
Owner
Copy link

@kanlukasz commented on GitHub (Feb 21, 2020):

Thanks for reply. I solved it with this https://github.com/FiloSottile/mkcert/issues/239 for Windows 😉

<!-- gh-comment-id:589745325 --> @kanlukasz commented on GitHub (Feb 21, 2020): Thanks for reply. I solved it with this https://github.com/FiloSottile/mkcert/issues/239 for Windows 😉
kerem commented 2026-02-25 22:32:21 +03:00
Author
Owner
Copy link

@DanielSiepmann commented on GitHub (May 20, 2020):

I'm wondering what I'm doing wrong.
I've installed mkcert via nix-env on Ubuntu and had it setup through custom compilation beforehand.
It generated a new files in ~/.local/share/mkcert/ and added them to the browsers.

I'm able to use wget, but Firefox and Chromium still show Error code: SEC_ERROR_UNKNOWN_ISSUER. When following the older comment, Firefox tells me: This certificate is already installed as a certificate authority.

Would be cool to become a hint what's wrong with my setup.

Older certificates (generated via custom compiled mkcert) are still valid inside of Firefox.

<!-- gh-comment-id:631383923 --> @DanielSiepmann commented on GitHub (May 20, 2020): I'm wondering what I'm doing wrong. I've installed mkcert via nix-env on Ubuntu and had it setup through custom compilation beforehand. It generated a new files in `~/.local/share/mkcert/` and added them to the browsers. I'm able to use `wget`, but Firefox and Chromium still show `Error code: SEC_ERROR_UNKNOWN_ISSUER`. When following the older comment, Firefox tells me: `This certificate is already installed as a certificate authority.` Would be cool to become a hint what's wrong with my setup. Older certificates (generated via custom compiled mkcert) are still valid inside of Firefox.
kerem commented 2026-02-25 22:32:21 +03:00
Author
Owner
Copy link

@kanlukasz commented on GitHub (May 20, 2020):

I'm wondering what I'm doing wrong.
I've installed mkcert via nix-env on Ubuntu and had it setup through custom compilation beforehand.
It generated a new files in ~/.local/share/mkcert/ and added them to the browsers.

I'm able to use wget, but Firefox and Chromium still show Error code: SEC_ERROR_UNKNOWN_ISSUER. When following the older comment, Firefox tells me: This certificate is already installed as a certificate authority.

Would be cool to become a hint what's wrong with my setup.

Older certificates (generated via custom compiled mkcert) are still valid inside of Firefox.

This issue is closed
I think you should create a new separate issue

<!-- gh-comment-id:631385737 --> @kanlukasz commented on GitHub (May 20, 2020): > > > I'm wondering what I'm doing wrong. > I've installed mkcert via nix-env on Ubuntu and had it setup through custom compilation beforehand. > It generated a new files in `~/.local/share/mkcert/` and added them to the browsers. > > I'm able to use `wget`, but Firefox and Chromium still show `Error code: SEC_ERROR_UNKNOWN_ISSUER`. When following the older comment, Firefox tells me: `This certificate is already installed as a certificate authority.` > > Would be cool to become a hint what's wrong with my setup. > > Older certificates (generated via custom compiled mkcert) are still valid inside of Firefox. This issue is closed I think you should create a new separate issue
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.0
v1.2.0
v1.1.2
v1.1.1
v1.1.0
v1.0.1
v1.0.0
v0.9.1
v0.9.0
Labels
Clear labels   
TLS stack issue

   
Windows

   
bug

   
duplicate

   
duplicate

   
enhancement

   
help wanted

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question

   
root store

   
waiting for info
No labels
TLS stack issue
Windows
bug
duplicate
duplicate
enhancement
help wanted
help wanted
pull-request
question
question
root store
waiting for info
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/mkcert#2
No description provided.