On .LAN domains, how to stop firefox switching to https (when it's not available) and stop complaining about self-signed certificates when it is available ?
I'm just so annoyed of fighting this all the time.
If I can't figure this out I'm going to disable all https redirecting and all certificate errors off so I can have some peace
EDIT:
I do not wish to manage certificates
I do not want to setup private key infrastructure
I don't want to use real internet domain names
I don't want to manually install certificates into browsers after fishing them out of my ephemeral virtual machines
I just want to, add exception for *.lan for https auto redirect and auto-accept self-signed certificates as valid. This is not much to ask.
.LAN is not an official top level domain. So I assume this is either your home network or work network? In any case your problem has nothing to do with the .LAN doman.
Maybe you have "https everywhere" activated. If so, Firefox will always default to https unless you specify http in the URL. Again, unrelated to .LAN.
For the certificate: what do you mean "when available"? A self signed cert is a self signed cert. There is no "available" or not. You can import the certificate into the Firefox trust store so Firefox will trust that one specific cert but any other self signed cert will cause an error. That is expected and save behaviour (and unrelated to .LAN).
worth repeating the KEEP YOUR PRIVATE KEY SECURE part if you’re trusting a root - if you trust a root, it may be able to issue a TRUSTED cert for other domains - mybank.com, etc and leave you open to attack
But honestly, you shouldn't need to do this, you can just use LetsEncrypt to get a real cert. Here's what I do:
route external traffic to your devices - I use a VPS w/ a VPN because I'm behind CGNAT, but if you have a publicly routable address, you can probably just use your router
configure LetsEncrypt for your services
configure the DNS your router provides to swap the public IP (i.e. the one for your VPS if you have it) to your LAN address, and have all of your devices use that DNS name
Boom, you get all the benefits of a proper TLS setup, along with all of the benefits of local traffic. You can even turn off external access to the services between cert renewals.
IMO it's easiest to just use a real domain for your local network. For example, I use subdomains of int.example.com, where example.com is my blog.
Then, you can get Let's Encrypt or ZeroSSL certificates for all the hosts. Systems do not need to be accessible over the internet - you can use an ACME DNS challenge instead of a HTTP one. Use something like certbot or acme.sh and renewals will be automated.
The only cost is for one domain, and some TLDs are less than $5/year. Check tld-list.com and sort by renewal price, not registration price (as some are only cheap for the first year).
I use a wildcard cert in some places, but most of them are individual certs. You can have multiple ACME DNS challenges on a single domain, for example _acme-challenge.first.int.example.com and _acme-challenge.second.int.example.com for first.int.example.com and second.int.example.com respectively.
The DNS challenge just makes you create a TXT record at that _acme-challenge subdomain. Let's Encrypt follows CNAMES and supports IPv6-only DNS servers, so I'm using some software called "acme-dns" to run a DNS server specifically for ACME DNS challenges. It's just listening on a IPv6 in one of my VPS /64 IPv6 range.
This is the way to do it - actual valid certs, with actual working TLS.
OP's issue is they don't understand how SSL works and fighting Firefox, which is actually trying to protect them and steer they e in the right direction.
Pretty sure there's not a per-domain setting for that. If you have HTTPS-Only Mode turned on in the settings it will always try to use HTTPS first and present a warning before switching to HTTP.
If you want to continue using HTTPS you can setup your own CA certificate to sign certificates for your .LAN domain names. All you need to do then is add the CA certificate to your trusted certificates in Firefox and the signed certificate to the device hosting the HTTPS service.
I don't think you should disable self signed warnings. It would be better to import those than disabling the warning as it is a very important warning.
As for disabling https only mode for certain URLs, I don't know, and it would be a useful feature. Some of my corporate stuff oddly redirects to HTTPS but just gives a blank screen rather than a connection refused or something. Not sure what it is. Probably something is misconfigured somewhere but it's not something in my control. I didn't have time to really inspect it so I just disabled the https only mode for my work laptop.
Install the cert using settings->privacy->certs. Use server option to download and install the cert
For https/hrtp as default either ask google for sertings for prefered protocol, type :80 behind address or specify protocol. I believe they changed it to default to https if none is specified a while back