How to fix Firefox 59 no longer accepting my self-signed SSL certificate on .dev virtualhost

There is an easy way around this.

  1. Go to about:config
  2. Search for "network.stricttransportsecurity.preloadlist".
  3. Set it to false.

WARNING: This will disable HSTS entirely. Take a look at the comments on this answer for some discussion about the downsides of this method. I personally think the benefit outweighs the risk, but you are responsible for your own security.


Edit 2020: We've now had a .dev TLD for multiple years. It's time to move away from using .dev as a local URL. This workaround still works, but you are robbing yourself of increased security.


I am still not entirely clear on how this all fits together exactly, but as pointed out in this answer, .dev domains are now official TLDs. As such, it seems that browsers force some kind of HSTS behavior and force https connections. For those TLDs it seems my self-signed certificate was no longer accepted in Firefox. Changing my virtual hosts to use .test solved the problem without having to change anything in my self-signed certificates at all.

It is worth noting that in Firefox my non-SSL virtual hosts have also acted up since version 59 today, because the HSTS behavior seemed to force SSL on virtual hosts I had not set up as serving via SSL. On Chrome this still used to work, but either way it's safe to say moving away from the now officially used .dev TLD will resolve many headaches.
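
The move to .test described in the answer above can be checked across a whole Apache vhost file. The following is an added example, not part of the original answers: `HSTS_PRELOADED_TLDS` is a partial list assumed for illustration, the function names are hypothetical, and `SAMPLE` is a constructed config.

```python
import re

# TLDs that are HSTS-preloaded as a whole, so browsers force HTTPS on every
# host under them. Partial list, assumed for this example; compare against
# the current preload list before relying on it.
HSTS_PRELOADED_TLDS = {"dev", "app", "page"}
# .test is reserved for testing by RFC 6761 and will never be delegated.
SAFE_TLD = "test"

VHOST_RE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+)$", re.IGNORECASE)


def hostnames(config_text):
    """Yield (line_number, hostname) for each ServerName/ServerAlias entry."""
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = VHOST_RE.match(line)  # commented-out lines do not match
        if not match:
            continue
        for name in match.group(2).split():
            # ServerName may carry a scheme and port: https://site.dev:443
            name = re.sub(r"^[a-z]+://", "", name.lower()).split(":", 1)[0]
            yield lineno, name.rstrip(".")


def audit(config_text):
    """Return (line, hostname, suggested_name) for hosts on preloaded TLDs."""
    findings = []
    for lineno, name in hostnames(config_text):
        base, _, tld = name.rpartition(".")
        if base and tld in HSTS_PRELOADED_TLDS:
            findings.append((lineno, name, f"{base}.{SAFE_TLD}"))
    return findings


# Constructed sample vhost file for the example.
SAMPLE = """\
<VirtualHost *:80>
    ServerName shop.dev
    ServerAlias www.shop.dev api.shop.test
</VirtualHost>
<VirtualHost *:443>
    ServerName https://admin.app:443
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, name, suggestion in audit(SAMPLE):
        print(f"line {lineno}: {name} is HSTS-preloaded; rename to {suggestion}")
```

Hosts renamed this way also need matching entries in the hosts file and in the certificate's subjectAltName list.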


Setting security.enterprise_roots.enabled to true on the about:config page solved this for me and allowed my self-signed certificate to work during development.

There's a bit of discussion around the merits of this being on by default here:
Set security.enterprise_roots.enabled to true by default.

Although the intent of this flag is to allow Firefox to use the machine-wide CA root store as a valid source for certificate authorities, this fixed the situation for my own use case where I have a self-signed multi-domain certificate that I use locally for testing (subjectAltNames). Even after I added the cert to the Firefox certificate list, it wasn't until I turned this on that it allowed the local site to load.