With Chrome 57, StartCom StartSSL SSL Certificates are branded as “not trusted”

Yesterday Chrome installed an update for us, bringing the newest stable version, 57, to our computers.

Together with that update we experienced an unexpected change: for one of our website endpoints, Chrome marked the SSL certificate as insecure and showed a warning about NET::ERR_CERT_AUTHORITY_INVALID.

Naturally we suspected an expired certificate, but when we checked we were surprised to find that the cert was still active and valid until 2019, so there had to be another reason!

Indeed, the problem was not with our cert or server configuration, but with the release of the newest Chrome version, specifically version 57. Google made an announcement last year, warning users of WoSign & StartCom SSL certificates that Chrome would stop including these issuers in its trusted list by version 56.

It seems that this change did not make it into version 56, but was instead made active in version 57, which has been rolled out recently.

We had already migrated the majority of our endpoints to safe and open certificates from https://letsencrypt.org/, but one was still running on our old StartCom certificates, so we migrated that endpoint as well, after which SSL ran flawlessly again.

For Azure Web Apps we use https://github.com/sjkp/letsencrypt-siteextension, and for Ubuntu Server, you can follow the easy steps illustrated at https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
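
To find endpoints that are still on the old certificates before a browser flags them, the issuer can be checked alongside the expiry date. The script below is an added example, not part of the original post: it reads the leaf certificate with `openssl` and reports any issuer whose name contains StartCom or WoSign. Matching on the issuer name is an assumption made for this sketch; Chrome's own decision is made in its trust handling, not by name matching, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag endpoints whose certificate comes from a distrusted
# issuer, even when the certificate itself has not expired yet.

# Issuer name fragments for the two CAs named in the post (assumed match rule).
DISTRUSTED_PATTERN='startcom|wosign'

# classify_issuer ISSUER -> prints "distrusted" or "ok"
classify_issuer() {
    if printf '%s\n' "$1" | grep -Eiq "$DISTRUSTED_PATTERN"; then
        echo distrusted
    else
        echo ok
    fi
}

# fetch_cert_info HOST [PORT] -> prints the issuer= and notAfter= lines
# of the certificate the server presents (needs network access and openssl).
fetch_cert_info() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer -enddate 2>/dev/null
}

# audit_cert_info HOST INFO -> one report line; INFO is fetch_cert_info output.
# Exit status: 0 = ok, 1 = distrusted issuer, 2 = no certificate retrieved.
audit_cert_info() {
    host=$1; info=$2
    issuer=$(printf '%s\n' "$info" | sed -n 's/^issuer= *//p')
    expires=$(printf '%s\n' "$info" | sed -n 's/^notAfter=//p')
    if [ -z "$issuer" ]; then
        echo "$host: ERROR no certificate retrieved"
        return 2
    fi
    verdict=$(classify_issuer "$issuer")
    echo "$host: $verdict (expires: $expires; issuer: $issuer)"
    [ "$verdict" = ok ]
}

# Usage: sh audit.sh host1 host2 ...
for h in "$@"; do
    audit_cert_info "$h" "$(fetch_cert_info "$h")" || true
done
```

A certificate like ours, valid until 2019, passes an expiry-only check and is still reported as `distrusted` here.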
