I used to use StartSSL for my free SSL certificates, but they expire each year, and I'm lazy.
So I created my own certificate authority and certificates. This site uses them.
In my Apache config, I've specified that only TLS and DHE-DSS-AES256-SHA and DHE-RSA-AES256-SHA ciphers can be used.
Both of my browsers show that they accept these ciphers.
However, Chrome can connect fine to https://calum.org/, but my Firefox (18) gives the following error:
Secure Connection Failed
An error occurred during a connection to calum.org.
Peer's certificate has an invalid signature.
(Error code: sec_error_bad_signature)
- The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
- Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
I've imported the CA into both Firefox and Chrome, so it's nothing to do with that. The times on both the server and my PC here are synced, so it's not that.
SSL checking sites find no problems with my setup (other than my CA isn't trusted).
sec_error_bad_signature doesn't even appear on Mozilla's Secure connection troubleshooting page.
I'm at a loss. I'm starting to suspect that it's some of the various options that can be part of the CA, or of the certificate, but it's hard to know how to find out what to check. Firefox's error message doesn't give much of a decent steer.
If you have any idea what it could be, please leave a comment. Also, if you have a problem connecting to https://calum.org/, please leave a comment with your browser version.
The problem was that my CA DN was the same as the certificate DN.
My CA DN was C=GB,ST=England,O=calum.org,CN=calum.org and my cert was C=GB,ST=England,O=calum.org,CN=calum.org
I wish I'd made the CA C=GB, ST=England, O=calum.org, OU=ca, CN=calum.org, but as I didn't, I've had to make the SSL cert C=GB, ST=England, O=calum.org, OU=web, CN=calum.org.
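A quick way to catch this before deploying, as an added example that is not part of the original post: the script compares the CA's subject DN with the leaf's and flags the case where two different certificates share one name. The file names and the throwaway demo CA are constructed for illustration; only the DN values come from the post.

```bash
# Added example: detect a leaf certificate whose subject DN equals its CA's subject DN.
# File names and the demo directory layout are constructed for illustration.

# Print a certificate's subject DN in RFC 2253 form, without the "subject=" prefix.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# SHA-256 fingerprint, used to tell two distinct certificates apart.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 when CA ($1) and leaf ($2) are different certificates with the same subject DN.
# Such a leaf has issuer == subject, which is how a self-issued certificate looks by name.
dn_collision() {
    [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ] &&
        [ "$(subject_dn "$1")" = "$(subject_dn "$2")" ]
}

# Build a throwaway CA plus two leaves: one reusing the CA's DN, one with OU=web added.
make_demo_certs() (
    d="$1"; base="/C=GB/ST=England/O=calum.org"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$base/CN=calum.org" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    serial=1
    for name in same web; do
        subj="$base/CN=calum.org"
        [ "$name" = web ] && subj="$base/OU=web/CN=calum.org"
        serial=$((serial + 1))
        openssl req -newkey rsa:2048 -nodes -subj "$subj" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -set_serial "$serial" -days 1 -out "$d/$name.crt" 2>/dev/null
    done
)

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for leaf in same web; do
    if dn_collision "$demo_dir/ca.crt" "$demo_dir/$leaf.crt"; then
        echo "$leaf.crt: subject DN identical to the CA's, change one of them"
    else
        echo "$leaf.crt: distinct subject DN ($(subject_dn "$demo_dir/$leaf.crt"))"
    fi
done
rm -rf "$demo_dir"
```

Against real files, call `dn_collision /path/to/ca.crt /path/to/server.crt` and treat a zero exit status as the condition to fix.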