ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED

[SamFritz-Schreck]

Thank you for this script. I have been trying to get my CAC working on ubuntu for a while now.

The script ran, and I am now getting prompted in chrome to select a certificate, however I get this error. Clearing my data and restarting chrome doesn't seem to fix the issue. Any ideas how to troubleshoot?

[jdjaxon]

My apologies for the delay. I don't recall having ever seen this specific issue. I will link some of my previous responses that include general troubleshooting steps.

Issues with the PCSC middleware service:

• https://github.com/jdjaxon/linux_cac/issues/13#issuecomment-1362893763

General CACkey setup and configuration:

• https://github.com/jdjaxon/linux_cac/issues/1#issuecomment-1078578423
• https://github.com/jdjaxon/linux_cac/issues/1#issuecomment-1081971430

Be mindful that the different middleware solutions don't always work well together. If you have anything other than CACkey (OpenSC or CoolKey), they can potentially cause issues. I would temporarily uninstall them to ensure they aren't part of the problem.

If none of the above solutions help, post here, and I will do my best to assist you.

[SamFritz-Schreck]

So now I am getting prompted for my password in chrome but I get stuck in a loop of continuing to enter my pin over and over until I click cancel. This then throws a ERR_BAD_SSL_CLIENT_AUTH_CERT error. Any ideas?

[jdjaxon]

I'm not sure what resource you're trying to access, but is it possible that they have have a bad or expired SSL cert?

Have you tried any other browsers? Chrome may just be having issues verifying their SSL cert causing the page to reload and request your pin again.

[vlawhern]

Reviving an old thread to see if there was any progress made on this, as I'm seeing this error pop up on a new Ubuntu 22.04 LTS install. On this system everything works fine on my older CAC (issued a few years ago) but another user gets this error with a very recent CAC. I see that in your script you download the AllCerts.zip from MilitaryCAC but this file seems out-of-date? AllCerts.zip was uploaded 2023-11-08, so more than a year ago (https://militarycac.com/maccerts/)

I am wondering if there's a mismatch between certs needed for very new CACs and what the script uses to set up Firefox/Chrome.

[jdjaxon]

Reviving an old thread to see if there was any progress made on this, as I'm seeing this error pop up on a new Ubuntu 22.04 LTS install. On this system everything works fine on my older CAC (issued a few years ago) but another user gets this error with a very recent CAC. I see that in your script you download the AllCerts.zip from MilitaryCAC but this file seems out-of-date? AllCerts.zip was uploaded 2023-11-08, so more than a year ago (https://militarycac.com/maccerts/)

I am wondering if there's a mismatch between certs needed for very new CACs and what the script uses to set up Firefox/Chrome.

I may not notice this issue since the certs on my CAC are older. Some people seem to only intermittently have this specific error. I haven't been able to pin down what causes it. I likely need to update the script to also import the certs in the AllCerts.p7b file, which I will do as soon as I have time. I'm sure this will resolve most of the issues.

[tfrum]

I did update your script to grab .p7b instead, and it doesn't seem to solve the issue. In both Chrome and Firefox there's an infinite loop of putting in your PIN, which ends with API failures on sites like MyPay and ArmyIgnited.