3

We've had a couple of users recently complain about not being able to connect to the HTTPS version of our website (served via Apache) from Firefox. They error they receive is:

Secure Connection Failed

An error occurred during a connection to www.domain.com. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature)

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

  • Please contact the website owners to inform them of this problem.

However, the vast majority of our users do not receive any kind of error here, and everything just works. I am also unable to reproduce it on my end.

My initial searching led me to believe this was a bug in Firefox, and indeed for one user the problem went away when Firefox upgraded itself. Another though has a fresh install of Firefox (from yesterday) and verified that he is on the latest stable version (38.0.1 as of this writing).

Any ideas on what might be causing this?

DOOManiac
  • 791
  • 6
  • 12
  • 26
  • SHA-1 SSL certificate are obsolete due to weaknesses disvovered in the algorithm. You should re-key your certificate. If you have a SHA-1 certificate, your provider should allow for you to generate a new SHA-256 certificate for free : https://blog.digicert.com/what-is-sha-2-and-how-it-affects-you/ – krisFR May 19 '15 at 22:43
  • I'm aware that SHA-1 is obsolete, and we are working on getting a new one; but is this why Firefox is having problems? If so why would it work just fine for all other Firefox users? And if so, you should submit this as an answer instead of a comment. :) – DOOManiac May 20 '15 at 16:28
  • As far as some Firefox works and other not SHA-1 may not be the issue, that's why i wrote just a comment...Every users use the same FF version ? Try to rename or delete the file `cert8.db`... – krisFR May 20 '15 at 16:33

2 Answers2

1

Today i had a client, which imported an invalid CA-Certificate with the same name (internal CA). This caused the sec_error_bad_signature error.

I removed the wrong CA certificate from Firefox Trusted Certificate store and reimported the correct one.

MHeld
  • 111
  • 4
0

Deleting the cert8.db file as originally suggested here ended up being a hit-or-miss fix to the problem. For some users it worked swimmingly; others it did nothing at all. In fact, for some users even uninstalling Firefox and nuking their Firefox APPDATA folders, Registry Entries, and etc. did not fix the error.

While I was unable to determine if it was SHA-1 causing the problem with Firefox users, issuing a new SSL certificate did fix this for everyone. So at the very least that is a workaround...

DOOManiac
  • 791
  • 6
  • 12
  • 26