Chrome Certificate Error


#1

Some users of our websites are getting the certificate error ERR_CERTIFICATE_TRANSPARENCY_REQUIRED. We noticed that updating their Chrome version to the current one resolves the issue. Why would this happen with Chrome version 66, for example, and not with version 70?

My domain is:
dalesports.com.br
mylittlecandy.com.br
I ran this command:
NA
It produced this output:
NA
My web server is (include version):
Haproxy
The operating system my web server runs on is (include version):
CentOS 6
My hosting provider, if applicable, is:
NA
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NA


#2

Hi @afagund

Chrome requires that certificate authorities like Let’s Encrypt submit issued certificates to a number of Certificate Transparency logs in order for the certificate to be considered valid & trusted: https://github.com/chromium/ct-policy

One or more of the Certificate Transparency logs that Let’s Encrypt is using to meet the Chrome requirements is not trusted by Chrome 66 (maybe it didn’t exist at the time Chrome 66 was released for example). The set of trusted logs changes release-to-release (some may be added, some may be removed). Edit: In particular, Chrome 66 is missing the “Yeti” family of logs that we submit to. It was added in Chrome 67.

There are a multitude of reasons why users should always be running the most up-to-date version of their web browser. This is another good one :slight_smile:
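The mechanism behind post #2, that one certificate can be CT-compliant in one Chrome release and not in the next, as an added example (not code from this thread or from Let's Encrypt): a minimal parser for the RFC 6962 SignedCertificateTimestampList embedded in a certificate, plus a simplified trust check against two assumed per-release log lists. The log IDs, both trusted-log sets and the "at least two SCTs from distinct trusted logs" rule are constructed assumptions; SCT signatures are not verified, and Chrome's real policy is stricter.

```python
import hashlib
import struct

# Constructed log IDs (RFC 6962 log_id = SHA-256 of the log's public key);
# placeholders, not the real Let's Encrypt or Chrome log list.
LOG_A = hashlib.sha256(b"example log A").digest()
LOG_B = hashlib.sha256(b"example log B").digest()
LOG_YETI = hashlib.sha256(b"example Yeti-style log").digest()
TRUSTED_IN_CHROME_66 = {LOG_A, LOG_B}            # assumed: Yeti not yet known
TRUSTED_IN_CHROME_67 = {LOG_A, LOG_B, LOG_YETI}  # assumed: Yeti added

def build_sct(log_id, timestamp_ms, sig=b"\x00" * 64):
    """Serialize one v1 SCT (RFC 6962 3.2); dummy signature, not verified here."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)                                  # no extensions
            + bytes([4, 3]) + struct.pack(">H", len(sig)) + sig)   # sha256, ecdsa

def build_sct_list(scts):
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

def parse_sct_list(data):
    """Parse a SignedCertificateTimestampList, rejecting bad lengths."""
    total, = struct.unpack(">H", data[:2])
    body = data[2:2 + total]
    if len(data) != 2 + total:
        raise ValueError("truncated or oversized SCT list")
    out, off = [], 0
    while off < len(body):
        n, = struct.unpack(">H", body[off:off + 2])
        sct = body[off + 2:off + 2 + n]
        if len(sct) != n or n < 47:        # 47 = minimum v1 SCT size
            raise ValueError("truncated SCT")
        off += 2 + n
        ext_len, = struct.unpack(">H", sct[41:43])
        out.append({"version": sct[0], "log_id": sct[1:33],
                    "timestamp_ms": struct.unpack(">Q", sct[33:41])[0],
                    "extensions": sct[43:43 + ext_len]})
    return out

def ct_compliant(sct_list, trusted_logs, min_scts=2):
    """Simplified policy: SCTs from at least min_scts distinct trusted logs."""
    seen = {s["log_id"] for s in parse_sct_list(sct_list)
            if s["log_id"] in trusted_logs}
    return len(seen) >= min_scts

# Constructed SCT list: one SCT from log A, one from the Yeti-style log.
EMBEDDED_SCTS = build_sct_list([build_sct(LOG_A, 1_540_000_000_000),
                                build_sct(LOG_YETI, 1_540_000_000_000)])
```

The same embedded SCT list fails under the Chrome 66 set (only one recognised log) and passes under the Chrome 67 set, which is the symptom described above.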


#3

Hi Daniel,

We are an E-Commerce platform with millions of users accessing our customers' stores. It's impossible to ask every user facing this issue to update their browser version. Is there any workaround for this, or is the browser update the only way to go?

Thanks for your prompt response!

Andre Fagundes


#4

Sorry, there’s no workaround. Users with old versions of Chrome will see many certificate warnings browsing the web.


#5

Thanks Daniel, appreciate your help!


#6

This is a bit odd, though, since general CT enforcement in Chrome didn’t start until Chrome 68. Also, Chrome automatically turns off CT enforcement if it hasn’t been updated for 18 weeks.

@afagund, do you know which exact sites have this problem? Chrome 66 did have CT enforcement for one CA: Symantec. If you have a site running an old Symantec certificate, it’s possible Chrome 66 could give that error.

At any rate, all this detail is mainly for curiosity and education. Your main message to affected users should be to keep their Chrome up to date. :grin:


#7

@jsha we are also facing issues with Symantec certs, but in this case users are seeing a different error - NET::ERR_CERT_SYMANTEC_LEGACY.


#8

Hi @afagund

Google doesn't accept old Symantec certificates.

Around the week of October 23, 2018, Chrome 70 will be released, which will fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued. This will affect any certificate chaining to Symantec roots, except for the small number issued by the independently-operated and audited subordinate CAs previously disclosed to Google.

Chrome 70 is now active. These old Symantec certificates should be removed.


#9

Chrome 70 has been active since it hit Canary in July.