
Self-signed certificates don't work on Firefox #6891


Open
theCalcaholic opened this issue Mar 11, 2025 · 2 comments

theCalcaholic commented Mar 11, 2025

Expected behavior

Self-signed certificates should show "CA not trusted" type errors on all browsers but work otherwise (after accepting the warning).

Actual behavior

Self-signed certificates work on Chromium-based browsers (tested on Chromium and Brave) but not on Firefox, where the following error message is shown:

    An error occurred during a connection to localhost. Peer’s certificate has an invalid signature.

    Error code: SEC_ERROR_BAD_SIGNATURE

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

This issue does not occur when using a self-signed certificate from a different source, e.g. generated using the following openssl command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 7 -nodes

Minimal configuration to reproduce the issue

./Caddyfile:

localhost:443 {
  bind 0.0.0.0
  tls internal

  respond "static response"
}

docker command:

docker run --rm -v "$PWD/Caddyfile:/etc/caddy/Caddyfile:ro" -p 443:443 caddy:2

Context

Caddy version: v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
Firefox version: 136.0 (64-bit) - Flatpak version

bt90 (Contributor) commented Mar 11, 2025

Could you check the TLS handshake using:

openssl s_client -connect localhost:443

and post the output?

theCalcaholic (Author) commented Mar 11, 2025

Sure, here it is:

  $ openssl s_client -connect localhost:443
  Connecting to ::1
  CONNECTED(00000003)
  80B2A21DEF7F0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:909:SSL alert number 80
  ---
  no peer certificate available
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 7 bytes and written 302 bytes
  Verification: OK
  ---
  New, (NONE), Cipher is (NONE)
  This TLS version forbids renegotiation.
  Compression: NONE
  Expansion: NONE
  No ALPN negotiated
  Early data was not sent
  Verify return code: 0 (ok)
  ---

EDIT: Here are the two certificates in question. One notable difference is that Caddy uses a (self-signed) CA to issue the actual certificate, while I created a self-signed certificate directly for my comparison. However, I've been doing the same procedure as Caddy with openssl in the past and have not encountered this problem.

caddy_internal_self_signed_cert.pem.txt
openssl_self_signed_cert.pem.txt
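Added example, not part of this thread and not Caddy's or Firefox's code: a small Go program that performs offline the check behind the Firefox message above, namely whether a leaf certificate's signature actually verifies under the public key of the CA certificate it names as issuer. `CheckLeafSignature` takes two PEM files as byte slices, so it can be pointed at the attached caddy_internal_self_signed_cert.pem together with the root certificate that issued it. The helper `issue`, the `Demo` function and the two "Demo Root" certificates are constructed here for the demonstration and say nothing about what is wrong in the reported setup. The mismatch case shown (a root regenerated under the same name while an older copy is still the one being presented or trusted) is one generic way to produce exactly this kind of signature failure; whether it applies here is for the handshake capture to decide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseCert decodes the first CERTIFICATE block of a PEM file.
func parseCert(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckLeafSignature asks the question behind SEC_ERROR_BAD_SIGNATURE: was leafPEM
// really signed by the key in issuerPEM? Dates and host names are not checked here.
func CheckLeafSignature(leafPEM, issuerPEM []byte) error {
	leaf, err := parseCert(leafPEM)
	if err != nil {
		return fmt.Errorf("leaf: %w", err)
	}
	issuer, err := parseCert(issuerPEM)
	if err != nil {
		return fmt.Errorf("issuer: %w", err)
	}
	if leaf.Issuer.String() != issuer.Subject.String() {
		return fmt.Errorf("issuer name mismatch: leaf names %s, CA is %s", leaf.Issuer, issuer.Subject)
	}
	// Verifies leaf.Signature over leaf.RawTBSCertificate with the issuer's public key,
	// the same operation a browser performs on the chain it receives in the handshake.
	if err := leaf.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	return nil
}

// issue (constructed helper) generates a fresh P-256 key and a certificate for tmpl
// signed by parent with signer; a nil signer means self-signed with the fresh key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}

// Demo (constructed) issues a localhost leaf from one "Demo Root" and checks it against
// that root (nil) and against a second root with the same name but another key (error).
func Demo() (matchErr, mismatchErr error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	oldCA, _, err := issue(caTmpl, caTmpl, nil) // stale root: same name, different key
	if err != nil {
		return err, err
	}
	newCA, newKey, err := issue(caTmpl, caTmpl, nil) // root that actually signs the leaf
	if err != nil {
		return err, err
	}
	newCACert, err := parseCert(newCA)
	if err != nil {
		return err, err
	}
	leaf, _, err := issue(leafTmpl, newCACert, newKey)
	if err != nil {
		return err, err
	}
	return CheckLeafSignature(leaf, newCA), CheckLeafSignature(leaf, oldCA)
}

func main() {
	ok, bad := Demo()
	fmt.Println("issuing root presented:", ok) // <nil>
	fmt.Println("same-named stale root presented:", bad)
}
```

To use it on real files, read the leaf and the root with os.ReadFile and pass the bytes to CheckLeafSignature; a nil result means the signature itself is fine and the Firefox error has to come from somewhere else in the chain or in how it is served, while a "bad signature" result with matching names points at a key/certificate mismatch on the issuing side.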
