Jason Parms

A brief guide to fix an SSL Certificate Error: NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN Error in Chrome

Have you encountered NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error while browsing in Google Chrome? This is not a very common error, but since you have probably encountered it, you have come here looking for a solution.

The Google Chrome server-side error will appear like:

NET ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

 

The error may look slightly different in other browsers, but the answers to this error are the same.

If you are the web owner and encountering this error, there is a high chance that you can fix the issue by following some troubleshooting tips. But make sure that you are not only a regular website owner but technically skilled to handle this task. Otherwise, allow a professional to fix the error for you.

In case you encountered this server-side error while visiting a website that is not your error, there is nothing much you can do.

You can gather the tricks from this article and try to fix the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error, which you have been encountering to have an improved user experience.

What causes NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error?

ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error is a key pinning error.

HTTP public key pinning (HPKP) was once considered an excellent security feature, but it has been removed from many modern browsers. This feature can help a web client to link a particular cryptographic public key with a specific web server. It can reduce the risk of MITM attacks made with fake certificates.

Owing to the complexity involved in pinning keys, not all can do it correctly except for the most technically advanced organizations.

If you have been trying to pin the keys and seeing error, it is because one of the keys you have pinned does not belong to the SSL certificate on which you pinned it.

You cannot change the keys. Thus, in the process of incorrectly pinning the keys to the correct certificates, you may end up breaking your entire site.

The process is more complicated because apart from pinning your own keys, you are required to pin the keys in all your certificate chain, except for the root. You will find the key of the root in the root stores.

Fixing NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN (For webmasters)

Don’t attempt to pin the keys unless you are an expert and sure about what you are doing.

It is great if you can do it yourself as you will be able to have more control of the public keys used. It will lessen the risk of hackers cracking the associated private keys. However, the disadvantage is that there is a chance of breaking your entire website if you fail in your attempt.

Solution 1

Perhaps, you are facing ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error as you have not pinned a key somewhere in the certificate chain or you have pinned the incorrect key to one of the intermediate certificates that help in composing your certificate chain.

Note that web browsers need to complete the certificate chain effectively. Otherwise, they can’t extend the trust to an end-user certificate. In the process, the signatures on the certificates have to be verified with the use of their public keys.

Find the offending certificate. You can then search for a copy of its public key by visiting the intermediate CA’s website.

Solution 2

The tip is highly recommended.

Here, you will have to stop pinning keys.

Even experts say the trouble of pinning keys is not worth the security you get except for the most sophisticated companies or organizations.

Moreover, some browsers, including Google Chrome, are either not supporting it or are planning to remove it.

Besides, regularly turning over certificates and keys will give you the same level of security offered by key pinning. You don’t have to pin them. Rotating them every 3-6 months is a better solution.

Fixing NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN (For web visitors)

Sadly, you can’t do anything as a web visitor when you encounter ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error as it is a server-side error. But you can try the tips below.

Solution 1

This tip is applicable only if you have recently renewed your SSL. Perhaps, the time chosen by the administrator has exceeded the certificate expiration date or its renewal.

To fix the error, remove the key from the HSTS database of your browser.

To do that,

Go to Google Chrome address bar and add the below command

chrome://net-internals/#hsts 

Next, submit the domain name that is causing the error to Delete domain security policies. Tap on Delete.

remove the key from the HSTS database

Revisit the website.

Solution 2

There is one trick you can apply, but it is not recommended.

Go to the site using the HTTP protocol. In case the website isn’t forcing HTTPS with an HSTS header, you might be able to gain access to it. But remember that you will be without any security.

This isn’t a good idea as you don’t want to compromise your password or payment information. Any data you enter will be easily visible to third parties, most probably with malicious intent.

What you can do instead is contact the site owner. Tell them about the ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN issue you are encountering. If the website is genuine, they will take the matter seriously and attempt to resolve it as they won’t want to lose followers.

Wrapping-Up

ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error is a server-side error which is uncommon. But you can attempt to resolve the error as a web owner by following the troubleshooting tips mentioned above. Or even better, stop pinning keys. Just rotate them frequently.

For web visitors, there is nothing much you can do as it is a server-side error that needs to be resolved by the web owner. Your best bet is to call up the website owner and report the issue to them.

Installing an SSL is the best online security measure that you can take today to safeguard your data, but at the same time, misconfigurations can lead to errors. Don’t let these errors deter you from using an SSL. Reinstalling it or following some troubleshooting tips can resolve the issue most of the time.

Related Articles: