Firefox throws SEC_ERROR_BAD_SIGNATURE error for a site but Chromium says certificate is valid

  • 12 replies
  • 1 has this problem
  • 224 views
  • Last reply by m.busico

Hi all, I have an Apache site on Kubuntu 20.04 with a certificate signed by my private CA. I've added the root CA certificate in Firefox and in Chromium.

Firefox throws a SEC_ERROR_BAD_SIGNATURE error

Chromium accepts the certificate as valid

What can I do?

Notes: the site url is "https://hdev.h.net" (with an internal IP address inside my lab)

Attached there are:

- the authority settings page
- the certification authority certificate as seen by Firefox
- the site certificate

Firefox version 82.0 Ubuntu
Chromium version 86.0.4240.11


All Replies (12)


Well, none of the suggested solutions worked or is applicable.

For now I have:

- Firefox version 82.0 Ubuntu: error SEC_ERROR_BAD_SIGNATURE
- Chromium version 86.0.4240.11 says certificate is valid
- Konqueror 5.0.97 says certificate is valid
- Epiphany 3.36.4 says certificate is valid

Why does Firefox behave differently?


I don't know why different browsers have a different opinion.

Before we make ourselves crazy over a transient issue, have you cleared Firefox's cache? See: How to clear the Firefox cache.

In theory, this error means "A signature on a certificate is improperly formatted or the certificate has been tampered with."

In your site certificate, it looks like these have the same value:

  • ID chiave soggetto
  • ID chiave autorità

And also:

Autorità di certificazione => Si (Certificate Authority => Yes)

Is it meant to be a self-signed certificate??


Well, I cleared the cache and the problem persists.

To create the certificate I used these steps:

- create a private key for CA:
  sudo openssl genrsa -out hrootCA.key 2048
- create a CA certificate:
  sudo openssl req -x509 -new -nodes -key hrootCA.key -sha256 -days 3650 -out hrootCA.pem
- create a server key and csr request (openssl configuration below):
  sudo openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout hdev.key -out hdev.csr -config openssl.cnf
- create the server certificate signed by the CA:
  sudo openssl x509 -req -in hdev.csr -CA hrootCA.pem -CAkey hrootCA.key -CAcreateserial -out hdev.crt -sha256 -days 3650 -extfile openssl.cnf -extensions v3_ca
- installed the hdev.cert and hdev.key in Apache
- installed hrootCA.pem in Firefox

openssl.cnf contains:

=====================================

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C = IT
ST = Italy
L = Rome
O = Localhost CA
OU = Laboratory
CN = hdev

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1 = hdev
DNS.2 = *.h.net

=====================================

What am I doing wrong?


Sorry. Reposted because I didn't see the answer appear.

Please delete duplicated posts.

Thanks


Sorry, this is not the best site for guidance on OpenSSL.


Sorry, I was not clear.

I didn't ask for OpenSSL guidance.

I asked: why do the commands I used generate a certificate / certification authority that every browser accepts except Firefox?

Does Firefox need some particular configuration, protocol or algorithm to accept a certificate?


Sorry, what I meant was, perhaps on a forum related to OpenSSL you can find a discussion of issues related to certificate signature problems in Firefox.

Other than what I observed before about the certificate key and signature key being the same -- which is strange if you are signing with a different certificate -- I don't know why Firefox would object to the certificate signature.

Perhaps another forum volunteer knows of a way to find more detailed error information.


Chosen solution

See also:

Try to rename cert9.db (cert9OLD.db) in the Firefox profile folder with Firefox closed.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.


It worked. For the history, the steps I followed:

  • stop Firefox
  • delete cert9.db
  • start Firefox
  • before everything else, import hrootCA.pem in the Authorities certificates
  • access the certificate-protected page

Firefox still complains that there is something wrong with the certificate (it says that a security exception was added to this site), but correctly accesses the page without asking anything.

Thanks a lot

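Added example, not from any post in this thread: a shell check for one condition consistent with the accepted fix, namely a certificate store holding an authority whose name matches the site certificate's issuer but whose key did not sign it. That this was the cause here is an assumption the thread does not confirm; the function names and the files passed in are placeholders.

```sh
#!/bin/sh
# Added example: function names are hypothetical, arguments are your own PEM files.

# Print one distinguished name of a certificate in a stable format.
# $1 = certificate file, $2 = -subject or -issuer
cert_field() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 "$2" | sed 's/^[a-z]*= *//'
}

# Classify how a site certificate relates to a candidate authority certificate.
# $1 = authority certificate (PEM), $2 = site certificate (PEM)
# Prints one of:
#   ok                   the chain verifies under this authority
#   same-name-wrong-key  issuer name matches but verification fails; most often
#                        a different key behind the same name (an expired
#                        certificate also lands here)
#   issuer-mismatch      the site certificate names a different issuer
classify_chain() {
    ca=$1
    leaf=$2
    if openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    if [ "$(cert_field "$leaf" -issuer)" = "$(cert_field "$ca" -subject)" ]; then
        echo same-name-wrong-key
    else
        echo issuer-mismatch
    fi
    return 1
}

# Example call with the file names used in the thread:
#   classify_chain hrootCA.pem hdev.crt
```

To see which authorities a Firefox profile actually holds, `certutil -L -d sql:<profile folder>` from the NSS tools lists the contents of cert9.db.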