Stefan Sperling wrote on Fri, 19 Jul 2019 18:45 +00:00:
> It looks like the interactive prompt omits an option to save the cert
> if it sees a certificate failure of class 'other' from the above list.
> I am not sure why this decision was made but that's what the current
> code seems to do.

The rationale is that if we don't know what the failure reason _is_, we
don't know whether it's safe to ignore it permanently.  In other words,
it only offers "permanently" if the failure bits are all whitelisted.

The downside is that there's no easy way for a user to say "I know what
I'm doing, and I _do_ want to ignore this permanently; make it so", such
as a utility that takes a PEM form certificate (on, say, stdin) and
marks it as permanently trusted.

> So I suspect your SSL cert is failing for some reason
> other than unknown-ca, cn-mismatch, expired, not-yet-valid.
