Chrome shows site as "Not Secure" (Cert Invalid), but certificate is correct


Contrary to curl or s_client, neither Chrome nor Firefox uses the system's CA store on Ubuntu. They have their own trust store and you need to import the CA certificate into their specific store in order to be treated as trusted. To access the trust store of Chrome use chrome://settings/certificates.
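The same import can be done from a terminal with NSS `certutil`; this is an added example, not part of the original answer. It assumes `certutil` is installed (Ubuntu package `libnss3-tools`) and that Chrome reads the default per-user NSS database at `~/.pki/nssdb`; the function names and the nickname in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: import a private root CA into the per-user NSS database
# that Chrome reads on Linux, trusted for TLS server certificates only.

# Default per-user NSS database (assumption: standard, non-sandboxed install).
nssdb_spec() {
    printf 'sql:%s/.pki/nssdb' "$HOME"
}

# import_ca <ca.pem> <nickname>
# Returns 0 on success, 2 on bad input, 3 if certutil is missing,
# otherwise the exit status of the failing certutil call.
import_ca() {
    ca_file=$1
    nickname=$2
    [ -n "$ca_file" ] && [ -n "$nickname" ] || {
        echo "usage: import_ca <ca.pem> <nickname>" >&2; return 2; }
    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 2; }
    # Only the public certificate belongs in a trust store: refuse key material.
    if grep -q 'PRIVATE KEY' "$ca_file"; then
        echo "$ca_file contains a private key, refusing" >&2; return 2
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "$ca_file is not a PEM certificate" >&2; return 2; }
    command -v certutil >/dev/null 2>&1 || {
        echo "certutil not found (install libnss3-tools)" >&2; return 3; }

    db=$(nssdb_spec)
    mkdir -p "$HOME/.pki/nssdb"
    # Create the database if Chrome has not created it yet.
    [ -f "$HOME/.pki/nssdb/cert9.db" ] ||
        certutil -N -d "$db" --empty-password || return $?
    # -A adds the cert; -t "C,," marks it as a trusted CA for TLS servers,
    # leaving the e-mail and code-signing trust fields empty.
    certutil -A -d "$db" -n "$nickname" -t "C,," -i "$ca_file" || return $?
    # Confirm the entry is present under the chosen nickname.
    certutil -L -d "$db" -n "$nickname" >/dev/null
}

# Usage, with the file name from the question and a constructed nickname:
#   import_ca rootCA.pem "My Local Root CA"
```

Restart Chrome after the import so it rereads the database. Firefox keeps a separate database per profile and is not affected by this.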


Author: blueFast

Updated on September 18, 2022

Comments

  • blueFast
    blueFast over 1 year

    I have a self-generated CA, and a generated certificate. The certificate is valid:

    » openssl verify -verbose -x509_strict -CAfile rootCA.pem mysite.bundle.crt
    mysite.bundle.crt: OK
    

    The root CA is installed in my system (Ubuntu 16.04), and curl is able to validate the cert:

    curl https://mysite
    

    No complaints here.

    I can verify the cert chain in the running site, and everything seems ok, including the SAN entries:

    » openssl s_client -showcerts -servername mysite -connect mysite:443 </dev/null 2> /dev/null | openssl x509 -noout -text | grep DNS:
                    DNS:mysite
    

    But Chrome still complains. What could be the reason?

    EDIT

    Adding screenshot


    • user1686
      user1686 about 6 years
      Chrome usually shows a specific error code. Can you provide it?
    • blueFast
      blueFast about 6 years
      @grawity there is no error code per se, but some details. I have added a screenshot. I can add more if needed.
  • blueFast
    blueFast about 6 years
    Thanks. Are you sure? This comment to another question of mine says the opposite
  • Steffen Ullrich
    Steffen Ullrich about 6 years
    @dangonfast: Yes I'm sure. Just have a look at the store yourself by using chrome://settings/certificates and see if you find the certificates you've added to the global store there. Chrome does use the system CA store on Windows and Mac but not on Linux. Firefox uses its own store on all platforms.
  • blueFast
    blueFast about 6 years
    Indeed, that link should be in your answer too! :) And those are the only ones used by Chrome, not on top of the system ones?
  • Steffen Ullrich
    Steffen Ullrich about 6 years
    @dangonfast: From my experience these are the only ones.
  • blueFast
    blueFast about 6 years
    After adding the self-generated CA root certificate to the Chrome store, it shows as valid. Thanks!
  • Ramhound
    Ramhound about 6 years
    @dangonfast You never specified what OS. A tag doesn’t count.