This is a migrated thread and some comments may be shown as answers.

Firefox 41 - cannot access HTTPS sites when HTTPS decryption is enabled in Fiddler

Fiddler Classic
John asked on 28 Oct 2015, 11:13 AM

When running Fiddler with HTTPS decryption enabled, browsing to Google (and many other sites) results in a Firefox error page "This Connection is Untrusted", with the following error info:

"This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate."

The Technical details say:

"www.google.com uses an invalid security certificate. The certificate is only valid for *.google.com (Error code: ssl_error_bad_cert_domain)"

I've already imported the Fiddler root cert into Firefox's CA store. The problem has only started occurring with recent Firefox versions.

Does anyone know how to resolve this?

Thanks,

--- John.

Eric Lawrence
Telerik team
answered on 28 Oct 2015, 06:02 PM
Hello, John--

Yes, this problem is now understood. Please switch to CertEnroll to resolve this problem and avoid problems with future browsers: http://www.telerik.com/community/forums/firefox-36-0-breaks-fiddler-https-decryption

Regards,
Eric Lawrence
Telerik

John
answered on 29 Oct 2015, 06:35 PM

I tried following all the steps for the "Best Choice" workaround (several times), but the problem persisted. However, the "OK Choice" workaround (using MakeCert and disabling "Use Wildcards") seems to be working. Are there any potential problems with the "OK Choice" approach?

Thanks,

    --- John.

Eric Lawrence
Telerik team
answered on 29 Oct 2015, 08:39 PM
Hello, John--

Are you sure the error page you saw in Firefox was *exactly* the same in both cases? And that you had clicked REMOVE INTERCEPTION CERTIFICATES before restarting? And that, this being Firefox, you retrusted the new CertEnroll root certificate after restarting, reenabling decryption, and exporting it?

I use the "Best Choice" approach with Firefox 40, Firefox 41, and Firefox 44 and have not encountered any problems.

The problem with staying on the "MakeCert" provider is that the certificates it generates will soon not work in Chrome (due to the lack of SubjectAltName) and it's expected that Firefox and other clients may follow suit.

Regards,
Eric Lawrence
Telerik

John
answered on 02 Nov 2015, 02:18 PM

I finally seem to have it working after following all the steps numerous times, although I'm not sure what suddenly triggered it to start working.

In Firefox's Certificate Manager, I noticed there was a cert for "www.google.com" listed under "The USERTRUST Network" with Security Device listed as "Builtin Object Token". At some point I deleted this cert, but I've no idea whether this contributed to fixing the problem.

When I did have the problem, Firefox showed a "Secure Connection Failed" page whenever I visited google, with the text:

An error occurred during a connection to www.google.com. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature). The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

John
answered on 02 Nov 2015, 02:21 PM
I forgot to say that the cert for www.google.com that I deleted was listed under the category "Others" in Firefox's Certificate Manager.

Eric Lawrence
Telerik team
answered on 02 Nov 2015, 05:22 PM
Hi, John--

The sec_error_bad_signature message strongly suggests that the root certificate Firefox was configured to trust was not the actual root certificate that Fiddler was using. This can happen if you recreate the Fiddler root certificate, for instance. The problem arises because Firefox compares the signature on the site's certificate using the root certificate it trusts and finds that the signature doesn't match.

http://textslashplain.com/2015/10/30/reset-fiddlers-https-certificates/ explains the procedure used to fully reset Fiddler's certificates if you need to in the future.

Regards,
Eric Lawrence
Telerik
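
Added example (not part of the thread and not Fiddler's own code): the two failure modes described in the answers above, a leaf certificate without SubjectAltName and a leaf signed by a root other than the one the client trusts, reproduced with the openssl CLI. Every name, key and file is constructed; giving both roots the same subject name is an assumption made to mimic a regenerated root.

```shell
# Constructed demo: every name, key and file below is made up.
work=$(mktemp -d)

make_root() {   # make_root <name>: new self-signed root, fresh key each call
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Proxy Root" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

issue_leaf() {  # issue_leaf <root> <host> <name> [san]
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$3.key" -out "$work/$3.csr" 2>/dev/null
  if [ "${4:-}" = san ]; then
    printf 'subjectAltName=DNS:%s\n' "$2" > "$work/$3.ext"
    openssl x509 -req -in "$work/$3.csr" -days 1 -CA "$work/$1.pem" \
      -CAkey "$work/$1.key" -CAcreateserial -extfile "$work/$3.ext" \
      -out "$work/$3.pem" 2>/dev/null
  else
    openssl x509 -req -in "$work/$3.csr" -days 1 -CA "$work/$1.pem" \
      -CAkey "$work/$1.key" -CAcreateserial -out "$work/$3.pem" 2>/dev/null
  fi
}

has_san() {     # true if the certificate carries a SubjectAltName extension
  openssl x509 -in "$work/$1.pem" -noout -text |
    grep -q 'Subject Alternative Name'
}

chains_to() {   # chains_to <root> <leaf>: true if <leaf> verifies under <root>
  openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" 2>/dev/null |
    grep -q ': OK'
}

fingerprint() { # SHA-256 fingerprint of a certificate in the work directory
  openssl x509 -in "$work/$1.pem" -noout -fingerprint -sha256
}

make_root old   # root the client was told to trust
make_root new   # root in use after the proxy's certificates were recreated
issue_leaf new www.example.test leaf san
issue_leaf new www.example.test nosan

for r in old new; do
  chains_to "$r" leaf && echo "leaf verifies under $r" \
                      || echo "leaf FAILS under $r"
done
has_san nosan || echo "nosan: no SubjectAltName"
```

Comparing the `fingerprint` output of the root exported from the proxy with the root listed in the browser's certificate manager shows whether they are the same certificate, even when both carry the same name.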