[solved] Sec_error_bad_signature

I always get SEC_ERROR_BAD_SIGNATURE in Browser (Firefox 59.0.1, Safari, Iridium, iCab), when I request or renew a Certificate.
For every tested domain.

My example domain is:

I ran this command:
./letsencrypt request www.intermezzo.net
(ACME1 and ACME2 tried)

Authorizing www.intermezzo.net.
 - Retrieving HTTP authentication challenge.
 - Retrieving authorization key.
Authorizing intermezzo.net.
 - Retrieving HTTP authentication challenge.
 - Retrieving authorization key.
Generating RSA key.
Generating CSR.
Retrieving certificate.
Using /usr/local/etc/hiawatha/tls/www.intermezzo.net.pem as output file.
Writing private key and certificate to file.
Retrieving CA certificate.
Writing CA certificate to file.

My web server is (include version):
Hiawatha Webserver 10.8-rc1

The operating system my web server runs on is (include version):
OpenBSD 6.2 (amd64)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):


it seems that your server send two certs in one request.
One is the correct certificate, however the other one is an selfsigned cert.

Can you check your config and make sure to remove the cert? (although i don’t know what happened since i can’t connect to your server)

Thank you

I restarted the server. Sorry.

There is only one cert in the config. The issue is only with new certs. Old certs on other domains are still working.

The server banned you because of curl, I disabled this now :slight_smile:

Checking with openssl tools, I get errors, too:

$ openssl s_client -connect www.intermezzo.net:443 -servername www.intermezzo.net
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
140296662271648:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
140296662271648:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:721:
140296662271648:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1840:

I would check if the components of the certificate file are valid.

This is due to a bug in Hiawatha’s Let’s Encrypt script. This topic can be closed.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.