Chrome, Safari, and Airmail have stopped trusting random certificates, including ones for Google-owned sites

Super User Asked by tubedogg on November 16, 2021

As of approximately June 13, 2020, some secure sites that I try to visit in Google Chrome are showing a Privacy error, specifically NET::ERR_CERT_AUTHORITY_INVALID. I am using Google Chrome Version 83.0.4103.106 (Official Build) (64-bit) on macOS 10.14.6. After further testing I am having this problem in Microsoft Edge (which is built on top of Chromium) and Safari, too (though not Firefox).

This includes google.com, docs.google.com, youtube.com, and gmail.com, as well as status.discordapp.com, cdn.superonefoods.com (though their site countymarketifalls.com works fine), and boardgamegeekstore.com. Sites that work fine include torn.com, abc.com, and this site.

I found an answer somewhere on one of the Stack Exchange sites (sorry, didn’t save the URL) that suggested I drag-and-drop the image of the certificate onto my desktop, which copies the certificate, then add it to Keychain Access and manually trust it. I tried it for Google and that solved it for Google-related sites. I have not done that for the other sites as there is clearly something wrong here and I am not doing that manually for every site.

When I click on the "Not Secure" bit before the URL, it says "Certificate (invalid)". Clicking on the words "Certificate (invalid)" shows me a chain of certificates, all of which say they are "valid". See screenshot for boardgamegeekstore.com. (Paradoxically, that site uses the same chain of certificates that superuser.com uses, and boardgamegeekstore.com doesn’t work while superuser.com does.)

Screenshot showing chain of certificates for site boardgamegeekstore.com. Bottom-most (site-specific) is selected and demonstrates "This certificate is valid" text.

I am having a similar problem when my email client, Airmail Version 4.1 (618), tries to connect to imap.gmail.com (but not to imappro.zoho.com). This screenshot is rather long and cobbled together because it wouldn’t let me expand the window, but this is the only place I see an error message regarding a certificate–Chrome shows "This certificate is valid," as seen above, for all certificates, even while simultaneously telling me the certificate is invalid on the error page.

Further details

I am not using a VPN or proxy. I do use Little Snitch, but I disabled it entirely and the problem persisted.

Besides what is built into the system as far as PHP, Python, etc., I do have the following installed via Homebrew:

$ brew list
bchunk      [email protected] readline    telnet      youtube-dl
gdbm        python      sqlite      xz

[email protected] is a dependency of Python 3, per brew info python. It is possible that is causing problems, but I don’t know why that would have just now started causing problems, as it has been installed since February.

To my knowledge nothing changed recently before the issue occurred.

This is also impacting the Discord app, but as far as I can tell, no other applications on my user account are having this problem. No other devices on my network are having any problems. As noted below, another user account on my computer is not exhibiting the problem in limited testing.

Rebooting sometimes seems to resolve the problem for a while, between several and 24 hours, before it starts occurring again.

Things I have tried

  • Incognito windows in Chrome. The problem persists. (I can bypass the warning for sites using HSTS in Incognito whereas I can’t outside of Incognito, because of the way Incognito functions, but this does not resolve the underlying problem.)

  • using Firefox. All of the sites in question, including Google before I "fixed" it, did and continue to work correctly in Firefox with no errors or warnings. (Firefox has been installed since before this problem started. My understanding is it has its own certificate store and does not use the system’s, which would explain why it works fine.)

  • temporarily disabling my firewall. It had no effect.

  • updating Chrome. It updated to Version 83.0.4103.106 (Official Build) (64-bit), but did not fix anything. Sorry I forgot to note the before version, but I keep it up-to-date, so it would have been whatever the last Stable version was. It has since auto-updated to 83.0.4103.116.

  • cleared browsing data for "Download history" and "Cached images and files". It had no effect.

  • disabled all extensions in Chrome. It had no effect.

  • installed Security Update 2020-003 and macOS Mojave 10.14.6 Supplemental Update 2. During this process the computer rebooted and the problem was resolved for the remainder of the evening. Today the problem has returned.

  • deleted /var/db/crls/crlcache2.db and rebooted. This resolved it for over 24 hours, at which point the issue started again.

  • ran openssl s_client -connect docs.google.com:443 from the command line. It returned no errors, which I think means the problem seems to be limited to browsers and my email client.

  • logged into another account on my computer which has been set up for a while, well before these problems started, and was able to browse in Chrome and Safari without problem to the sites noted above. I have re-checked this from time to time and the other account is still working fine. This seems to indicate it’s something with my user account, but see next item.

  • disabled iCloud Keychain and deleted my login keychain in Keychain Access, so it was recreated on next login. Theoretically this puts it on par with the other user account but my user account is still having the problems.

  • installed Security Update 2020-004 Mojave. Again, the reboot resolved it for a short period of time and then the issue resumed.

  • compared certificates for superuser.com and boardgamegeekstore.com. The site-level certificates are identical except for the bits pertaining to each site. The intermediate- and root-level certificates are identical for each.

Possible others having this issue

I did find these two threads on Let’s Encrypt’s community indicating that others are having this problem with the exact symptoms that I am (random sites affected but Chrome says certs are valid, reboot fixes it temporarily, etc). At least I know I am not alone, but I am not sure anything there helps resolve it.

https://community.letsencrypt.org/t/letsencrypt-org-frontpage-net-err-cert-invalid/116707/35
https://community.letsencrypt.org/t/macos-safari-certificate-weirdness/118778
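
An added example for the openssl s_client step listed above (not part of the original question): s_client completes the handshake even when chain verification fails and reports the outcome only in its "Verify return code" line, so this script extracts that code and, on macOS, evaluates the same chain with security verify-cert, which uses the system trust evaluation instead of OpenSSL's. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of s_client's closing lines for a chain it could not verify.
SAMPLE_FAIL='    Start Time: 1592000000
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)'

# Print the numeric code from the last "Verify return code:" line on stdin,
# or "none" when s_client never got far enough to print one.
verify_code() {
    awk '/Verify return code:/ { c = $4 } END { print (c == "" ? "none" : c) }'
}

# Split the PEM blocks on stdin into DIR/cert-0.pem, cert-1.pem, ... (leaf first).
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" (n++) ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }'
}

# Check one host with both verifiers (needs network access).
check_host() {
    host=$1
    tmp=$(mktemp -d) || return 1
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null >"$tmp/out" 2>/dev/null
    printf '%s: openssl verify code %s\n' "$host" "$(verify_code <"$tmp/out")"
    split_chain "$tmp" <"$tmp/out"
    # macOS only: evaluate the same chain through the system trust APIs.
    if command -v security >/dev/null 2>&1 && [ -e "$tmp/cert-0.pem" ]; then
        set --
        for f in "$tmp"/cert-*.pem; do set -- "$@" -c "$f"; done
        if security verify-cert "$@" -p ssl -s "$host" >/dev/null 2>&1; then
            echo "$host: system trust evaluation ok"
        else
            echo "$host: system trust evaluation FAILED"
        fi
    fi
    rm -rf "$tmp"
}

# Usage: sh check.sh docs.google.com boardgamegeekstore.com superuser.com
if [ "$#" -gt 0 ]; then
    for h in "$@"; do check_host "$h"; done
fi
```

Running it under both the affected and the unaffected user account shows whether the two verifiers disagree for the same served chain.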

One Answer

I'm having the same exact issue, but on Windows. Both Chrome and Edge are affected (they are both based on Chromium), Firefox is unaffected. Signing into another account on the computer seems to fix it, so I assume something has occurred with my account specifically. The thing is, I haven't changed anything. It seemed to occur right after I updated Edge to the latest version (83), but it may have been a coincidence.

I have done the Windows equivalents of what you've tried, and still no luck.

Answered by Levi on November 16, 2021