Certificate Transparency Required on Google Chrome

Hello guys, I'm new to all this. Some of my users are complaining because it throws them the NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED certificate error. For now it seems that it only happens for Windows users with Chrome, because with other browsers it works. I use a Mac and it works for me.

My domain is: aurora.serviceone.cl

My web server is (include version): apache
The operating system my web server runs on is (include version): ubuntu
My hosting provider, if applicable, is: digitalocean
The version of my client is 0.31.0

What version of Chrome are they running?

5 Likes

Using Chrome Version 105.0.5195.102 (Official Build) (64-bit) on Windows 10 I do not see any issue.

2 Likes

Also, you have both chains of trust to ISRG Root X1:
the old chain to support old Android 7ish OSes, and the new one with X1 being a self-signed root.
As shown here:
https://www.ssllabs.com/ssltest/analyze.html?d=aurora.serviceone.cl

All certificates from Let's Encrypt comply with Google's Certificate Transparency policy, so something unusual must be happening to get that error.

9 Likes

You have several certificates created today: crt.sh | aurora.serviceone.cl

1 Like

I thought it was a problem in the creation or misconfiguration of the server..

It could be

  • a user with an out-of-date Chrome
  • a user with a misconfigured system date and time
  • an actual attack where someone has successfully hacked a different CA

I'm not immediately thinking of other realistic options, but I might be missing something.

6 Likes

@carlosjfernandes Can you get someone who encounters this error to export a copy of the certificate in question and send it to you? Chrome should permit saving the certificate into a text file.

6 Likes

I don't know if it has anything to do with it, but I currently live in Chile, and days ago it should have updated its schedule but it didn't; the time change will take place on Saturday. Do you think it has anything to do with it?


A user just told me that now it works because I advanced the time on his computer.

3 Likes

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:bb:8b:02:02:1e:4b:3f:d6:c0:ff:48:cb:45:0e:b2:e6:9e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Sep  6 17:50:36 2022 GMT
            Not After : Dec  5 17:50:35 2022 GMT
        Subject: CN=aurora.serviceone.cl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

2 Likes

Chile should have changed the time days ago, but it did not do it due to a political event; now the official time change will be this next Saturday. The error happens when you are on Windows with Chrome and you have the current time of the country, but if you advance it one hour (like it will be on Saturday) it stops happening. What should I do?

The time used for certificate validity verification is in GMT. The local time change in Chile should not affect that in any possible way.

5 Likes

I am thinking it should resolve itself if you wait one hour, since a certificate's Validity Not Before and Not After are UTC-based timestamps.

1 Like

wow, so I don't know what's going on..

LE certificates are backdated one hour to account for misconfigured times. It could be the browser has its own opinion of time with regard to its calculation from UTC to local time and is not compliant with the very specific political situation? In that case it would have been mere minutes or even seconds to get an incorrect certificate I guess..

Although I don't understand why the browser would complain about CT log stamps instead of just an invalid certificate.

Maybe the CT log stamps aren't backdated?

6 Likes

I bet they are not. But I would like to know that detail for sure.

1 Like

Guys, now it seems that everything works correctly. After an hour or maybe a little more, everything is normalized and I didn't touch anything. It's very strange. Does that time difference have something to do with it?
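
An added example, not part of any post in this thread: a small Python model of the hypothesis raised above, that notBefore is backdated one hour but the SCT timestamps are not, so a client whose UTC clock runs one hour slow passes the validity check yet sees every SCT as "from the future". The SCT times, the required SCT count, the order of checks, and the OS applying UTC-3 while the wall clock shows UTC-4 time are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Validity window taken from the certificate dump in the thread.
NOT_BEFORE = datetime(2022, 9, 6, 17, 50, 36, tzinfo=UTC)
NOT_AFTER = datetime(2022, 12, 5, 17, 50, 35, tzinfo=UTC)
# Constructed: the thread says notBefore is backdated one hour, so real
# issuance is assumed one hour later; the two SCTs are assumed to carry the
# logs' real (not backdated) submission times.
ISSUED = NOT_BEFORE + timedelta(hours=1)
SCT_TIMESTAMPS = [ISSUED + timedelta(seconds=1), ISSUED + timedelta(seconds=2)]


def client_utc(wall_clock, os_utc_offset_hours):
    """UTC as the OS derives it: naive wall-clock time minus the OS tz offset."""
    return (wall_clock - timedelta(hours=os_utc_offset_hours)).replace(tzinfo=UTC)


def check(now_utc, required_scts=2):
    """Modelled client: validity dates first, then SCTs (assumed order and count)."""
    if now_utc < NOT_BEFORE or now_utc > NOT_AFTER:
        return "DATE_INVALID"
    # Hypothesis under test: an SCT timestamped after 'now' is not counted.
    usable = [t for t in SCT_TIMESTAMPS if t <= now_utc]
    return "OK" if len(usable) >= required_scts else "CT_REQUIRED"


def minutes_until_ok(now_utc, limit=180):
    """Whole minutes the client must wait, untouched, before check() passes."""
    for m in range(limit + 1):
        if check(now_utc + timedelta(minutes=m)) == "OK":
            return m
    return None


if __name__ == "__main__":
    # Constructed scenario: ten minutes after issuance, the user's wall clock
    # shows the official local time (UTC-4), but the OS tz data applies UTC-3.
    wall = datetime(2022, 9, 6, 15, 0, 36)
    for label, clock, offset in [
        ("OS offset wrong (UTC-3)", wall, -3),
        ("OS offset right (UTC-4)", wall, -4),
        ("wall clock advanced 1h", wall + timedelta(hours=1), -3),
    ]:
        print(f"{label:26} -> {check(client_utc(clock, offset))}")
    print("minutes until OK:", minutes_until_ok(client_utc(wall, -3)))
```

Under these assumptions the failure window closes on its own once the slow clock passes the SCT timestamps, which matches both reports in the thread: advancing the clock one hour fixed it, and so did waiting about an hour.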