Error NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN in 2024

Using "Public Key Pinning" can cause difficulties, and your site may stop opening in the Chrome browser. Usually this happens after an SSL certificate has been renewed: the pin lifetime chosen by the administrator can extend past the certificate's expiration or renewal date.

As a result, visitors to the website receive the error NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, as in the screenshot below.

HSTS is HTTP Strict Transport Security. This setting forces the browser to always use HTTPS for a particular site; it is switched on by a special header sent by the web server that serves the site. As an additional layer of security, HPKP (HTTP Public Key Pinning) can be used. This setting lets the webmaster specify which public keys associated with the site's SSL certificate are acceptable. The visitor's browser stores these pins for the time specified in the web server settings.

Sometimes something goes wrong: webmasters make mistakes when configuring their servers, and as a result the site becomes inaccessible. In that case you can delete the stored keys manually in the browser settings. This does not work for keys that ship preloaded in the browser (for example, Facebook's); there, updating the browser may help.


Solution: removing a pinned HSTS key

Fortunately, such problems can be solved quite simply: just remove the key from the HSTS database of the Google Chrome browser.

I have recently replaced the SSL certificates issued by RapidSSL because Symantec is no longer trusted by Google. But after replacing the new SSL certificates I'm experiencing a privacy issue from web browsers. The browser indicates the following error when I try to access a domain name which was affected by the new SSL certificates: NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

So I did research on this error and found out that this error occurs due to the public key pins cache. But on further researching this matter I found out that the public key pin for the SSL certificates has not been changed with the newly issued certificates. So if we compare the public key pins between the certificates prior to replacement and after the replacement, both have the same BASE64-encoded hash value. Further, I saw that this issue gets resolved once the browser cache is cleaned. But our clients do not like to clean their browser cache, so we cannot rely on clearing the browser cache. Can you please let us know if there is any other way we can overcome this issue?

asked Apr 25, 2018 at 11:38


Thanks for help. I also found a solution.

For GC: follow the instructions from this image:

For FF:

  1. Close the browser.
  2. Open the file "SiteSecurityServiceState.txt" from the profile folder and remove the lines with the site's domain.
  3. Open the browser.

I hope this will be useful if someone is confronted with the same situation.

answered Jul 16, 2018 at 6:01

Vitaly


There’s a promising way to solve this Google Chrome error, NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, but it’s quite risky if you’re not experienced and confident enough to know what you’re doing. As the error itself says, this Google Chrome error is a key pinning error. Although HTTP Public Key Pinning (HPKP) is, in theory, one of the solutions, it’s quite difficult for most organizations, and, to put it simply, it’s not recommended for regular website owners.

If an attempt at key pinning backfires, things won’t go as planned. The error itself means that the key you tried to pin isn’t bound to the pinned certificate. Also, these keys are not interchangeable, and failing to pin the right key for the right certificate can break the website.

To put it another way, you don’t have to pin only your own keys: you also have to pin the keys for the whole certificate chain, including the root, whose key is in the browser’s root store. The reason is that, whenever a visitor arrives at your website, the server hosting it presents the certificate to the user’s browser, and the browser uses those public keys to verify the signature on every certificate in the chain, tracing it back to the root certificate that issued it.

Nevertheless, there’s always the possibility of mis-pinning one of the intermediate public keys while pinning your own certificate, and that can create a problem.
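The check the browser performs, as an added illustration for the HPKP description above and for this chain argument (example code written for this page, not from any of the quoted posts): each certificate's pin is base64(SHA-256(DER SubjectPublicKeyInfo)), and the chain is accepted only if at least one of its certificates carries a pinned key. The certificate bytes below are a constructed X.509 skeleton with a dummy algorithm OID and key, not a real certificate; input certificates are assumed to be in DER form.

```python
import base64
import hashlib

def der_read(buf, pos=0):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (DER never uses indefinite form)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Split a constructed value's contents into its child TLVs (raw bytes)."""
    out, pos = [], 0
    while pos < len(buf):
        nxt = der_read(buf, pos)[2]
        out.append(buf[pos:nxt])
        pos = nxt
    return out

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 cert. RFC 5280: TBSCertificate ::= SEQUENCE
    { [0] version OPTIONAL, serialNumber, signature, issuer, validity, subject, SPKI, ... }"""
    tbs = der_read(der_read(cert_der)[1])[1]   # Certificate -> tbsCertificate contents
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                   # skip the optional explicit [0] version
        fields = fields[1:]
    return fields[5]

def spki_pin(spki_der):
    """HPKP pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def header_pins(pkp_header):
    """Set of pin-sha256 values in a Public-Key-Pins header value (other directives ignored)."""
    return {v.strip().strip('"') for k, _, v in (d.strip().partition("=")
            for d in pkp_header.split(";")) if k.strip().lower() == "pin-sha256"}

def chain_has_pinned_key(chain_der, pkp_header):
    """The browser's test: some cert in the served chain must carry a pinned key,
    otherwise Chrome reports NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN."""
    return any(spki_pin(extract_spki(c)) in header_pins(pkp_header) for c in chain_der)
# Constructed sample (not a real certificate): a structurally valid X.509 skeleton with
# a dummy algorithm OID and key, enough to exercise the parser and the pin computation.
def der(tag, body):
    return bytes([tag, len(body)]) + body      # short-form length only (bodies < 128 bytes)
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x03\x04")) + der(0x03, b"\x00\x42"))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                  + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))
```

For a real certificate, feed its DER bytes (for a PEM file, `ssl.PEM_cert_to_DER_cert` from the standard library converts it) to `extract_spki`; comparing `spki_pin` of the old and the new certificate is the check the question above describes.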

The simple fix to avoid such a problem is: STOP KEY PINNING.

Experts also advise the same: it’s best to avoid key pinning. Lastly, it’s best to re-install your SSL/TLS certificate, and any intermediates, in the standard manner. Ultimately, it can also mean that you may have to remove the configuration made previously, which takes only a few minutes.
