1

So, I have control over a small webserver that controls a subdomain of an intranet domain; the domain has HSTS turned on, so I can't connect to my subdomain via HTTP; I also can't use self-signed certificates and HTTPS. I've thought about using Let's Encrypt to get a proper certificate, but due to the domain being inaccessible from the internet, I can't do that either.

Is there a way to circumvent HSTS to connect to my server through a browser? (I'm trying to set up a Jupyter instance, if that matters)

1 Answer

1

Actually, this is addressed in the spec for HSTS, RFC 6797 (emphasis mine):

11.3. Using HSTS in Conjunction with Self-Signed Public-Key Certificates

If all four of the following conditions are true...

o a web site/organization/enterprise is generating its own secure transport public-key certificates for web sites, and

[...]

...then secure connections to that site will fail, per the HSTS design. This is to protect against various active attacks, as discussed above.

[...]

However, if said organization wishes to employ its own CA, and self-signed certificates, in concert with HSTS, it can do so by deploying its root CA certificate to its users' browsers or operating system CA root certificate stores. It can also, in addition or instead, distribute to its users' browsers the end-entity certificate(s) for specific hosts.

So you need to do one of these:

  • sign your self-generated certificate with a CA certificate (which you also generated), and install the CA cert into the browser (or the OS store, if the browser uses that)
  • install the self-signed certificate into the browser or OS store

How to install the certificate depends on the browser; there are multiple answers here on how to do this.

Actually, this is what you should be doing even without HSTS, as it prevents the usual certificate warnings. However, with HSTS it's actually the only way.

sleske
  • 23,525
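The first of the two routes the answer lists (your own root CA, a host certificate signed by it, the root imported into the browser or OS store), worked through as an added shell example with the openssl CLI; it is not part of sleske's answer or of any project's code. The hostname jupyter.intranet.example is a placeholder, and the browser-side import and the Jupyter `--certfile`/`--keyfile` flags are left as comments.

```shell
#!/bin/sh
# Constructed example (not from the answer above): a private root CA and a
# CA-signed certificate for one intranet host, using the openssl CLI.
# Hostname "jupyter.intranet.example" is a placeholder. Afterwards:
#   - import ca.crt into the browser (Firefox) or OS trust store (Chrome/Edge)
#   - hand server.crt/server.key to the web server
#     (for Jupyter: --certfile=server.crt --keyfile=server.key)
# ca.key never leaves the machine that issues certificates.
set -eu

make_intranet_certs() {
  host="$1"; dir="$2"
  mkdir -p "$dir"
  # Minimal req config so the script does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$dir/req.cnf"

  # 1. Root CA: key + CSR, then self-sign with explicit CA extensions
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -subj "/CN=Intranet Private Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1825 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # 2. Server key + CSR for the intranet host
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

  # 3. Issue the server cert from the CA. Browsers match the hostname against
  #    subjectAltName, not CN, so the SAN is what makes the cert usable.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# Same check a browser makes once ca.crt is in its trust store:
# the chain builds to the private root and the name appears in the SAN.
verify_as_browser_would() {
  host="$1"; dir="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host"
}
```

Without the root imported, the same certificate fails verification, which is exactly the HSTS-enforced failure the question describes; importing ca.crt (not server.crt alone) is what turns it into a trusted connection.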