
How to Fix NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN Error on Google Chrome?

Since 2018, an SSL/TLS certificate has become an essential part of website security. But any misconfiguration can cause numerous problems, resulting in different types of errors.

One of these SSL errors is the Google Chrome error NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN (also written as ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN or NET ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN).

This Google Chrome error is a server-side error; the Mozilla Firefox browser shows it differently, as MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE.

It doesn’t matter in which browser you face this error: whether it’s Google Chrome or Mozilla Firefox, the case is the same. When it comes to resolving it, there’s both good and bad news. The good news is that if you’re the website owner and facing this issue, there’s a way to resolve it. The bad news is that if you’re a website visitor, you can’t do much.

How Can Website Visitors Fix NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN?

As said earlier, there’s not much you can do if you’re a website visitor. The best things you can do are:
  • Contact the owner of the website, let them know that their website is facing this SSL certificate pinning error, and wait until they fix the issue.
  • Another option is to not click through the warning and instead try to connect to the website over HTTP. However, connecting to a website over HTTP is not recommended, because any details entered on that website, such as a password, remain open and visible to third parties.

How Can Website Owners Fix NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN?

There’s a promising way to solve the Google Chrome error NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, but it’s quite risky if you’re not experienced and confident enough to know what you’re doing. As the error itself explains, this Google Chrome error is a key pinning error. Though one of the solutions, in theory, is HTTP Public Key Pinning (HPKP), it’s quite difficult for most organizations. To put it simply, it’s not recommended for regular website owners.

If an attempt at key pinning backfires, things won’t go as planned. The error itself means that the keys you have tried to pin aren’t bound to the pinned certificate. Also, these keys are not interchangeable, and failing to pin the right key to the right certificate can break the website.

To put it another way, you don’t have to pin only your own keys; you also have to pin the keys for the whole certificate chain, save for the root, whose key is included in the root stores. The reason is that whenever a visitor arrives at your website, the server on which your website is hosted presents the certificate to the user’s browser. The browser then uses those public keys to verify the signature on every certificate and traces it back to the certificate that issued it.

Nevertheless, there’s always the possibility of mis-pinning other intermediate public keys while pinning your own certificate, and that can create a problem.

The simple fix to avoid such a problem is: STOP KEY PINNING.

Experts advise the same: it’s best to avoid key pinning. Lastly, it’s best to re-install your SSL/TLS certificate, along with any intermediates if there are any, in the standard manner. Ultimately, it can also mean that you have to remove the configuration made previously, which takes a few minutes.
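To make the failure concrete, here is an added example (not code from this article) that models the HPKP comparison in Python: a pin is the base64 SHA-256 of a key's SubjectPublicKeyInfo, and validation fails when no pinned value matches any key in the served chain. The SPKI byte strings are constructed stand-ins rather than real keys, and the function names are hypothetical.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64 of the SHA-256 of the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pins(header: str) -> dict:
    """Extract the pin-sha256 values and max-age from a Public-Key-Pins value."""
    pins = set(re.findall(r'pin-sha256\s*=\s*"([A-Za-z0-9+/=]+)"', header, re.I))
    age = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.I)
    return {"pins": pins, "max_age": int(age.group(1)) if age else None}

def check_pinning(header: str, chain_spkis: list) -> str:
    """Classify a pin set against the public keys of the chain the server sends."""
    policy = parse_pins(header)
    if policy["max_age"] is None or not policy["pins"]:
        return "invalid-header"      # no usable pinning policy in the header
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not policy["pins"] & chain_pins:
        return "pin-failure"         # no pinned key appears in the chain
    if policy["pins"] <= chain_pins:
        return "no-backup-pin"       # every pin is in the chain, none held in reserve
    return "ok"

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
OLD_LEAF = b"constructed-spki-old-leaf"
NEW_LEAF = b"constructed-spki-new-leaf"
INTERMEDIATE = b"constructed-spki-intermediate"
BACKUP = b"constructed-spki-offline-backup"

# Policy a site might have published while it was still serving OLD_LEAF.
HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
    spki_pin(OLD_LEAF), spki_pin(BACKUP))

if __name__ == "__main__":
    # Chain at the time the pins were published.
    print(check_pinning(HEADER, [OLD_LEAF, INTERMEDIATE]))
    # Certificate re-issued with a new key while the old pins are still remembered.
    print(check_pinning(HEADER, [NEW_LEAF, INTERMEDIATE]))
```

The second call is the situation behind the Chrome error: the browser still holds the published pins, but none of them matches a key in the chain it is now shown.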

Summary

This is one of the server-side errors that doesn’t occur very often, but there’s a possibility that you may come across it in Google Chrome. If that’s the case, there’s no need to worry. If you’re a website visitor, there’s not much you can do except try to contact the website owner and let them know that their website is facing this issue. And if you’re the website owner, the best piece of advice we can give is to reinstall the certificate in the same old-fashioned way.
