Firefox suddenly rejecting webUI certificate

Hi all, as above, Firefox has suddenly started rejecting the SSL certificate for my IPFire WUI, as seen below:

Can someone please advise how I can rectify/bypass this? I only use Firefox on my PC.
Thanking you.

Self Signed Certificate?

@rjschilt Yes, done via the command line as per: - Generate an SSL-Certificate manually
I do need to clarify that up until now, I was able to click “Advanced” and still proceed to the website, but seems something has changed.

If you have created a new self signed certificate then it will now be different from when you first installed it so you will have to accept the change again so that it can store it and remember the new version.

1 Like

@bonnietwin No, I have not created a new self-signed certificate since installation, it it still the same one. I have edited my post above, as this just suddenly started happening.

Sorry, then I misunderstood you.

Normally you select Advanced, accept the certificate and Firefox, or other browser, then remembers that in its store. If that is now saying that something has changed it is because either the certificate exception was deleted from your browser or something has changed in the certificate.

@bonnietwin Correct, that is what I have been doing until now. I have not closed my browser in a few days however, I will do that and clear the cache and see it that helps. Be back soon to update!
EDIT: Ok, all fixed, seems the cache got a bit old.
Just out of curiosity, however, how does one resolve the error that Firefox throws:

Or is it not an error/issue one can fix?

As it is firefox you can also go to the settings page and choose the privacy and security page and then go to Certificates and select View Certificates.

That will open a certificate manager page and will show the exceptions that you have granted. You should then find your home-ipfire… line in that table with the SHA256 fingerprint listed for it.

You can always then check the sha256 fingerprint for the server file and compare that to what Firefox has stored for it.

1 Like

@bonnietwin Thank you, my reply is above, seems sorted now, to a degree.

If you are sure that the specified certificate is the one from your IPFire then you press the button Accept the Risk and Continue. Firefox then stores that sha256 fingerprint for your server certificate in the settings and will accept it in future as long as the fingerprint is the same.

1 Like

@bonnietwin Thank you, yes it is definitely from my IPfire and yes, I do click Accept and Continue, it just seems that it expires after a while. As I explained above, once I closed Firefox completely to clear the cache and went back in, it was sort of fine. It is just the error that comes up every time i go in, the “Mozilla PKIX Error CA Cert used as end entity” that I would love to get rid of, if possible.

The way to check the fingerprint and compare it with what Firefox thinks it is.

Goto your console or ssh terminal and run the command

openssl x509 -in /etc/httpd/server-ecdsa.crt -noout -sha256 -fingerprint

This will give you the sha256 fingerprint for the ecdsa certificate which will likely be what is being used. Firefox will only use the rsa key if there is no ecdsa key.

The above sha256 fingerprint should then be compare to the firefox page for your IPFire. Press the padlock icon and it will say Connection not secure. Click on that and it will have a line More Information. Click that.
Alternatively on the warning page there is also a button View the certficate. That should give you access also to the sha256 fingerprint.

You will then have a page for the web site info and on the page shown there will be a button View Certificate. Press that.

On the page then shown there will be two fingerprints. One of those is the SHA256 fingerprint and you can compare that to what you obtained with the above openssl command.

The above is the way to go if you are not sure if something has changed in the server certs to confirm that the fingerprint is still the same.

1 Like

@bonnietwin Ah OK, will do as you suggested and post back. I am just on my way out to a client, so will only be able to do this later today. Thank you for your assistance.

@bonnietwin OK, just to report back, I did as you suggested and the SHA256 fingerprints are definitely the same, so no issue there. I think I will just leave it alone for now and put up with the initial error that pops up when first opening the IPFire WUI, its not big deal. I will click on the error link, however and see if I can understand more about why I am getting it. Thank you for your assistance.

Ok, so I managed to get rid of the error “Mozilla PKIX Error CA Cert used as end entity”. What I did was as follows (please note this is ONLY for the Firefox error):
1: In openssl.cnf, comment out the two lines that read “basicConstraints=CA:FALSE”. There is one under the heading “user_cert” and one under “v3_req” and save it.
2: When creating the new certificates, there is an instruction in the wiki linked above that creates a v3.ext file in /etc/httpd and then guides one to edit it. When you edit it, you will see in there the line “basicConstraints=CA:FALSE” as well. Remove it completely and save the file.
3: now go ahead and create your server certificates as instructed by the wiki and if you then check your certificate via your web browser, you will see that the “basic constraints” field is no longer present.
Hope this assists anyone who is having the same issue as myself with Firefox.


Great tip Mark. Tx for sharing.

1 Like

@rjschilt Any time, sir, happy to contribute where I can.

1 Like

Firefox can be instructed to “ignore” some security concerns about specific website certificate

I consider this the nicer and most useful approach while managing devices that have https-enabled GUIs (like Ipfire, but not limited to) and “stop bothering” until the certificate is still the same.
When (not if) it will change… exception is no more valid.

Last but not least: while not running simultaneously (unless something changed recently, Thunderbird now allows it), Firefox can handle multiple profiles in the same user account on the system, allowing everyone to create the “device dashboard profile” that can be exported and copied to multiple systems.

Personal opinion: do not sync (automatically) your browser profile among devices: persistent and session cookies (aka tokens) in different os can be stealed and allow access to a lot of “logged in” sessions.
Once stolen… you’re cut off your services.