SSL bypasses for full URLs (as you have above) will not work because knowing the full URL implies that the SSL tunnel has already been broken.
The updates for Firefox from my experience have mainly come from mozilla.org, so it should suffice to bypass that top-level domain as the application is hardcoded to trust only their top level CA (not any other CA that may be in the trusted store).
Great goggly moggley. That would explain a few things. My prior rule had 2 url.host rules that were probably working but I was trying to be a bit surgical with the *.mozilla.org rule to restrict it to update paths and the like... but, good point, won't work! Thanks much Jon. Wish I'd asked months ago.
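The point made in the first reply, as an added example that is not part of the original thread or any proxy vendor's code: before the tunnel is decrypted, an explicit proxy sees only the host in the CONNECT line, so a bypass rule that carries a path can never be evaluated in time. The rule strings, the sample request and the function names are constructed for illustration, and an explicit-proxy (CONNECT) deployment is assumed.

```python
from fnmatch import fnmatchcase

# Constructed sample: what an explicit proxy receives before any TLS bytes flow.
SAMPLE_CONNECT = "CONNECT updates.mozilla.org:443 HTTP/1.1"

# Constructed bypass rules: one host-only, one scoped to a URL path.
RULES = ["*.mozilla.org", "https://*.mozilla.org/update/*"]


def connect_target(request_line):
    """Return the host from a CONNECT request line. This is the only
    destination detail available while the tunnel is still encrypted."""
    method, authority, _version = request_line.split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, _port = authority.rpartition(":")
    return host.lower()


def split_rule(rule):
    """Split a rule into (host_pattern, path_pattern or None)."""
    rest = rule.split("://", 1)[-1]
    host, _, path = rest.partition("/")
    return host.lower(), ("/" + path) if path else None


def evaluate(rule, request_line):
    """Classify a bypass rule using only what is visible at CONNECT time."""
    host_pattern, path_pattern = split_rule(rule)
    if path_pattern is not None:
        # The path travels inside the encrypted tunnel; matching it would
        # require the interception the bypass is meant to avoid.
        return "unenforceable"
    host = connect_target(request_line)
    return "bypass" if fnmatchcase(host, host_pattern) else "no-match"


def audit(rules, request_line):
    """Map each rule to its outcome for one CONNECT request."""
    return {rule: evaluate(rule, request_line) for rule in rules}


if __name__ == "__main__":
    for rule, outcome in audit(RULES, SAMPLE_CONNECT).items():
        print(f"{outcome:14} {rule}")
```
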