Homeblog

Dealing with self-signed SSL certificates when running Selenium server with Firefox

Wed, 2009-01-14 18:58 — elliot

Selenium is a decent tool for testing web UIs, with good integration with a variety of languages. We use it on Talis Prism for testing the UI, running a Selenium server instance then firing Ruby rspec tests and an older HTML suite at it. Here's the part of the Ant build script which runs the HTML suite using Selenium :

<target name="prism-selenium-tests" description="Run the old Prism Selenium tests">
  <echo message="Running old Selenium tests against Prism" />
  <java jar="test/dependencies/Selenium/selenium-server.jar" fork="true" maxmemory="1024m">
    <arg line="-debug -timeout 500 -htmlSuite '*chrome ${firefox.bin}' http://${prism.host} \
       test/selenium/testSuite.html doc/seleniumResults.html" />
  </java>
</target>

where the variables we interpose are:

${firefox.bin} = path to the Firefox binary to use
${prism.host} = HTTP host to run the tests against

This works without a hitch if you're not using HTTPS; but as soon as your tests redirect to an HTTPS URL on the same host (we serve parts of Prism over SSL), where your SSL certificate is self-signed, things go wrong. As Selenium effectively runs Firefox with a new profile every time, you potentially lose any certificate exceptions you might accept.

One technique we were using was to create a custom profile; run Firefox using that profile; browse to the HTTPS URL and accept the exception into that profile; then close the profile.

This kind of worked, but we still got odd popups from Firefox about new extensions being installed. Just annoying.

I think I've now worked out the solution, which was largely based on http://kapanka.com/2008/12/selenium-rc-firefox-and-the-self-signed-ssl-c.... It's a bit of a pain in the arse, but it does seem to work. Here goes.

  1. Close down any running Firefox instances.
  2. Start Firefox (the one you're going to run your tests with) with the profile manager: firefox -ProfileManager
  3. Create a new profile. You'll be prompted to choose a directory for the profile. Put it somewhere inside the project where you're writing the tests.
  4. Select the profile and run Firefox using it.
  5. Browse to the HTTPS URL (with self-signed certificate) you're going to be testing against.
  6. Accept the self-signed certificate when prompted. This creates an exception for it in the profile.
  7. Close the browser.
  8. Go to the Firefox profile directory.
  9. Delete everything in the directory except for the cert_override.txt and cert8.db files.
  10. When you run your Selenium server (like in my Ant example above), pass a -firefoxProfileTemplate /path/to/profile/dir argument to it. This tells Selenium to use your partial profile (with certificate exceptions) as a basis for minting its new profile. So you get the certificate exceptions, but without any of the other clutter you would get if you used a whole profile.

The Ant task above, with this option, looks like this:

<target name="prism-selenium-tests" description="Run the old Prism Selenium tests">
  <echo message="Running old Selenium tests against Prism" />
  <java jar="test/dependencies/Selenium/selenium-server.jar" fork="true" maxmemory="1024m">
    <arg line="-debug -timeout 500 -firefoxProfileTemplate test/firefoxProfile \
       -htmlSuite '*chrome ${firefox.bin}' http://${prism.host} test/selenium/testSuite.html doc/seleniumResults.html" />
  </java>
</target>

Outside of Ant, the command might look something like:

java -jar test/dependencies/Selenium/selenium-server.jar -firefoxProfileTemplate /path/to/profile \
-htmlSuite '*chrome firefox-bin' http://host.com testSuite.html seleniumResults.html

Works for me.

Comments

Wed, 2010-01-20 09:25 — Guest (not verified)

This article really helped

This article really helped me a lot.
I was tired of this problem for many days.
Thanks a lot!

Tue, 2009-10-20 11:43 — Guest (not verified)

Thanks!!!

Finally it's working! :)
But could you tell me a similar trick for IE (IE6)? Still have to accept the certificates by hand while using Selenium RC.

Wed, 2009-11-04 00:12 — elliot

Sorry, not really sure about

Sorry, not really sure about IE :)

Mon, 2009-10-12 17:31 — Guest (not verified)

Elliot. Thanks for the post.

Elliot. Thanks for the post. Its working great for me.
Thanks you so mucccccch!

Mon, 2009-10-12 20:31 — elliot

You're more than welcome. It

You're more than welcome. It was very annoying for me, too, while it was broken.

Wed, 2009-10-07 14:54 — Guest (not verified)

Thanks a lot for this

Thanks a lot for this

Mon, 2009-10-12 20:32 — elliot

You're welcome.

You're welcome.

Thu, 2009-09-17 19:13 — Guest (not verified)

Worked great for me - thanks.

Worked great for me - thanks.

Tue, 2009-08-04 09:37 — moodgorning (not verified)

JUnit approach

for those starting the server from within a JUnit setup, copy a cert_override.txt and cert8.db containing the certificate exceptions to some directory. use the following java code to start the server.

RemoteControlConfiguration rcc = new RemoteControlConfiguration();
rcc.setFirefoxProfileTemplate(new File("path/to/directory/with/cert_override/cert8.db"));
server = new SeleniumServer(rcc);
server.start();

Sat, 2009-09-05 05:36 — Sss (not verified)

I am using LoggingSelenium,

I am using LoggingSelenium, becuase it generates nice html reports, but your approach doesnt seem to work here. Any thoughts ? I am still struggling get rid of certificate exceptions. Thanks in advance.

protected LoggingSelenium mySelenium;
LoggingCommandProcessor myProcessor = new LoggingCommandProcessor(new HttpCommandProcessor(SELENIUM_SERVER, SELENIUM_PORT, BROWSER_TYPE,BASE_URL), htmlFormatter);
myProcessor.setExcludedCommands(new String[] {});
mySelenium = new LoggingDefaultSelenium(myProcessor);
mySelenium.start();

Fri, 2009-05-22 18:10 — Guest (not verified)

Just copy the cert_override.txt and cert8.db

Just copying a cert_override.txt and cert8.db that already had the exception into the existing firefoxprofile directory seemed to do the trick for me! Thanks for the pointer.

Wed, 2009-05-27 08:11 — elliot

You're right, that should

You're right, that should have the same effect.

Thu, 2009-04-30 05:11 — Lava Lamps (not verified)

Amazing

That was a very helpful post my friend. I am sure you have done very well to post it on this site as their are a lot people looking out for help on such manners and unable to find it.

Wed, 2009-04-22 15:48 — Shahid (not verified)

works for me too

Thanks a lot - I have spent best part of the day trying to crack this problem and yours was the best and easiest one. Once again thanks,

Cheers,

Tue, 2009-05-05 20:24 — dan23 (not verified)

Thanks, this pointer very

Thanks, this pointer very useful.

I was thinking though, considering you're going to

"Delete everything in the directory except for the cert_override.txt and cert8.db files."

Why not just copy those out of your normal user profile into a new directory?
You might have one or two exceptions you don't want I suppose, but seems
like less work than steps 1-8.

Anyway, I'm testing that approach.

Wed, 2009-04-15 21:59 — Guest (not verified)

Another solution, too

At the bottom right corner of your Prism window, you've got a cog icon that pops open a menu. If you open that menu and choose tools | error console, you get the Firefox error console, into which you can type in a javascript command.

If you type:

window.open('chrome://pippki/content/pref-certs.xul')

...and click "execute," then you will get the common Firefox Certificates dialog.

If you then click on the "servers" tab, you can type in the https: URL, fetch the certificate and add an exception like normal.

This is a LITTLE less of a pain in the ass than copying config files all over the place.

The chrome: urls that you can get this way are listed here:

http://kb.mozillazine.org/index.php?title=Dev_:_Firefox_Chrome_URLs&prin...

Mon, 2009-02-16 21:54 — Guest (not verified)

THANKS

Radical to the max! Thank you!

Fri, 2009-02-13 16:40 — Ido (not verified)

Thanks a million!!!

Works like a charm. You've just ended months of fiddling and hair tearing on my part.

Sun, 2009-02-15 12:01 — elliot

Glad it was useful. Thanks

Glad it was useful. Thanks for letting me know.

Fri, 2009-01-23 15:14 — Guest (not verified)

Thanks, this pointer very

Thanks, this pointer very useful.

I was thinking though, considering you're going to

"Delete everything in the directory except for the cert_override.txt and cert8.db files."

Why not just copy those out of your normal user profile into a new directory?
You might have one or two exceptions you don't want I suppose, but seems
like less work than steps 1-8.

Anyway, I'm testing that approach.

Tue, 2009-02-17 23:30 — elliot

Let me know how it goes.

Let me know how it goes.

Mon, 2009-02-23 13:53 — Guest (not verified)

Not able to find the cert_override.txt file

Hi

I have created the new profile and opened the HTTPS URL and accepted the certificate but not able to find the cert_override.txt file any how i am able to find the cert8.db file

Kindly guide me how to create the cert_override.txt file

Regards
tester123tester@gmail.com

Thu, 2009-02-26 20:58 — elliot

You'll only get one of those

You'll only get one of those (I think) once you've created an exception in Firefox for the SSL cert for the self-signed certificate.