Error 500: The signature is invalid. Verify and try again

Hello everyone and congratulations again for creating this framework!

I am trying to implement SSL on my nginx docker container, in view of the deployment that will take place on AWS ECS, but i have some problems.

My technologies and related versions:

  • Magento 2.4.1
  • Vue Storefront 1.12.2
  • Vue Storefront API 1.12.3
  • Mage2vuestorefront 1.11.12

The container seems to work correctly, so the site is navigable in SSL, the frontend with Vue Storefront is correctly displayed with a certificate, as well as the back office with access to Magento.

However, I have problems when calls are made to the container that manages the API (vue storefront api - port 8080). For some strange reason it seems that Magento refuses to answer, reporting this error:
{"code":500,"result":{"errorMessage":"The signature is invalid. Verify and try again.","code":401}}

Here is part of my nginx configuration:
server {
listen 80;
return 301 https://$host$request_uri;

server {
    listen 443 ssl http2 default_server;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


# vue storefront frontend
location / {
  proxy_pass http://vsf_nodejs:3000/;

# vue storefront frontend assets
location /assets/ {
  proxy_pass http://vsf_nodejs:3000/assets/;

# vue storefront api
location /api/ {
  proxy_pass http://vsf_api_nodejs:8080/api/;

# vue storefront api img
location /img/ {
  proxy_pass http://vsf_api_nodejs:8080/img/;


I tried to make various attempts, and I also discovered the point where it breaks on Magento:

I don’t understand if it is necessary to configure something on the API application, on the container node that manages it or if there is a starting problem on the certificate that was generated and passed to me. Unfortunately I am quite ignorant about SSL certificates, I tried to assemble the .ca-bundle file and the .crt file into one .crt and assign it back to nginx, but nothing has changed. Can anyone help me?

Thank you so much,

Hello @MichaelZangirolami
please make sure your magento api access has correct permissions for all necessary modules (the code you have pointed to checks both credentials AND requested resource. Temporarily allow ALL endpoints in magento to those API credentials to see if that solves your issue. Then, adjust it correctly to have minimal access once you find out what you were missing.

If giving full access to those credentials in magento didn’t solve the problem in vuesf, make sure you didn’t make a typo or some simple mistake when copying the credentials. sometimes quick copy does a bad job because some part is not copied over due to underscore or so. Just be extra careful at comparing all credentials and it should be good. rebuild the app once you are done and it should be good from there.

Thanks for your response jan,
In these days I’m solving other problems I encounter in my attempt to deploy on AWS Fargate.
I will update this discussion as soon as I return to the matter.

Thank you!

Hi @MichaelZangirolami.
Did you solve the problem?
I have this same problem and I don’t know how to fix it.

Thank you!

Hi @Francesco_Terreni,
nope for the moment. In these days i’m trying to fix other things about VSF and Magento sync… i’ll back on the problem next days.

If I can fix it I will update this post :slight_smile:

Hi @Francesco_Terreni,
I went back to the problem this morning, actually I didn’t get the 500 error “The signature is invalid. Verify and try again”, but I got this other 500 error: “UNABLE_TO_VERIFY_LEAF_SIGNATURE”.

For the first error, which is perhaps still related to the second, I don’t know in which case it happens exactly ath the moment, while for the second I proceeded like this:

  1. I initially verified that the problem was solved by implementing this environment in my VSF API docker:

The problem actually solved itself, but this method is not safe in production, so I solved it by entering my certificate file ca-bundle.crt in vuestorefront-api/config/certs.

Some links that were useful to me:

Update: I found that actually in production mode I still get this error:

Call: https://host/api/stock/check?sku=XXX
Response: {“code”:500,“result”:{“errorMessage”:“The signature is invalid. Verify and try again.”,“code”:401}}

Tomorrow I will try to investigate again to understand what changes compared to my local environment and after I will update this post.

Nothing to do, the credentials are all correct, the problem is only happening to me in the production environment.

The fact is that Magento returns false to on this file src/vendor/laminas/laminas-crypt/src/Utils.php on line 35, precisely, on the function: hash_equals($ expected, $ actual).

I think it depends on the certificate, the point is that it’s the same one I use locally, where it’s working, and it’s a real certificate.

Probably, it is an architectural problem, that not having shared it with you I realize it is difficult to help me.

If you have any ideas I can only thank you, otherwise I will update you when I resolve.

Hi all,
just to inform in case someone could be useful, I solved the problem, it was something very simple in my case: on the VSF API config.json file, it was enough to change all the endpoints from http:// to https:// on the “magento2” key.

I expected it to work anyway, as port 80 on my AWS Load Balancer did a redirect to port 443, as did my local nginx. Maybe Magento didn’t like this redirect with different servers.

Strangely this thing locally seemed to be irrelevant, while in staging it reproduced the error described in this post, probably the difference is that in the first case it’s all on localhost, while in the second case I use a multi-service docker architecture on different servers (AWS Fargate services). I’m not entirely sure, but that’s the only theory I have at the moment.