
SEC_ERROR_BAD_SIGNATURE on private CA certificates

Posted

Was there a recent change that invalidates private certificates, with its private CA imported into my FF CA repository?

What I have set up, which worked not too long ago, which was defining the IP address and host name in C:\Windows\System32\drivers\etc\hosts file. Then importing the remote site's private CA certificate in FF. From that point on, it trusted my private URLs due to matching private CA. Now, generates SEC_ERROR_BAD_SIGNATURE.

I renamed the cert8.db file and restarted FF. I now get the normal "untrusted" error then re-imported the private CA to make the "untrusted" error go away. However, that still gave me SEC_ERROR_BAD_SIGNATURE. So, something must've changed.

I even tried disabling OCSP checking (thought it was optional if it couldn't check). I then disabled OCSP Stapling. Neither resolved this issue, thinking it was trying to check with the OCSP server, which it can't reach due to firewall since it's internal to the other private LAN.

I'm not sure where to look. I tried Googling for answers, which led me to the above two solutions to try.

The CA I have is a private CA, generated by Microsoft Windows Server 2008 R2 with the Active Directory Certificate Authority installation. Like I said, it was working in FF fairly recently. Let me know what else you need for me to provide.

Regards,

John Babbitt Systems Administrator Cutler Investment Group, LLC



Additional System Details

Installed Plug-ins

  • Shockwave Flash 26.0 r0

Application

  • Firefox 54.0.1
  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
  • Support URL: https://support.mozilla.org/1/firefox/54.0.1/WINNT/en-US/

Extensions

  • Application Update Service Helper 2.0 (aushelper@mozilla.org)
  • Firefox Screenshots 6.6.0 (screenshots@mozilla.org)
  • Follow-on Search Telemetry 0.9.1 (followonsearch@mozilla.com)
  • LastPass: Free Password Manager 4.1.54a (support@lastpass.com)
  • Multi-process staged rollout 1.85 (e10srollout@mozilla.org)
  • Pocket 1.0.5 (firefox@getpocket.com)
  • Shield Recipe Client 1.0.0 (shield-recipe-client@mozilla.org)
  • Web Compat 1.1 (webcompat@mozilla.org)


Question owner

By the way, yes, like everyone else with this problem, it works fine on IE and Chrome. Just having this issue with FF.

FredMcD
There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connections and send their own certificate.

  • http://www.ehow.com/how_11385212_troubleshoot-reset-connection-firefox.html
  • https://support.mozilla.org/en-US/kb/server-not-found-connection-problem
  • https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
  • https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
  • https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
  • https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
  • https://support.mozilla.org/t5/Firefox/the-conexion-is-not-secure/m-p/1373536/#M1038128
  • http://kb.mozillazine.org/Error_loading_websites

Question owner

Unfortunately, those are what I also found and tried them all. The thing is, if I take out the private CA certificate, go to the URL, add it to the exception, it works fine. Just not when I add in the private CA certificate. So, it is directly related to the CA certificate. What changed now that it is no longer trusting my private CA certificate? I see this:

"An error occurred during a connection to <private URL>. Peer’s certificate has an invalid signature. Error code: SEC_ERROR_BAD_SIGNATURE"

"The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."

What is it trying to verify? I disabled OCSP checking. Is it still trying to look up OCSP? It will fail because the OCSP site is unreachable from my workstation.

Like I said, I disabled OCSP Checking and OCSP Stapling but still get the same result.


Modified by CIG_Support

FredMcD

I called for more help.

You may have a corrupt cert8.db file. cert8.db stores all your security certificate settings.

Type about:support<enter> in the address bar.

Under the page logo on the left side, you will see Application Basics. Under this find Profile Folder. To its right press the button Show Folder. This will open your file browser to the current Firefox profile. Now Close Firefox.

Locate the above file. Then rename or delete it. Restart Firefox.


Chosen Solution

Actually, I did say I did that in the very first post. Anyways, just figured out the problem!

I knew it was related to the CA certificate. Sigh. OK, so there were two CA certificates with the same name and I only loaded one. One was SHA-1, the other one was SHA-256. I had the SHA-256 but not the SHA-1. The private URL I was trying to access was made with the SHA-1 and has yet to move over to the new SHA-256. Adding the SHA-1 certificate resolved my issue. Mismatched certificate was the reason. I think this error needs to be more specific than just "bad signature". Hope this helps other people!
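The situation in the chosen solution, reproduced as an added example (not part of the original thread): two private CA certificates with the same subject name, one SHA-1 and one SHA-256, and a server certificate issued by the SHA-1 one. It uses the `openssl` command line; the CA name, host name and file names are constructed for the demo, and giving the two CAs separate keys is an assumption the thread does not state.

```shell
#!/bin/sh
# Added example: two private CA certificates share one subject name but use
# different keys; only one of them verifies the server certificate.
# All names and keys below are constructed for the demo.
set -eu

# Print every candidate CA file whose key verifies the signature on LEAF.
# Note: openssl verify also consults its default trust directory, so run
# this where the private CA is not installed system-wide.
find_issuer() {
  leaf=$1; shift
  for ca in "$@"; do
    if openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
      printf '%s\n' "$ca"
    fi
  done
}

# Signature algorithm of a certificate, e.g. sha1WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Build the constructed PKI in directory $1: ca_sha1.pem and ca_sha256.pem
# (same subject, separate keys) and leaf.pem issued by the SHA-1 CA.
make_demo_pki() {
  dir=$1
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    'x509_extensions = v3_ca' '[dn]' 'CN = Example Private Root CA' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$dir/ca.cnf"
  for h in sha1 sha256; do
    openssl genrsa -out "$dir/ca_$h.key" 2048 2>/dev/null
    openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/ca_$h.key" \
      "-$h" -days 30 -out "$dir/ca_$h.pem"
  done
  openssl genrsa -out "$dir/leaf.key" 2048 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" -key "$dir/leaf.key" \
    -subj "/CN=intranet.example.test" -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca_sha1.pem" \
    -CAkey "$dir/ca_sha1.key" -set_serial 1 -sha1 -days 30 \
    -out "$dir/leaf.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for ca in "$demo_dir"/ca_sha*.pem; do
  echo "$ca: $(openssl x509 -in "$ca" -noout -subject), $(sig_alg "$ca")"
done
echo "leaf verifies against: $(find_issuer "$demo_dir/leaf.pem" "$demo_dir"/ca_sha*.pem)"
```

To check real files, export the server certificate and each same-named CA certificate in PEM form and pass them to `find_issuer` in the same way; the CA it prints is the one the browser needs in its store.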
