{"id":5854,"date":"2019-06-17T02:10:02","date_gmt":"2019-06-17T10:10:02","guid":{"rendered":"https:\/\/cheapsslsecurity.com\/blog\/?p=5854"},"modified":"2021-01-26T07:32:13","modified_gmt":"2021-01-26T15:32:13","slug":"how-to-fix-neterr_ssl_pinned_key_not_in_cert_chain","status":"publish","type":"post","link":"https:\/\/cheapsslsecurity.com\/blog\/how-to-fix-neterr_ssl_pinned_key_not_in_cert_chain\/","title":{"rendered":"How To Fix NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN"},"content":{"rendered":"

A quick guide on fixing a difficult SSL\/TLS certificate error:
\nNET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN in Google Chrome<\/h2>\n

Let\u2019s not beat around the bush \u2013 you\u2019re here because you were trying to reach a website and got a \u201cNET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN\u201d error. Probably using Google Chrome, as that is the search giant\u2019s parlance. <\/p>\n

Or, alternatively, you\u2019re a website owner that has been told by a Chrome user that they\u2019re receiving a \u201cNET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN\u201d error when attempting to reach your site.
\nEither way you need help.<\/p>\n

Now, I have some good news and I have some bad news. The good news is that if you\u2019re a website owner, I can help you. The bad news is that if you\u2019re just a regular internet user, you\u2019re $#!% out of luck.<\/p>\n

Well, for the most part. Let\u2019s start with regular internet users first. <\/p>\n

Fixing NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN for regular internet users<\/h2>\n

Unfortunately, this is a server-side error that can\u2019t be fixed on your end. Whereas there are some (ill-advised) work-arounds for other certificate errors \u2013 things like changing your system time or clicking through a warning \u2013 when the issue is key-pinning you might be completely out of luck.<\/p>\n

You can attempt to navigate to the site using the HTTP protocol. And if the site isn\u2019t forcing HTTPS with an HSTS header you\u2019ll be able to reach it \u2013 albeit without any security in place. Again, this isn\u2019t a good idea because anything you do on that site \u2013 any password you enter, what you\u2019re viewing \u2013 is out in the open and easily visible to third parties. <\/p>\n

Your best bet is to contact the site owner and let them know that there\u2019s an issue with one of the keys they have pinned. Or in this case, don\u2019t have pinned.<\/p>\n

Fixing NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN for site owners<\/h2>\n

Key pinning is a risky thing to do if you\u2019re not completely sure what you\u2019re doing. The premise is great, allowing you to more closely control what public keys are used, which reduces the risk of having one of the associated private keys cracked. But the downside is that you can completely break your website if you muck it up.<\/p>\n

Without assuming too much, it sounds like potentially, maybe, someone didn\u2019t get it right somewhere?<\/p>\n

You have two choices, this error is as a result of a key NOT being pinned somewhere in the certificate chain. As you are no doubt aware, web browsers need to be able to successfully complete the certificate chain before extending trust to an end-user\/leaf certificate. Part of that is verifying the signatures on the certificates, and that\u2019s done using their public keys. <\/p>\n

You likely have either pinned the wrong key, or not pinned any key to one of the intermediate certificates that makes up your certificate chain. Once you find the offending certificate, you should be able to find a copy of its public key on the intermediate CA\u2019s website. <\/p>\n

Here\u2019s a better idea though \u2013 stop pinning keys.<\/p>\n

Experts around the world agree that it\u2019s frankly more trouble than it\u2019s worth for all but the most sophisticated of enterprises. There\u2019s way more downside than upside. And some browsers, Google Chrome included, either have phased out support or have announced their intention to.<\/p>\n

Besides, you can gain the same level of defense provided by key pinning simply by turning over certificates and keys more frequently. There\u2019s no need to pin them. Just rotate them every 3-6 months. <\/p>\n

We hope this helps.<\/p>\n

\n

Save up to 89% on SSL certificates<\/h2>\n

\nWe offer the lowest prices on SSL certificates from Comodo, GeoTrust, Thawte, Sectigo, Symantec, and RapidSSL. Save up to 89% by purchasing direct from us!<\/br>
\nBuy SSL Certificates at Only $4.97<\/a><\/p>\n<\/div>\n

Related Resources<\/h2>\n