
5 year certificate no longer valid

Chrome invalidating valid certificate

3:36 pm on Apr 16, 2015 (gmt 0)

New User

joined:Jan 18, 2015
posts: 25
votes: 4


This morning, my secure sites could not connect error free using Chrome. Internet Explorer had no problem. My SSL certificates are 5 year certificates, expiring in 2017.

Are others seeing this? Are big players affected?

It is especially galling that https is crossed out in the address bar, leading to the presumption that the connection is not encrypted.

Moderator: is posting link OK or useful? It is merely a login page.
3:52 pm on Apr 16, 2015 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4558
votes: 363


No link is needed to understand your issue. It could be the type of Certificate that is affecting the Chrome validity. The technology that was good enough may not meet the higher encryption standards required today. I would look into the encryption level of the Certificate, and maybe visit the Certificate supplier's site to see if they can upgrade it. Chrome started moving that direction about 6 months ago, along with the big Google push to SSL for "all" sites.
3:59 pm on Apr 16, 2015 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
posts:26458
votes: 1076


Thanks DenRein

No need for a link.

Do you get the same effect with other sites that do not belong to you?
4:12 pm on Apr 16, 2015 (gmt 0)

New User

joined:Jan 18, 2015
posts: 25
votes: 4


Not2easy: Clicking the lock symbol shows what Chrome thinks the problem is. It states "The server certificate has a validity period that is too long". The connection section is green and shows the connection is TLS 1.2, AES_128_GCM, and ECDHE_RSA.

engine: we have the same question. Are others seeing this? For example, I went to a banking site. No error but then they are using a 1 year cert. The issue in my mind is the 5 year cert and I don't know of https sites other than mine who have one.
6:51 pm on Apr 16, 2015 (gmt 0)

New User

joined:Jan 18, 2015
posts: 25
votes: 4


not2easy: I failed to completely comprehend what you were saying. Visiting the ssllabs site and running a test, I see that my cert is signed with SHA-1. If you Bing for "chrome sha1 deprecation" the very first link to the Symantec site explains exactly what I am seeing.

The diagnostic message obfuscates what the real problem apparently is.

I am now in the process of having certs re-issued with SHA-2.
6:57 pm on Apr 16, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 10, 2001
posts:1551
votes: 10


Chrome is just particularly quick to implement a new requirement:
The CA/Browser Forum is a voluntary organization of Certification Authorities and suppliers of Internet browser and other relying-party software applications.
...
2015-04-01 9.4.1 CAs SHALL NOT issue certificates with validity periods longer than 39 months.
[cabforum.org...]

Actually, the implementation may be a bit too broad, as the requirement is not meant to be applied to certificates issued before 2015-04-01.
7:07 pm on Apr 16, 2015 (gmt 0)

New User

joined:Jan 18, 2015
posts: 25
votes: 4


bird: I was thrown off by the bogus chrome error message: "The server certificate has a validity period that is too long"

What I now think is going on is:

"Sites secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “affirmatively insecure”. The lock will have a red “X” over it with the letters “HTTPS” crossed out with a red font as in this example provided by Google" ref: [symantec.com...]

I can also partially verify this with another site having a more recent 5 year cert. I say "partially" because the underlying server tech differs considerably.
7:51 pm on Apr 16, 2015 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4558
votes: 363


Sorry DenRein, I should have done this lookup earlier for you, it is in my notes from last September:
[googleonlinesecurity.blogspot.com...]

The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper.

That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November.
They may have moved up the timetable.
8:13 pm on Apr 16, 2015 (gmt 0)

New User

joined:Jan 18, 2015
posts: 25
votes: 4


not2easy: according to the symantec article cited, they are right on schedule with the rollout. What they did not do in the time they had to roll this out is come up with a meaningful error message. "The server certificate has a validity period that is too long" just doesn't cut it.
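The two rules discussed in this thread (Chrome treating SHA-1 certificates that expire on or after 1 January 2017 as "affirmatively insecure", and the CA/Browser Forum's 39-month cap for certificates issued from 2015-04-01) can be checked directly against a certificate rather than inferred from Chrome's error text. The script below is an added example and is not code from this thread, from Chrome or from any CA; it uses only the Python standard library, parses just enough DER to read the signatureAlgorithm OID and the validity window from a PEM or DER certificate, and applies both rules. The OID table, the cutoff dates taken from the posts above, and the sample certificates (built in code with empty names and a placeholder signature) are assumptions of the example.

```python
"""Added example: report what Chrome's SHA-1 sunset and the CA/B Forum 39-month
rule say about a certificate, using only the standard library.
Sample certificates are constructed (unsigned placeholders), not real ones."""
import base64
from datetime import datetime, timezone

# Assumed table of SHA-1 signature algorithm OIDs (PKCS#1, X9.62, DSA)
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA256_RSA = "1.2.840.113549.1.1.11"
SHA1_CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)   # Chrome: "affirmatively insecure" line
BR_EFFECTIVE = datetime(2015, 4, 1, tzinfo=timezone.utc)  # CA/B Forum BR 9.4.1 effective date
MAX_VALIDITY_MONTHS = 39


def _read_tlv(data, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for c in body[1:]:
        val = (val << 7) | (c & 0x7F)
        if not c & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def _decode_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ, RFC 5280 century rule
        yy = int(s[:2])
        s = f"{yy + (1900 if yy >= 50 else 2000)}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def load_der(data):
    """Accept PEM or DER bytes and return the DER certificate bytes."""
    if b"-----BEGIN" in data:
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    return data


def parse_cert(der):
    """Return (signature OID, notBefore, notAfter) from a DER X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)               # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)           # signatureAlgorithm
    tag, _, p = _read_tlv(tbs, 0)
    p = p if tag == 0xA0 else 0                    # skip optional [0] version
    for _ in range(3):                             # serialNumber, signature, issuer
        _, _, p = _read_tlv(tbs, p)
    _, validity, _ = _read_tlv(tbs, p)
    nb_tag, nb, q = _read_tlv(validity, 0)
    na_tag, na, _ = _read_tlv(validity, q)
    _, oid, _ = _read_tlv(sig_alg, 0)
    return _decode_oid(oid), _decode_time(nb_tag, nb), _decode_time(na_tag, na)


def _months_between(a, b):
    return (b.year - a.year) * 12 + (b.month - a.month) - (1 if b.day < a.day else 0)


def assess(cert_bytes):
    """Apply the Chrome SHA-1 rule and the BR 39-month rule; return a findings dict."""
    oid, nb, na = parse_cert(load_der(cert_bytes))
    findings = []
    if oid in SHA1_SIGNATURE_OIDS:
        if na >= SHA1_CUTOFF:
            findings.append("SHA-1 signature expiring on/after 2017-01-01: Chrome treats the site as affirmatively insecure")
        else:
            findings.append("SHA-1 signature: deprecated, reissue with SHA-256")
    if nb >= BR_EFFECTIVE and _months_between(nb, na) > MAX_VALIDITY_MONTHS:
        findings.append("validity longer than 39 months for a certificate issued after 2015-04-01 (BR 9.4.1)")
    return {"signature": SHA1_SIGNATURE_OIDS.get(oid, oid), "not_before": nb, "not_after": na, "findings": findings}


# ---- constructed sample certificates: empty names, placeholder signature ----
def _tlv(tag, body):
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body


def _encode_oid(s):
    parts = [int(x) for x in s.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def _encode_time(dt):
    fmt, tag = ("%y%m%d%H%M%SZ", 0x17) if dt.year < 2050 else ("%Y%m%d%H%M%SZ", 0x18)
    return _tlv(tag, dt.strftime(fmt).encode())


def build_sample_cert(sig_oid, not_before, not_after):
    """Build a syntactically valid but unsigned certificate for exercising the checker."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    name = _tlv(0x30, b"")
    validity = _tlv(0x30, _encode_time(not_before) + _encode_time(not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name + validity + name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


_D = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
SAMPLES = {
    "old_sha1": build_sample_cert("1.2.840.113549.1.1.5", _D(2012, 4, 16), _D(2017, 4, 16)),  # the thread's case
    "reissued_sha256": build_sample_cert(SHA256_RSA, _D(2012, 4, 16), _D(2017, 4, 16)),       # same dates, SHA-256
    "new_5yr": build_sample_cert(SHA256_RSA, _D(2015, 4, 16), _D(2020, 4, 16)),               # 5 years after the BR date
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        r = assess(cert)
        print(label, r["signature"], r["not_after"].date(), r["findings"] or "no findings")
```

Run against a real certificate with `assess(open("cert.pem", "rb").read())`; the same signature algorithm is what `openssl x509 -in cert.pem -noout -text` prints as "Signature Algorithm". The three constructed samples reproduce the thread: the 2012 SHA-1 certificate trips only the Chrome rule, its SHA-256 reissue with identical dates is clean (the 39-month cap does not apply to certificates issued before 2015-04-01, as bird noted), and a fresh 5-year certificate issued after that date trips the BR cap even though its hash is fine.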
10:18 pm on Apr 16, 2015 (gmt 0)

Full Member from AU 

10+ Year Member

joined:Oct 20, 2003
posts:259
votes: 1


Yes, I have had Chrome saying security certificates are no longer valid for websites that IE and Firefox seem to load fine. Are they going too far in the other direction in regards to security?
2:58 am on Apr 17, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 889


Isn't it always going too far if you make your changes retroactive?
"Effective five years from today, we will no longer honor five-year certificates" is one thing. "Effective next year, we will no longer etcetera" is another thing.
6:48 pm on Apr 17, 2015 (gmt 0)

New User

joined:Jan 18, 2015
posts: 25
votes: 4


Thanks all. It took me a day and a half but I have been able to confirm that re-issuing the SSL certs (with SHA256 hash) does fix this problem on my development system. At $25 for 5 years (sigh ... I will miss the convenience of 5 year certs RIP), I have certs for my local machines to do SSL test/development. In a few hours, I will roll out re-issued certs to my customers.