Dealing with self-signed SSL certificates when running Selenium server with Firefox

Selenium is a decent tool for testing web UIs, with good integration with a variety of languages. We use it on Talis Prism for testing the UI, running a Selenium server instance then firing Ruby rspec tests and an older HTML suite at it. Here's the part of the Ant build script which runs the HTML suite using Selenium:

<target name="prism-selenium-tests" description="Run the old Prism Selenium tests">
  <echo message="Running old Selenium tests against Prism" />
  <java jar="test/dependencies/Selenium/selenium-server.jar" fork="true" maxmemory="1024m">
    <arg line="-debug -timeout 500 -htmlSuite '*chrome ${firefox.bin}' http://${prism.host} test/selenium/testSuite.html doc/seleniumResults.html" />
  </java>
</target>

where the variables we interpolate are:

${firefox.bin} = path to the Firefox binary to use
${prism.host} = HTTP host to run the tests against

This works without a hitch if you're not using HTTPS; but as soon as your tests redirect to an HTTPS URL on the same host (we serve parts of Prism over SSL), where your SSL certificate is self-signed, things go wrong. As Selenium effectively runs Firefox with a new profile every time, you potentially lose any certificate exceptions you might accept.

One technique we were using was to create a custom profile; run Firefox using that profile; browse to the HTTPS URL and accept the exception into that profile; then close the profile.

This kind of worked, but we still got odd popups from Firefox about new extensions being installed. Just annoying.

I think I've now worked out the solution, which was largely based on http://kapanka.com/2008/12/selenium-rc-firefox-and-the-self-signed-ssl-c.... It's a bit of a pain in the arse, but it does seem to work. Here goes.

  1. Close down any running Firefox instances.
  2. Start Firefox (the one you're going to run your tests with) with the profile manager: firefox -ProfileManager
  3. Create a new profile. You'll be prompted to choose a directory for the profile. Put it somewhere inside the project where you're writing the tests.
  4. Select the profile and run Firefox using it.
  5. Browse to the HTTPS URL (with self-signed certificate) you're going to be testing against.
  6. Accept the self-signed certificate when prompted. This creates an exception for it in the profile.
  7. Close the browser.
  8. Go to the Firefox profile directory.
  9. Delete everything in the directory except for the cert_override.txt and cert8.db files.
  10. When you run your Selenium server (like in my Ant example above), pass a -firefoxProfileTemplate /path/to/profile/dir argument to it. This tells Selenium to use your partial profile (with certificate exceptions) as a basis for minting its new profile. So you get the certificate exceptions, but without any of the other clutter you would get if you used a whole profile.
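
Step 9 as a script, added here as an example and not part of the original post: it prunes the profile down to the two certificate files, then checks that cert_override.txt holds an exception only for the host under test. The function names and sample host names are made up, and it assumes each entry in cert_override.txt starts with host:port as its first tab-separated field.

```bash
#!/usr/bin/env bash
# Added example: prune a profile to a certificate-only template (step 9) and
# audit which hosts it trusts before Selenium copies it into every test run.

# Delete everything in the profile except cert_override.txt and cert8.db.
# Refuses to run on a directory that holds no cert_override.txt.
prune_profile_template() {
    local dir=$1
    [ -f "$dir/cert_override.txt" ] || { echo "no cert_override.txt in $dir" >&2; return 1; }
    find "$dir" -mindepth 1 -maxdepth 1 \
        ! -name cert_override.txt ! -name cert8.db -exec rm -rf -- {} +
}

# Print the host:port (first tab-separated field) of every stored exception.
list_override_hosts() {
    awk -F'\t' '!/^#/ && NF >= 2 { print $1 }' "$1"
}

# Succeed only if the template holds an exception for the expected host:port
# and for nothing else.
check_overrides() {
    local dir=$1 expected=$2 hosts unexpected
    hosts=$(list_override_hosts "$dir/cert_override.txt")
    unexpected=$(printf '%s\n' "$hosts" | grep -vxF -- "$expected" || true)
    if [ -n "$unexpected" ]; then
        printf 'unexpected exception for: %s\n' $unexpected >&2
        return 1
    fi
    printf '%s\n' "$hosts" | grep -qxF -- "$expected"
}

# Constructed sample profile: host names, fingerprints and keys are made up.
make_sample_profile() {
    local dir=$1
    mkdir -p "$dir/extensions"
    : > "$dir/cert8.db"; : > "$dir/prefs.js"
    {
        printf '# PSM Certificate Override Settings file\n'
        printf 'prism.test.example:443\tOID.2.16.840.1.101.3.4.2.1\tAA:BB\tU\tAAAA\n'
        printf 'other.example:8443\tOID.2.16.840.1.101.3.4.2.1\tCC:DD\tU\tBBBB\n'
    } > "$dir/cert_override.txt"
}

# Usage: script.sh /path/to/profile host:port
if [ "$#" -eq 2 ]; then
    prune_profile_template "$1" && check_overrides "$1" "$2"
fi
```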

The Ant task above, with this option, looks like this:

<target name="prism-selenium-tests" description="Run the old Prism Selenium tests">
  <echo message="Running old Selenium tests against Prism" />
  <java jar="test/dependencies/Selenium/selenium-server.jar" fork="true" maxmemory="1024m">
    <arg line="-debug -timeout 500 -firefoxProfileTemplate test/firefoxProfile -htmlSuite '*chrome ${firefox.bin}' http://${prism.host} test/selenium/testSuite.html doc/seleniumResults.html" />
  </java>
</target>

Outside of Ant, the command might look something like:

java -jar test/dependencies/Selenium/selenium-server.jar -firefoxProfileTemplate /path/to/profile \
-htmlSuite '*chrome firefox-bin' http://host.com testSuite.html seleniumResults.html

Works for me.

Comments

Nice

Thanks a lot. It really worked for me. Very nice job.

Hi All,

If you are still having problems with self-signed SSL certificates in FF, check out my solution.

http://jktechtrip.wordpress.com/2011/04/14/selenium-and-self-signed-ssl-...

Hope this also works for you :)

Regards,
J

Alternative approach

Hi Elliot,

I came up with another way to do this. It's probably not any simpler, but it will handle all SSL certificates, so you won't constantly have to create new Firefox profiles. The article is at:

http://mogotest.com/blog/2010/04/13/how-to-accept-self-signed-ssl-certif...

--
Kevin

even simpler solution...

Just use a (reverse) proxy. You may use Apache for that purpose. Selenium connects via http://your.site to the proxy and the proxy connects to https://your.site.

Set up the reverse proxy on your localhost and put "127.0.0.1 your.site" into /etc/hosts and tell the reverse proxy to use the true IP instead of "your.site".

Should work in most cases...

Kevin, thanks, I'll take a look next time I come across this issue.

This really worked for me.. Thanks a lot!!!!!!!!!!

This article really helped me a lot.
I was tired of this problem for many days.
Thanks a lot!

Thanks!!!

Finally it's working! :)
But could you tell me a similar trick for IE (IE6)? Still have to accept the certificates by hand while using Selenium RC.

Sorry, not really sure about IE :)

Elliot. Thanks for the post. It's working great for me.
Thank you so mucccccch!

You're more than welcome. It was very annoying for me, too, while it was broken.

Thanks a lot for this

You're welcome.

Worked great for me - thanks.

JUnit approach

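For those starting the server from within a JUnit setup, copy a cert_override.txt and cert8.db containing the certificate exceptions to some directory. Use the following Java code to start the server.

import java.io.File;
import org.openqa.selenium.server.RemoteControlConfiguration;
import org.openqa.selenium.server.SeleniumServer;
// In the JUnit setup method; server is a SeleniumServer field of the test class.
RemoteControlConfiguration rcc = new RemoteControlConfiguration();
rcc.setFirefoxProfileTemplate(new File("path/to/directory/with/cert_override/cert8.db"));
server = new SeleniumServer(rcc);
server.start();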

I am using LoggingSelenium, because it generates nice HTML reports, but your approach doesn't seem to work here. Any thoughts? I am still struggling to get rid of certificate exceptions. Thanks in advance.

protected LoggingSelenium mySelenium;
LoggingCommandProcessor myProcessor = new LoggingCommandProcessor(new HttpCommandProcessor(SELENIUM_SERVER, SELENIUM_PORT, BROWSER_TYPE,BASE_URL), htmlFormatter);
myProcessor.setExcludedCommands(new String[] {});
mySelenium = new LoggingDefaultSelenium(myProcessor);
mySelenium.start();

Just copy the cert_override.txt and cert8.db

Just copying a cert_override.txt and cert8.db that already had the exception into the existing firefoxprofile directory seemed to do the trick for me! Thanks for the pointer.

You're right, that should have the same effect.

Amazing

That was a very helpful post my friend. I am sure you have done very well to post it on this site as there are a lot of people looking out for help on such manners and unable to find it.

works for me too

Thanks a lot - I have spent best part of the day trying to crack this problem and yours was the best and easiest one. Once again thanks,

Cheers,

Another solution, too

At the bottom right corner of your Prism window, you've got a cog icon that pops open a menu. If you open that menu and choose tools | error console, you get the Firefox error console, into which you can type in a javascript command.

If you type:

window.open('chrome://pippki/content/pref-certs.xul')

...and click "execute," then you will get the common Firefox Certificates dialog.

If you then click on the "servers" tab, you can type in the https: URL, fetch the certificate and add an exception like normal.

This is a LITTLE less of a pain in the ass than copying config files all over the place.

The chrome: urls that you can get this way are listed here:

http://kb.mozillazine.org/index.php?title=Dev_:_Firefox_Chrome_URLs&prin...

THANKS

Radical to the max! Thank you!

Thanks a million!!!

Works like a charm. You've just ended months of fiddling and hair tearing on my part.

Glad it was useful. Thanks for letting me know.

Thanks, this pointer very useful.

I was thinking though, considering you're going to

"Delete everything in the directory except for the cert_override.txt and cert8.db files."

Why not just copy those out of your normal user profile into a new directory?
You might have one or two exceptions you don't want I suppose, but seems
like less work than steps 1-8.

Anyway, I'm testing that approach.

Let me know how it goes.

Not able to find the cert_override.txt file

Hi

I have created the new profile, opened the HTTPS URL and accepted the certificate, but I am not able to find the cert_override.txt file; however, I am able to find the cert8.db file.

Kindly guide me how to create the cert_override.txt file

Regards
tester123tester@gmail.com

You'll only get one of those (I think) once you've created an exception in Firefox for the SSL cert for the self-signed certificate.

Hi,

I followed all your steps but still hitting the error.
I understand risks ....
Can you please help me? I created a new profile, accepted the certificate, deleted other files, started selenium with trustallcertificates and path of the new profile. But when I run my tests, it's hitting the same problem. Can you please help???

Thanks
Ash