
How to Fix ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN Error?

Last updated Mar 10, 2025 | SSL Errors


Getting the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN Chrome error can be frustrating for both website owners and visitors. This SSL-related error usually occurs when none of the pinned public keys match a key in the certificate chain presented by the server.

Key pinning is a security measure intended to prevent man-in-the-middle attacks, but when misconfigured, it can block legitimate access to your site.

In this article, we will explain the most frequent causes of this error and the methods for solving it for both website owners and visitors.

What are the Common Causes of ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN in Google Chrome

Understanding the root causes of this error is the first step toward resolving it. Here are the most common culprits:

  • Incorrect Key Pinning Configuration
  • Certificate Chain Issues
  • Expired or Mismatched Certificates
  • Server Misconfiguration
  • Browser Caching Issues

1. Incorrect Key Pinning Configuration

  • What Happens: HTTP Public Key Pinning (HPKP) is a security feature that tells browsers to associate a specific cryptographic public key with a website. If the pinned key doesn’t match the one in the certificate chain, the browser blocks access.
  • Why It Matters: Misconfigured HPKP can lead to this error, especially if the pinned key is outdated or incorrect.
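The pin check described above can be reproduced offline. The following is an added example, not code from the original article or from Chrome: it parses a Public-Key-Pins header (RFC 7469 syntax) and tests whether any key in the served chain matches a pin. The function names are hypothetical and the key bytes are constructed stand-ins for real DER-encoded SubjectPublicKeyInfo structures.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into pins, max-age and flags."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        # Split on the first '=' only: base64 pins end in '=' padding.
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def chain_satisfies_pins(policy: dict, chain_spkis: list) -> bool:
    """The connection passes only if at least one chain key is pinned."""
    return any(spki_pin(spki) in policy["pins"] for spki in chain_spkis)

# Constructed placeholder keys (not real DER), one per certificate.
OLD_LEAF = b"constructed-spki: leaf key in use when the pin was set"
BACKUP_LEAF = b"constructed-spki: offline backup key pinned in advance"
NEW_LEAF = b"constructed-spki: fresh key generated at renewal, never pinned"
INTERMEDIATE = b"constructed-spki: CA intermediate key"

# Header the site sent while OLD_LEAF was live; browsers keep it for max-age.
HEADER = (
    f'pin-sha256="{spki_pin(OLD_LEAF)}"; '
    f'pin-sha256="{spki_pin(BACKUP_LEAF)}"; '
    "max-age=5184000; includeSubDomains"
)

if __name__ == "__main__":
    policy = parse_pkp_header(HEADER)
    for label, leaf in [("original key", OLD_LEAF),
                        ("renewed with unpinned key", NEW_LEAF),
                        ("renewed with backup key", BACKUP_LEAF)]:
        ok = chain_satisfies_pins(policy, [leaf, INTERMEDIATE])
        print(f"{label}: {'pin match' if ok else 'PINNED_KEY_NOT_IN_CERT_CHAIN'}")
```

The middle case is the failure this article covers: the certificate is valid, but the browser still holds a pin set that contains none of the keys now being served.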

2. Certificate Chain Issues

  • What Happens: The SSL certificate chain includes the end-entity certificate, intermediate certificates, and the root certificate. If any link in this chain is missing or invalid, the browser won’t trust the connection.
  • Why It Matters: Incomplete or improperly configured chains are a common cause of SSL errors.

3. Expired or Mismatched Certificates

  • What Happens: SSL certificates have expiration dates. If a certificate expires or doesn’t match the domain name, browsers will flag the connection as insecure.
  • Why It Matters: Expired or mismatched certificates can disrupt user access and harm your site’s credibility.

4. Server Misconfiguration

  • What Happens: Incorrect server settings, such as missing intermediate certificates or improper SSL/TLS configurations, can trigger this error.
  • Why It Matters: Server misconfigurations are often overlooked but can be easily fixed with the right adjustments.

5. Browser Caching Issues

  • What Happens: Browsers cache SSL information to speed up future visits. If the cached data is outdated or corrupted, it can cause errors.
  • Why It Matters: Clearing the cache is a simple yet effective solution for many SSL-related issues.

A Key Solution: Removing a Fixed HSTS Key

If you are getting the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error because of a fixed HSTS (HTTP Strict Transport Security) key, there is no need to panic; this problem can be fixed in a few minutes. The following is a step-by-step guide to removing the key from Google Chrome’s HSTS database:

  • Open Chrome’s HSTS Settings: Type chrome://net-internals/#hsts into the address bar and press Enter.
  • Delete the Domain’s Security Policies: In the “Delete domain security policies” section, type the domain that is causing the problem and click the Delete button.
  • Retry Accessing the Website: After deleting the domain from the HSTS database, close your browser and launch it again, then try to revisit the site. This should fix the error if it was caused by a cached or incorrect HSTS configuration.

How to Fix the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN Error as a Website Owner

If you are a website owner, this error can have a severe impact on your business, so fix it as soon as possible so that your clients can access your site without restrictions.

Here’s what you can do:

  • Verify Your SSL Certificate
  • Ensure a Complete Certificate Chain
  • Update or Remove HPKP
  • Check Server Configuration
  • Test and Monitor

1. Verify Your SSL Certificate

  • Check that your SSL certificate is still valid and is issued for the right domain name.
  • You can use SSL Labs’ SSL Test to check your certificate. The tool produces a report that makes it easy to see whether anything is wrong with the certificate.

2. Ensure a Complete Certificate Chain

  • You should also make sure that your server is set to send the entire certificate chain to the client, including the intermediate certificates.
  • If you are using a CDN or a hosting company, you should check whether they allow the correct chain to be set up.

3. Update or Remove HPKP

  • HTTP Public Key Pinning (HPKP) has been deprecated because of its complexity and the risk of misconfiguration.
  • If you are still using it, you should consider removing it completely.
  • Replace HPKP with modern security measures like Certificate Transparency and Expect-CT headers, which you should consider using instead of HPKP to improve the security of your website.

4. Check Server Configuration

  • Go through your settings and check that the SSL/TLS protocols are correctly configured.
  • You can also use Mozilla’s SSL Configuration Generator to generate the best server settings.

5. Test and Monitor

  • After changing the configuration, check the site with SSL Checker or Why No Padlock to ensure that the error is gone.
  • Keep checking your site from time to time to detect and fix problems before they affect users. Once a user gets an error message, they may not try to access your site again.

How to Fix the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN Error as a Website Visitor

If you are a visitor to a site and you encounter this error, there are several measures you can take to solve the issue:

  • Clear Browser Cache: Cached SSL data can sometimes cause errors. Delete your browser’s cache and cookies, then try to load the page again. The steps for clearing the cache differ between browsers, but you can find the option in the settings.
  • Check Your System Date and Time: Incorrect system clock settings can lead to SSL certificate validation failure. Check that the clock on your device is correct.
  • Try a Different Browser or Device: Sometimes SSL errors are related to a particular browser’s settings or issues. Try to open the site with another browser or device.
  • Disable Browser Extensions: Some browser extensions, particularly those related to security or privacy, can break SSL connections. Try temporarily disabling extensions and check whether the error appears again.
  • Contact the Website Owner: If the error still persists, it is probably a server-side issue. Contact the owner or administrator of the website and let them know about the issue.

Final Thoughts

The NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error is a security feature that protects users; however, if pinning is misconfigured, it can be a real pain. By understanding the most typical causes and implementing the measures discussed above, both website owners and visitors will be able to fix this problem without difficulty.

For website owners, it is crucial to stay aware and maintain the right SSL settings to avoid such errors. For visitors, basic troubleshooting measures like deleting the cache or checking system settings could be enough to solve the problem.

SSL errors not only affect the user experience but also negatively impact your site’s reliability. Solving them quickly is important to ensure that everyone has a secure and smooth browsing experience.
