Still in firefox 45, I found this in the console on roundcube:
Public-Key-Pins: The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored.I’m not sure why as Firefox does accept Let’s Encrypt certificates otherwise…
Last modified | History | Source | Preferences
Keys are properly pinned here
Close the browser
Remove all mentions of
fripost.orgin~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt:~$ sed -i -r ‘/^(+.)?fripost.org:/d’ ~/.mozilla/firefox//SiteSecurityServiceState.txt
Start the browser (without HSTS or HPKP knowledge for
fripost.orgor any of its subdomains)Open
https://mail.fripost.org/in a new tab(After waiting a few seconds to let firefox flush the data.) The HSTS policy and the two pins appear in the file:
~$ grep -E ‘^(+.)?fripost.org:’ ~/.mozilla/firefox//SiteSecurityServiceState.txt mail.fripost.org:HSTS 0 16898 1475812232563,1,1 mail.fripost.org:HPKP 0 16898 1460047832565,1,0,SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk=/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w=
There is no warning in the log, either.
The root CA (DST Root CA X3) appear in Firefox’s CA store as a “Builtin Object Token”, while the intermediate CA (Let’s Encrypt Authority X3) is supplied by the server and automatically stored by Firefox as a “Software Security Device”.
Do you have default settings for the
security.cert_pinning.*tunables?Please also verify that you have no weird non-default tunables for
security.*.I looked into it a bit more and it seems that it’s a bug in Firefox in fedora (something to do with the nss library being different).
Sorry about the noise.