ERR_CERT_WEAK_SIGNATURE_ALGORITHM (severity: high)

NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

The certificate is signed with SHA-1, a hash function browsers no longer trust for certificate signatures, so Chrome blocks the page outright.

What you see

Your connection is not private

Attackers might be trying to steal your information from example.com (for example, passwords, messages, or credit cards).

NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

What’s actually happening

Chrome shows the full red interstitial before any content loads. The certificate itself may be in-date and chain to a trusted root, but it's signed with SHA-1, and Chrome has rejected SHA-1-signed certs from public CAs since Chrome 56 in early 2017. SHA-1 is considered collision-vulnerable, so the browser treats the signature as untrustworthy regardless of the expiry date. It fails identically in incognito and on every device.

Common causes

  • The leaf certificate was signed with SHA-1 (`sha1WithRSAEncryption`) instead of SHA-256 — common on certs issued years ago or re-cut from an old template.
  • An internal/private CA still defaults to SHA-1 when signing, so every cert it issues for intranet apps trips this.
  • An intermediate certificate in the chain uses SHA-1, dragging down an otherwise modern leaf.
  • A network appliance or device generated a self-signed SHA-1 cert from outdated firmware.
  • A cert was renewed by copying the old CSR/profile, carrying the SHA-1 signature algorithm forward.

How to fix it

  1. Confirm the signature algorithm. Run `openssl x509 -in cert.pem -noout -text | grep -i 'Signature Algorithm'` (or `echo | openssl s_client -connect example.com:443 | openssl x509 -noout -text | grep -i signature`; add `-servername example.com` so a host serving several certificates returns the right one). If it reads `sha1WithRSAEncryption`, that's the problem. Check the intermediates too — the weak link can be above the leaf. `openssl s_client -showcerts` prints every certificate the server sends, so you can inspect each one.
  2. Reissue the certificate with SHA-256. From a public CA, request a reissue and confirm the signing algorithm is SHA-256 (every legitimate public CA defaults to SHA-2 now). With certbot/Let's Encrypt this is automatic — `certbot renew --force-renewal` produces a SHA-256 cert. Install the new files and reload the server.
  3. Fix a SHA-1 internal CA. If a private CA signs the cert, reconfigure it to use SHA-256 (`openssl ... -sha256`, or set the hash in the CA software) and re-issue both the intermediate and the leaf. A SHA-1 intermediate will keep breaking things even after the leaf is fixed.
  4. Replace appliance self-signed certs. Update the device firmware so it regenerates a SHA-256 self-signed cert, or install a proper SHA-256 cert for the hostname and stop serving the legacy one.
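The check in step 1, done for a whole chain at once: the script below (an added example, not from this page or from OpenSSL) reads every certificate in a PEM bundle such as the output of `openssl s_client -showcerts`, pulls the outer signatureAlgorithm OID with a minimal DER walker, and flags SHA-1 and MD5 signatures. It uses only the standard library; the sample bundle at the bottom is constructed, not real certificates.

```python
# Audit the outer signatureAlgorithm of every cert in a PEM bundle; stdlib only.
import base64, re

NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
         "1.2.840.10045.4.1": "ecdsa-with-SHA1",
         "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.2.840.113549.1.1.4"}  # SHA-1, SHA-1, MD5

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, used by every real certificate
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(der):
    """(oid, name) of Certificate.signatureAlgorithm: SEQUENCE{tbs, alg, sig}."""
    _, cert_start, _ = _tlv(der, 0)
    _, _, tbs_end = _tlv(der, cert_start)       # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)        # AlgorithmIdentifier SEQUENCE
    tag, o_start, o_end = _tlv(der, alg_start)  # its OBJECT IDENTIFIER
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _oid(der[o_start:o_end])
    return oid, NAMES.get(oid, "unknown")

def audit_bundle(pem_text):
    """[(index, algorithm name, is_weak)] for each cert in the bundle, in order."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    out = []
    for i, b64 in enumerate(re.findall(pat, pem_text, re.S)):
        oid, name = signature_algorithm(base64.b64decode("".join(b64.split())))
        out.append((i, name, oid in WEAK))
    return out

# Constructed sample, not real certs: a SHA-1-signed "leaf" then a SHA-256 "intermediate".
def _der(tag, body): return bytes([tag, len(body)]) + body
def _fake_cert(oid_hex):
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _der(0x30, _der(0x30, b"\x02\x01\x01") + alg + _der(0x03, b"\x00\xaa"))
def _pem(der): return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SAMPLE_BUNDLE = _pem(_fake_cert("2a864886f70d010105")) + _pem(_fake_cert("2a864886f70d01010b"))
```

`audit_bundle(SAMPLE_BUNDLE)` reports the first certificate as `sha1WithRSAEncryption` and weak, the second as `sha256WithRSAEncryption`; any weak entry at index 1 or higher is an intermediate that needs reissuing along with the leaf.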

Stop it recurring

Standardize on SHA-256 for every cert and CA template, and verify the signature algorithm with openssl whenever you issue or renew rather than reusing an old profile.
