So I had done some tests with “real” certificates, so I used the Comodo free SSL certificate for 90 days offer. I put some TLSA records in the dns for nohats.ca, and this allowed me to test the firefox plugin I was testing that deals with CA backed and DNSSEC backed certificates.
So of course, the SSL certificate expired, and I did not want to pay $99 to renew it. So I replaced it with a self-signed certificate and updated the TLSA record.
Then neither firefox or chrome would connect to my website. They both threw an error about the certification being invalid. And they both refused to give me the override option. They knew better then me. This is exactly what you get when the publisher of the certificate is not in control of telling you if the new certificate is valid. If these browsers had confirmed via DNS and DNSSEC that this is in fact the new real certificate, they wouldn’t have had to block my access (or witheld the override option from me)
The way to fix this, is to delete all the browser history. Then it will have forgotten the pinned certificate and it will re-ask you with the familiar “untrusted, do you want to continue anyway” dialog. I had to spend about 10 minutes to figure out how to do this. There go your website visitors. Both Chrome and Firefox acted in this way.
Expect many such false positives when you are dealing with certificate pinning, such as TACK
Ironically, many of you will have to do exactly this, before you can read this blog entry. How long did it take you?