A quick guide on fixing a difficult SSL/TLS certificate error:
NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN in Google Chrome

Let’s not beat around the bush – you’re here because you were trying to reach a website and got a “NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN” error. Probably in Google Chrome, since that error string is Chrome’s wording for the problem.

Or, alternatively, you’re a website owner who has been told by a Chrome user that they’re receiving a “NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN” error when attempting to reach your site.
Either way, you need help.

Now, I have some good news and I have some bad news. The good news is that if you’re a website owner, I can help you. The bad news is that if you’re just a regular internet user, you’re $#!% out of luck.

Well, for the most part. Let’s start with regular internet users first.

Fixing NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN for regular internet users

Unfortunately, this is a server-side error that can’t be fixed on your end. Whereas there are some (ill-advised) workarounds for other certificate errors – things like changing your system time or clicking through a warning – when the issue is key pinning you may be completely out of luck.

You can attempt to navigate to the site over plain HTTP. If the site isn’t forcing HTTPS with an HSTS header, you’ll be able to reach it – albeit without any security in place. Again, this isn’t a good idea, because anything you do on that site – any password you enter, anything you view – is out in the open and easily visible to third parties.

Your best bet is to contact the site owner and let them know that there’s an issue with one of the keys they have pinned. Or rather, in this case, a key they haven’t pinned.

Fixing NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN for site owners

Key pinning is a risky thing to do if you’re not completely sure what you’re doing. The premise is great: it lets you control more tightly which public keys are used, which reduces the risk of having one of the associated private keys cracked. The downside is that you can completely break your website if you get it wrong.

Without assuming too much, it sounds like potentially, maybe, someone didn’t get it right somewhere?

You have two choices here, but first the cause: this error is the result of a key NOT being pinned somewhere in the certificate chain. As you are no doubt aware, a web browser needs to build and validate the full certificate chain before it will extend trust to an end-user/leaf certificate. Part of that is verifying the signatures on the certificates, which is done using their public keys.

You have likely either pinned the wrong key, or not pinned any key for one of the intermediate certificates that makes up your certificate chain. Remember that a pin is a hash of a certificate’s public key, so it has to be computed from the key carried by the intermediate that is actually being served, not from an older one the CA has since replaced. Once you find the offending certificate, you should be able to find a copy of its public key on the intermediate CA’s website.
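As an added example (not code from the original post), here is the check a browser performs when it decides whether a pinned key is “in the cert chain”: it hashes each certificate’s DER-encoded SubjectPublicKeyInfo and looks for any configured pin among those hashes; if none matches, the connection fails with this error. The DER walker and the toy certificates below are constructed for the demonstration, and the placeholder key bodies are not real key material.

```python
import base64
import hashlib

def der_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value_start, end); end is the next TLV."""
    tag, length, cursor = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, cursor = int.from_bytes(buf[cursor:cursor + n], "big"), cursor + n
    return tag, cursor, cursor + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV (header included) of a certificate."""
    _, tbs_pos, _ = der_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, pos, tbs_end = der_tlv(cert_der, tbs_pos)  # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = der_tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:end]))   # keep the whole TLV, header too
        pos = end
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def spki_pin(cert_der):
    """Pin as browsers compute it: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pinned_key_in_chain(pins, chain_der):
    """Browser rule: at least one configured pin must match some cert in the chain."""
    return any(spki_pin(cert) in set(pins) for cert in chain_der)

def _tlv(tag, body):
    """Short-form DER TLV (body < 128 bytes); enough for the constructed certs."""
    return bytes([tag, len(body)]) + body

def toy_cert(spki_body):
    """Constructed certificate skeleton (not a real cert) carrying spki_body as its SPKI."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")  # version, serial
           + _tlv(0x30, b"") * 4                   # signature, issuer, validity, subject
           + _tlv(0x30, spki_body))                # subjectPublicKeyInfo
    return _tlv(0x30, _tlv(0x30, tbs))

# Constructed chain: leaf -> intermediate -> root (placeholder key bodies).
CHAIN = [toy_cert(b"leaf-key"), toy_cert(b"intermediate-key"), toy_cert(b"root-key")]
# A pin set covering the intermediate actually served, and one that pins a key
# the CA has since rotated out: the second is the situation behind the Chrome error.
GOOD_PINS = [spki_pin(CHAIN[1]), spki_pin(toy_cert(b"backup-key"))]
STALE_PINS = [spki_pin(toy_cert(b"old-intermediate-key")), spki_pin(toy_cert(b"backup-key"))]
```

`pinned_key_in_chain(GOOD_PINS, CHAIN)` is True, while `pinned_key_in_chain(STALE_PINS, CHAIN)` is False even though a backup pin is present, because no pin matches any key in the chain as served.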

Here’s a better idea though – stop pinning keys.

Experts around the world agree that it’s frankly more trouble than it’s worth for all but the most sophisticated enterprises. There’s far more downside than upside. And some browsers, Google Chrome included, have either phased out support or announced their intention to.

Besides, you can gain the same level of defense provided by key pinning simply by turning over certificates and keys more frequently. There’s no need to pin them. Just rotate them every 3-6 months.

We hope this helps.


Author

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.
