How to fix “ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN”. Step-by-Step Guide




Understanding and Fixing ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

The "ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN" error occurs when a browser rejects a site's SSL/TLS connection because none of the public keys it has pinned for that site appears in the certificate chain the server is presenting. The issue almost always stems from a misconfigured or outdated HTTP Public Key Pinning (HPKP) policy, for example one left in place after a certificate renewal. Website visitors can try clearing their browser's stored domain security policies or using another browser, while website owners should review their SSL configuration and consider removing key pinning altogether, especially since it is a deprecated security mechanism.


Key Takeaways

  • What is the Issue?: The ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error occurs when a browser fails to verify the SSL certificate due to incorrect key pinning, which can happen if the pinned key doesn’t match or is improperly configured in the SSL certificate chain.
  • For Website Visitors: Clear browser caches and contact the website owner about the issue.
  • For Website Owners: Review the SSL certificate and key pinning configurations. Remove key pinning entirely if the website setup is prone to errors. Use tools like EaseUS DupFiles Cleaner to ensure your server is optimized and free from redundant configurations that may interfere with SSL settings.
  • Why is This Error Happening?: This error usually arises because of misconfigured HTTP Public Key Pinning (HPKP), which is generally discouraged in modern web development due to its complexity.

Step-by-Step Guide to Fixing the “ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN” Error

Fixing this SSL error involves different tasks for website visitors and website owners. Follow the appropriate set of troubleshooting steps below depending on your role.


1. Understanding the Error

The ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error means the public key pins the browser holds for the site do not match any key in the certificate chain the server sends. HTTP Public Key Pinning (HPKP) lets a site tell browsers that only specific public keys may be trusted for it; when the pinned keys and the served chain fall out of sync, SSL validation fails and you see this error.

  • Cause: Issues with the site’s SSL certificate are usually the root cause, often tied to errors in how key pinning was set up.
  • Key Pinning Definition: HTTP Public Key Pinning (HPKP) is a security mechanism that allows a site to specify which public keys should be trusted.
  • Modern Relevance: HPKP is a deprecated feature in many modern browsers, including Chrome, due to its potential risks. Misconfiguration can lead to the complete inability to access resources securely.

2. Troubleshooting Steps for Website Visitors

If you’re a website visitor encountering the ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error, there are a few simple things you can try:

1. Contact the Website Owner

If you come across this error while browsing, the first thing to do is inform the website owner. It’s possible that they haven’t noticed the issue, and they will need to correct the SSL setup. They might have changed or renewed the SSL certificate, which caused the pinning to break.

2. Clear the HSTS Cache (Chrome Users)

If you’re using Chrome, the stale pins may still be held in the browser’s domain security policy store, which Chrome keeps together with its HSTS (HTTP Strict Transport Security) entries. Clearing that entry for the site might resolve the issue for you:

  1. Type chrome://net-internals/#hsts in your browser’s address bar to access HSTS settings.
  2. Scroll down until you see the option Delete domain security policies.
  3. Enter the domain name of the website triggering the error.
  4. Click Delete.
  5. Restart your browser and navigate back to the website.

This step discards the pins Chrome remembered for the domain, so it evaluates the site’s current SSL configuration afresh on the next visit, potentially fixing the error.

3. Try Another Browser

Sometimes, this issue may be browser-specific. Switch to another browser, such as Firefox or Edge, and see if you can access the site there.


3. Troubleshooting Steps for Website Owners

If you’re a website owner dealing with the ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, follow these instructions to correct the issue.

1. Review Your SSL Certificate Configuration

The first step is to make sure that the correct public keys are pinned to the right certificates in the chain.

  • What to Check: Review the pins set in the certificate pinning header (if enabled) and make sure at least one of them is the SPKI hash of a certificate in the chain you are presently serving. Note that browsers compare pins against the chain they actually receive, so a renewed certificate with a new key, or a changed intermediate, breaks pins that were computed for the old chain.
  • Tip for Experts: Using tools like SSL Labs or OpenSSL can help in verifying the certificate chain and ensuring that the correct public key is pinned. Consider securing your connections further with NordVPN, which encrypts all communications during SSL diagnostics and maintenance.
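As an added example (not part of the original guide), here is the "What to Check" item above done with the OpenSSL CLI: compute the HPKP pin of each certificate in the chain you serve and confirm that at least one pin in the Public-Key-Pins header matches. The host name, temporary directory and self-signed certificates are constructed placeholders.

```shell
#!/bin/sh
# Added example: check that a Public-Key-Pins header value names a key that is
# present in the served certificate chain (the mismatch behind
# ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN). Needs only the openssl CLI.

# HPKP pin of one PEM certificate: base64(SHA-256(DER SubjectPublicKeyInfo)).
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# Print every pin-sha256 value carried in a Public-Key-Pins header value, one per line.
header_pins() {
  printf '%s\n' "$1" | tr ';' '\n' \
    | sed -n 's/^[[:space:]]*pin-sha256="\([^"]*\)".*/\1/p'
}

# Exit 0 when at least one pinned key is in the chain files given, 1 otherwise.
# This is the core comparison a browser makes before raising the error.
pin_matches_chain() {
  header="$1"; shift
  for cert in "$@"; do
    header_pins "$header" | grep -qxF "$(spki_pin "$cert")" && return 0
  done
  return 1
}

# Constructed input: a throw-away self-signed certificate (placeholder CN).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: a header still carrying the pre-renewal key fails against the new chain.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/old.pem"
make_demo_cert "$demo_dir/new.pem"
stale_header="pin-sha256=\"$(spki_pin "$demo_dir/old.pem")\"; max-age=5184000"
if pin_matches_chain "$stale_header" "$demo_dir/new.pem"; then
  echo "a pinned key is present in the chain"
else
  echo "no pinned key in chain: browsers holding these pins will raise ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN"
fi
```

For a live site, feed the function the certificates saved from `openssl s_client -showcerts` output instead of the demo files.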

2. Remove Key Pinning

Key pinning should only be implemented by websites that require stringent security measures. For most businesses, it’s more of a liability than a benefit. Especially without a keen understanding of how SSL and public key infrastructure (PKI) operates, key pinning is not advisable.

Pro Tip: If you are unsure about key pinning or are a small/medium-sized business, remove key pinning entirely. Incorrect configuration can lead to long-term downtime or invalid SSL issues, driving users away.

Many modern websites have stopped using HTTP Public Key Pinning because it’s hard to manage and prone to breaking if the configuration changes (e.g., after a certificate renewal). Keep in mind that browsers which already stored your pins keep enforcing them until the header’s max-age expires, so removing the header stops new breakage but does not immediately repair clients that cached a stale pin. Follow these steps to disable key pinning:

To Remove HPKP:
  • Open your server configuration file where HPKP directives are set.

  • Remove or comment out the directive related to Public-Key-Pins headers.

  • Restart your web server (e.g., Nginx, Apache) to apply the changes.

    # Example for Apache configuration
    <VirtualHost *:443>
      # Remove or comment out this line:
      # Header always set Public-Key-Pins ...
    </VirtualHost>
    

3. Reinstall Your SSL Certificate

Sometimes a poorly installed SSL certificate can trigger this error. If you’ve recently renewed or changed your SSL certificate, reinstall it to ensure it has been correctly applied.

  • Make sure the root certificate, intermediate certificates, and leaf certificate are installed correctly in the full certificate chain.

  • Use openssl s_client or a tool like SSL Checker to verify that your SSL certificate is chaining correctly.

    # -servername sends SNI so the server returns the certificate for this host,
    # not its default; -showcerts prints every certificate in the chain it sends.
    openssl s_client -connect yourwebsite.com:443 -servername yourwebsite.com -showcerts
    

4. Avoid Key Pinning in the Future

HPKP has caused many problems for sites, so much so that browsers, including Chrome, have removed support for it. Where possible, avoid using it to limit the chances of this type of error happening again.

Expert Advice: Website owners should prefer other security mechanisms such as DNS CAA records, OCSP Stapling, and Certificate Transparency (CT) log monitoring over key pinning; they reduce the risk of mis-issued certificates without the lockout risk that pinning carries.


Additional Information

  • Why HPKP is Deprecated: Browsers like Chrome and Firefox have removed HPKP support due to risks such as accidental misconfiguration, leading to catastrophic site lockouts. Instead, modern browsers prioritize better alternatives like Certificate Transparency.
  • Professional Help: Configuring SSL certificates and key pinning mechanisms can get complex. If you don’t have the technical knowledge, seek professional help early to avoid widespread downtimes and security issues.

FAQ: Common Questions About ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

1. What Causes the ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN Error?

This error is caused by mismatches in the SSL certificate’s public key pinning configuration, often stemming from improper pinning of intermediate certificates.

2. How Can I Fix This as a Website Visitor?

Try clearing your browser cache, specifically the HSTS settings in Chrome, or use another browser temporarily.

3. How Can I Fix This as a Website Owner?

Review your SSL certificate configuration to ensure the right keys are pinned. In most cases, removing key pinning entirely is the best solution.

4. Should I Use Public Key Pinning?

No. Public Key Pinning is largely deprecated, due to its complexity and the danger of misconfigurations. Use alternatives such as Certificate Transparency and OCSP Stapling.

5. What if I Can’t Fix It on My Own?

If you’re not technically experienced, it’s best to consult a website security professional to fix the SSL configuration error.


By following the above steps, you’ll be able to diagnose and resolve the ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error, restoring secure connections for your users.