FF 78.6.0 ESR SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

  • 14 replies
  • 1 has this problem
  • 2 views
  • Last reply by Mike Kaply


hey all,

I get the following error ONLY for internal websites (we have our own Windows CA): SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED. Yes, I could "ignore" the error, however this is not desired. I already compared the algorithm with some external certs (like Let's Encrypt). Same algorithm, no error....

Have already tried with several internal websites, but without success. Some information about the certificate:

Algorithm: RSA 2048 key length
Sign. Algorithm: SHA-256 with RSA Encryption
V3

What is wrong? I have already tried a lot of things without success. Unfortunately, I no longer know what to do. We deploy the certificates (root+intermediate) via GPO (this works so far). We have the above-mentioned problems only after switching from 68ESR to 78ESR.

Thanks in advance.


Modified by mostRecentlyA


All Replies (14)


SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED is associated with a recent wave of changes in major browsers. Specifically, they are starting to treat certificates signed with the SHA-1 algorithm as insecure. This is being phased in over time so it affects users unevenly.

If you want to revert to the default setting for this feature, you can make the following change temporarily (until Firefox 52, I believe):

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste pki and pause while the list is filtered

(3) If the security.pki.sha1_enforcement_level preference is bolded and "user set" to a value other than 4, right-click it and choose Reset to restore the value to 4, or double-click the preference, replace the current value with 4, and click OK


FredMcD said

> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED is associated with a recent wave of changes in major browsers. Specifically, they are starting to treat certificates signed with the SHA-1 algorithm as insecure. This is being phased in over time so it affects users unevenly.
>
> If you want to revert to the default setting for this feature, you can make the following change temporarily (until Firefox 52, I believe):
>
> (1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
>
> (2) In the search box above the list, type or paste pki and pause while the list is filtered
>
> (3) If the security.pki.sha1_enforcement_level preference is bolded and "user set" to a value other than 4, right-click it and choose Reset to restore the value to 4, or double-click the preference, replace the current value with 4, and click OK

Hey thanks. Tried this already, no success.


I called for more help.


There is security software like Avast, Kaspersky, BitDefender and ESET that intercepts secure connection certificates and sends its own.

https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can

https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites

https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

https://support.mozilla.org/en-US/kb/connection-untrusted-error-message

Websites don't load - troubleshoot and fix error messages

http://kb.mozillazine.org/Error_loading_websites

What do the security warning codes mean


In what year was this certificate issued? Does Firefox have a built-in root certificate for this certificate?

You can try security.pki.sha1_enforcement_level = 0


cor-el said

> In what year was this certificate issued? Does Firefox have a built-in root certificate for this certificate?
>
> You can try security.pki.sha1_enforcement_level = 0

security.pki.sha1_enforcement_level = 0 => no success, same problem.

- cert issued 12/2019 (valid for 2 years).
- yes, intermediate and root cert are in Firefox (and also Windows) cert store. I double-checked this already.


FredMcD said

> I called for more help.
>
> There is security software like Avast, Kaspersky, BitDefender and ESET that intercepts secure connection certificates and sends its own.
>
> https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
>
> https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
>
> https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
>
> https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
>
> Websites don't load - troubleshoot and fix error messages
>
> http://kb.mozillazine.org/Error_loading_websites
>
> What do the security warning codes mean

Hey thanks. I already removed the AV client -> no success. All other links didn't help me, thanks anyway.

As said before, I had no problems with the previous version of Firefox (68ESR). Anything should be new ...

Btw, is there any solution to edit trusted servers (section certificates) from GPO? I don't want to edit the exception for xxxx clients^^

Modified by mostRecentlyA


For GPO you can check the certificates section on this page.

I will move this thread to Firefox for Enterprise.


Any other suggestions how to solve this problem?


So you're running into this problem because all DHE cipher suites were disabled in Firefox.

https://bugzilla.mozilla.org/show_bug.cgi?id=1496639

We have a new policy - DisabledCiphers - that will allow you to reenable it.

https://github.com/mozilla/policy-templates/blob/master/README.md

The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA


Mike Kaply said

> So you're running into this problem because all DHE cipher suites were disabled in Firefox.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
>
> We have a new policy - DisabledCiphers - that will allow you to reenable it.
>
> https://github.com/mozilla/policy-templates/blob/master/README.md
>
> The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA

My solution was to disable the setting "security.enterprise_roots.enabled"; after this all internal websites are working. I deploy the root and intermediate cert via Firefox GPO and install them in the local Firefox cert store. But I don't know why this setting was the problem.


Chosen Solution

Mike Kaply said

> So you're running into this problem because all DHE cipher suites were disabled in Firefox.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
>
> We have a new policy - DisabledCiphers - that will allow you to reenable it.
>
> https://github.com/mozilla/policy-templates/blob/master/README.md
>
> The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA

My solution was to disable security.enterprise_roots.enabled (set to false). I install the certs via GPO into the Firefox cert store. Now everything is fine.


> My solution was to disable security.enterprise_roots.enabled (set to false). I install the certs via GPO into the Firefox cert store. Now everything is fine.

Interesting. That means that there was a problem with your Windows certs. Glad it's working.


Mike Kaply said

> > My solution was to disable security.enterprise_roots.enabled (set to false). I install the certs via GPO into the Firefox cert store. Now everything is fine.
>
> Interesting. That means that there was a problem with your Windows certs. Glad it's working.

But Idk what exactly was wrong? As mentioned, the sign algorithm etc. seems ok.

My current setting is:
- install root and intermediate certs via GPO into the Firefox cert store
- tell Firefox not to use the Windows cert store (REG key ImportEnterpriseRoots (which equals security.enterprise_roots.enabled), set this to FALSE)

So far, everything is ok.


If you recreate the problem and then get the certificate contents, we could debug.

Best to open a bug in bugzilla.mozilla.org
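
One way to gather the certificate details the last reply asks for, as an added example that is not part of the thread: it reads the signature algorithm of every certificate in a chain instead of only the server certificate. The sample chain is constructed (skeleton DER structures, not the poster's certificates), and the set of flagged hashes and all function names are assumptions of this example.

```python
# Added example: report the outer signatureAlgorithm of each certificate in a chain.
SIG_ALGS = {  # OID -> name (subset; unknown OIDs are returned numerically)
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
FLAGGED = ("md5", "sha1")  # assumption for this example: hashes to flag

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0  # valid when first arc is 0 or 1
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    _, body, _ = read_tlv(cert_der, 0)
    _, _, tbs_end = read_tlv(cert_der, body)  # skip tbsCertificate
    _, alg, _ = read_tlv(cert_der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(cert_der, alg)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = decode_oid(cert_der[start:end])
    return SIG_ALGS.get(oid, oid)

def audit_chain(chain):
    """chain: [(label, DER bytes)] -> [(label, algorithm, flagged)]"""
    algs = [(label, signature_algorithm(der)) for label, der in chain]
    return [(l, a, any(h in a.lower() for h in FLAGGED)) for l, a in algs]

def skeleton_cert(oid_hex):  # constructed: empty tbsCertificate, 1-byte signature
    body = bytes.fromhex("3000" + "300d0609" + oid_hex + "0500" + "030100")
    return bytes([0x30, len(body)]) + body

SAMPLE_CHAIN = [("server", skeleton_cert("2a864886f70d01010b")),
                ("intermediate", skeleton_cert("2a864886f70d010105"))]
```

For real input, convert each PEM certificate exported from the Firefox or Windows store with `ssl.PEM_cert_to_DER_cert()` and pass the DER bytes to `audit_chain()` in chain order.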