Netgate Discussion Forum

    Error with HTTP Strict Transport Security (HSTS)

    Cache/Proxy
    5 Posts 2 Posters 1.6k Views
    • Michele Trotta

      Hello guys,
      I have configured pfSense / Squid with certificates and it works fine.

      Since yesterday and in particular "only one site" I have this error on the certificate

      "www.sito.com uses a security policy called HTTP Strict Transport Security (HSTS). This means that Firefox can only connect securely and it is not possible to add an exception to visit this site."

      [image attachment: screenshot]

      and more specifically

      [image attachment: screenshot]

      The pfsense certificate has been distributed online and has been running for about 1 year.

      Has anyone encountered the same problem?

      Greetings

      Michele

      • Gertjan @Michele Trotta

        @michele-trotta said in Error with HTTP Strict Transport Security (HSTS):

        Has anyone encountered the same problem?

        Noop.
        You've hidden the site's name, so how can I/we test?

        If the site's administrator used a certificate authority that has fallen into disgrace, then browsers quickly will remove their root certs from their internal "trusted list". All certificates signed (created) with this root certificate will become not trusted.
        And worse: getting a new certificate from another certificate authority and putting that in place wouldn't help much, as the, now retired, certificate info, according to HSTS rules, will get stored deep down in the browser's HSTS cache.
        I guess the site's admin has to go through the certificate revocation procedure.

        And we all take note: before asking for that HSTS flag to be set on a certificate, better be sure all the downside aspects are understood 😊

        It's nice to have all green marks everywhere (this is an example of one of my own 'dummy/fool-around' sites), but when things go downhill, the slope gets steep.

        Btw: maybe I should lower this a bit:

        [image attachment: screenshot]

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs?

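As an added illustration of the browser behaviour discussed in this thread (not code from the original post or from pfSense/Squid): HSTS is a per-host policy that a browser learns from the `Strict-Transport-Security` response header (RFC 6797) and keeps for `max-age` seconds; while the policy is cached, any certificate the browser does not trust for that host, including one issued by a local proxy CA, is a hard failure with no "add exception" option. The parser below follows the RFC's directive rules (`max-age` required, no duplicate directives, unknown directives ignored) and the coverage check shows how `includeSubDomains` extends a policy cached for one host to its subdomains; the header values and hostnames in the test are constructed samples.

```python
"""Parse a Strict-Transport-Security header (RFC 6797) and decide
whether a policy learned from one host also covers another host."""
import re

# directive-name [ "=" ( token | quoted-string ) ], case-insensitive name
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s";]*)))?\s*$')


def parse_hsts(header: str):
    """Return {'max_age': int, 'include_subdomains': bool, 'preload': bool},
    or None when the header is invalid and a browser would ignore it."""
    seen = set()
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:  # RFC 6797 6.1: a directive must not appear twice
            return None
        seen.add(name)
        if name == "max-age":
            if value is None or not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, as the RFC requires
    if policy["max_age"] is None:  # max-age is mandatory
        return None
    return policy


def hsts_covers(policy, known_host: str, target_host: str) -> bool:
    """True if a policy cached for known_host forces strict TLS handling
    (no click-through on certificate errors) for target_host."""
    if policy is None or policy["max_age"] == 0:  # max-age=0 clears the policy
        return False
    known = known_host.lower().rstrip(".")
    target = target_host.lower().rstrip(".")
    if known == target:
        return True
    return policy["include_subdomains"] and target.endswith("." + known)
```

A policy with `includeSubDomains` cached for a parent domain is why excluding only one hostname from interception on the proxy may not be enough; every covered subdomain needs the same treatment.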
        • Michele Trotta

          @gertjan said in Error with HTTP Strict Transport Security (HSTS):

          It's nice to have all green marks everywhere (this is an example of one of my own 'dummy/fool-around' sites), but when things go downhill, the slope gets steep.
          Btw: maybe I should lower this a bit:

          Hi gertjan,

          thanks for the quick response!!!
          the external site is www.arcafondi.it

          Greetings

          Michele

          • Michele Trotta @Michele Trotta

            Hi gertjan,

            now the site is reachable with pfsense without errors and most likely the administrator has changed the certificates correctly.

            Thanks for the explanation!

            Michele

            • Michele Trotta

              Hi guys,

              since this morning I have the exact same problem with another site https://www.regione.lombardia.it

              To temporarily solve the problem, I added the site to the ACL whitelist of the Squid proxy server.

              I wanted to understand what actions to take and if I can improve my setup.
              @Gertjan can I lower the parameter you highlighted after that?

              Thanks again and good job

              Michele

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.