
# HTTP/3 with a private CA


I had a successful deployment of HTTP/3 on my main domain. Then I deployed the exact same config on a private domain (`.dn42`) with a self-signed certificate, and my browser wouldn't connect over HTTP/3. The config was the same, and `curl --http3` worked fine.

HTTP/3 REQUIRES TLS, but that's in the protocol. It turns out that browsers also require a valid PUBLIC certificate (signed by a certificate authority in the CA/Browser Forum).
This means that with a self-signed certificate, Firefox won't connect over HTTP/3 even if you add the CA to the trust store!

### The fix

For Firefox, go to the page `about:config` and change `network.http.http3.disable_when_third_party_roots_found` to `true`, then restart the browser.

For Chrome, you need to use a command-line flag, for each domain:
```bash
chromium-browser --origin-to-force-quic-on=your.domain.tld:443
```

* https://www.smashingmagazine.com/2021/09/http3-practical-deployment-options-part3/#additional-issues
* https://news.ycombinator.com/item?id=35410880
