this post was submitted on 14 Sep 2024
49 points (91.5% liked)

Firefox

20357 readers
66 users here now

/c/firefox

A place to discuss the news and latest developments on the open-source browser Firefox.

Rules

1. Adhere to the instance rules

2. Be kind to one another

3. Communicate in a civil manner

Reporting

If you would like to bring an issue to the moderators attention, please use the "Create Report" feature on the offending comment or post and it will be reviewed as time allows.

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
golden_zealot@lemmy.ml
49
On .LAN domains, how to stop firefox switching to https (when it's not available) and stop complaining about self-signed certificates when it is available ? (lemmy.ml)
submitted 10 months ago* (last edited 10 months ago) by interdimensionalmeme@lemmy.ml to c/firefox@lemmy.ml
22 comments fedilink hide all child comments
 

I'm just so annoyed of fighting this all the time.

If I can't figure this out I'm going to disable all https redirecting and all certificate errors off so I can have some peace

EDIT: I do not wish to manage certificates I do not want to setup private key infrastructure I don't want to use real internet domain names I don't want to manually install certificates into browsers after fishing them out of my ephemeral virtual machines

I just want to, add exception for *.lan for https auto redirect and auto-accept self-signed certificates as valid. This is not much to ask.

you are viewing a single comment's thread
view the rest of the comments
[–] cmnybo@discuss.tchncs.de 21 points 10 months ago (2 children)

You can get rid of the certificate errors by adding your CA to Firefox. Just make sure you keep the private key secure.

Set browser.fixup.fallback-to-https to false to stop Firefox from trying https if http doesn't work.

[–] pupbiru@aussie.zone 3 points 10 months ago

worth repeating the KEEP YOUR PRIVATE KEY SECURE part if you’re trusting a root - if you trust a root, it may be able to issue a TRUSTED cert for other domains - mybank.com, etc and leave you open to attack

[–] sugar_in_your_tea@sh.itjust.works 2 points 10 months ago

But honestly, you shouldn't need to do this, you can just use LetsEncrypt to get a real cert. Here's what I do:

  1. route external traffic to your devices - I use a VPS w/ a VPN because I'm behind CGNAT, but if you have a publicly routable address, you can probably just use your router
  2. configure LetsEncrypt for your services
  3. configure the DNS your router provides to swap the public IP (i.e. the one for your VPS if you have it) to your LAN address, and have all of your devices use that DNS name

Boom, you get all the benefits of a proper TLS setup, along with all of the benefits of local traffic. You can even turn off external access to the services between cert renewals.