2

Yesterday, a certificate for Let's Encrypt expired, see e.g. https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/

That causes an error message in older versions of Firefox (44 or older) to display an error message when a site is called which uses a certificate purchased from Letsecrypt:

Your connection is not secure The owner of valid-isrgrootx1.letsencrypt.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website. This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Updating FF is NOT an option. Opening the website with a different browser works, but in contrast to the description in the article linked above does not lead to FF loading the site correctly.

Are there any tricks to get FF working with the new Letsencrypt certificate?

Bernhard Hiller
  • 141

1 Answers1

2

It should be enough to install the stand-alone ISRG Root X1 certificate (as opposed to the cross-signed version). Your version of Firefox supports multiple validation paths and will recognize that this is the same X1 in both cases. (Same situation as this post, for example.)

Use another browser to download the "Self-signed" ISRG Root X1 from letsencrypt.org, then go to Options → Advanced → Certificates → View Certificates → Authorities. Click "Import", select the downloaded .der or .pem file, and mark it as trusted for verifying websites.

(Alternatively, use the 'certutil' tool that comes with NSS; see certutil -H -A.)

This isn't guaranteed to work with all Firefox and Mozilla versions ever released (in particular Firefox 31 got a brand new "mozilla::pkix" certificate validation module), but in my testing, even Firefox 24.7 accepts the installed ISRG root for websites that still send the DST cross-signed one. (Older versions don't even support TLS 1.2, so I did not test further.)

grawity
  • 501,077