Chrome shows old SSL certificate - google-chrome

I use Let's encrypt certificates on the server. The certificates are automatically renewed and the server-config is updated.
Problem: When I open the web-page in Chrome, it shows that the certificate is valid, but the Certificate dialogue still shows the old certificate info (see Valid from dates):
When I open the page in incognito mode, the browser shows the correct/new certificate
Another odd thing:
after refreshing the page with CTRL+F5, Chrome shows the correct info
but when I now close the tab and open a new tab, the old info will be shown again!?
Questions:
Is this maybe a bug in Chrome? i.e. maybe it caches the certificate info for too long
Or is there something my web-page/server can do to update this info?

tl;dr
It turned out that the issue is related to the web-page being a PWA and that we had initially used a www-only cert.
Details:
when setting up the server we first created a www-only-certificate for e.g. www.myapp.com
but we forgot to include the naked-domain in the cert, so some hours later we created a new cert for myapp.com and www.myapp.com
the browsers that had already loaded the app had the issue described in the question
Result:
actually we just ignored the issue, because only few clients were affected and even for those, chrome does not show an error and the connection is still encrypted
for more details see this Let's Encrypt forum post

Clear browser cache in Windows 10 machines to fix this issue -
https://kinsta.com/knowledgebase/how-to-clear-browser-cache/
CTRL + SHIFT + DEL. Chrome will open up a new tab with a popup window titled Clear Browsing Data. Make sure that only the Cached images and files box is checked. Otherwise, you might accidentally clear your browsing history, saved passwords, cookies, and more:

Related

Local virtual hosts show Privacy Error on Chrome due to HSTS

I have created several virtual hosts for my development processes. They were working just fine till yesterday. But in my chrome app, today they stopped working. Chrome shows: NET::ERR_CERT_AUTHORITY_INVALID
All my vhosts end with .dev. I changed one .dev to .work and its again working. But I can not do this for all vhosts as there are too many of them. What do I do?
PS:
They are working fine in firefox.
The error remains same in chrome incognito mode.
I tried clearing cache and hard reload, deleted my history and cache, restarting chrome even windows multiple time, nothing works.
In one solution, I found an exception can be included in chrome://net-internals/#hsts. I tried deleting domain in there but somehow it still appears in Query Domain search.
Chrome have switched the .dev sub domain to HTTPS only.
They have done this by turning on HSTS for this top level domain, but by preloading this in the Chrome code rather than sending the HSTS header. This means it cannot be switched off in the chrome://net-internals/#hsts screen.
More info:
https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/
So you’re only options are:
Update you’re vhosts to a different TLD (e.g. .test). And yes this might be painful because you have so many.
Move to HTTPS by creating a certificate and updating your URLs. A self signed certificate that you can create yourself will do, however note that HSTS not only blocks accessing the site over plaintext HTTP, but also prevents you clicking through certificate errors. So you’ll need to manually accept any certificate to your trust store before it can be used.
The chrome team have been pushing HTTPS more and more and certain features are now HTTPS-only so even dev envs will need it now. So maybe it’s finally time take the effort to make the switch.

Digital certificates in chrome

I have the following case in a web application of mine. The usual browser that the user uses is Chrome.
I use digital certificates that users have cryptographic cards that they insert into a card reader.
To log in to the application, basically users access the https link that makes the certificate data read.
So far everything works fine.
If the user to end his session of the application closes the browser, there is no problem. Everything is over.
But if the user wants to leave his application session, without closing all browser windows, here are my problems.
There is a button that closes the session of the application, the user leaves and redirects to the initial login screen. It seems that everything has been reset, because the user has left. But when the new user wants to log in and press the link to read the certificate data, instead of doing a new reading of the new card, use the data from the previous card without just asking for the pin to access it.
The problem goes further, for example, if the user has forgotten the card, the card and tries to logarize, the failure to read the certificate. But now, although inserted correctly, the card will not be read again until the browser is restarted, which maintains a cache that does not have a certificate.
At the moment only the solution was found by closing all Chrome windows, but that depends on whether the user does or not.
A partial solution would be sure to close the browser with javascript () but for some time, it can not be closed with javascript (window.close ()), a window that can not be opened from the site itself, with what is available I think it's ruled out
Can someone contribute to me? Thank you
Chrome and the rest of browsers maintain a cache of the SSL authentications performed and decide when to prompt user for selecting a certificate. There is no "logout" function neither the connection can be closed from server side due to TLS resumption protocol ( client can resume the session)
This a common and known issue when defining an authentication system using client certificates. I only have found a workaround: use different domains to force browser to choose a certificate:
login.domain.com
-->login1.domain.com
-->login2.domain.com
-->loginN.domain.com
You have a virtual authentication URL login.domain.com which redirects user's browser to a random loginN.domain.com every time you need an authentication. Chrome will detect that it is a different domain and will prompt user for selecting a certificate
You could also think about using different ports instead of different DNS, but then you could have problems with the user's firewall because you are not using a standard port, and in this case Firefox does not show the window either.

SharePoint authentication token/cookie persists when closing browser, but only in Chrome

SharePoint 2013 doesn't use Session cookies by default, but rather persistent cookies. Based on several articles, including this one, you can force SharePoint to use session cookies by the following PowerShell command. I ran this command in my SharePoint environment.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
My goal is to make a user re-authenticate when they close and re-open their browser. For both Forms Authenticated users and Windows Authenticated users, this works great in Firefox and IE. However, in Google Chrome, when I close/re-open the browser and navigate to my SharePoint site, it remembers the user that I was authenticated as before I closed my browser; which is baffling, considering this is supposed to be a Session cookie. This happens for both Forms Authenticated users, and Windows authenticated users.
FedAuth Session cookie, given by SharePoint, as seen in Chrome
Any ideas why Google Chrome (but not IE or FF) is "remembering" my credentials upon browser close/open?
SharePoint Version: 2013, on-premise.
Chrome Version: 42.0.2311.152
Other Notes:
WindowsTokenLifetime is set to it's default value, 10hrs
FormsTokenLifetime is set to 2 minutes
LogonTokenCacheExpirationWindow is set to 1 minute
Update:
I tried closing all identifiable Chrome.exe processes via Taskmgr, but the next time I opened my browser, it still remembered me. However, I restarted my computer, opened the browser, and it didn't remember me that time. I don't think this is a SharePoint issue, but rather a Chrome issue. My guess is that some Chrome process is staying alive somewhere, even though it appears to be closed, thus allowing the "Session" to remain open. Still investigating...
Apparently, when you let Chrome run in the background, the Session cookies aren't expired (even though you've closed the browser). Disabling background mode causes Chrome to forget your Session cookie, as it should.
Note: I'm curious if this a bug in Chrome. This behavior seems to go against what a Session cookie is.
a cookie that is erased when the user closes the Web browser. The session cookie is stored in temporary memory and is not retained after the browser is closed
Update:
According to Google, this is expected behavior (though I'd consider that notion debatable). Also, another SO user also came across the same issue.

500 Internal Server Error just on Google Chrome when logging into PayPal

Whenever I try to visit log in to PayPal on Google Chrome (my current version is 35.0.1916.114 which is the most up to date at the time of writing this), I get a 500 Internal Server Error. Here's the exact one:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster#paypal.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
I'm able to visit the homepage fine and I can log in on all other browsers but this has been an issue for some time now (I just haven't gotten around to looking into it). At the moment, I open Firefox just to use PayPal but I used Chrome for everything else so I'm trying to solve it.
Any ideas on why this would be happening? I've seen other questions on the web similar but they are mainly due to people 'buying' through PayPal which isn't a problem for me. I can purchase items on the 'purchase' screens that you get redirected to from a site.
Thanks for your help!
I see this from time to time on a couple of very specific web sites (e.g., Slashdot). All other sites works fine when this happens (and the site works fine in other browsers, including Web Kit based ones). The embarrassingly simple solution is to restart the browser (I try to avoid it since I often have 50+ tabs open). If guess the problem might be session cookies (that would explain why a restart works). As a consequence of this guess, clearing all permanent cookies for PayPal and related sites might be worth considering.
For me, I do like this at the 500 error page
Click on the Secure to the left side of the address bar
Select Site settings
Select Reset site settings at the bottom of the page
Reload the page
in some cases but not all. There appears to be a corrupt session via the cookie or data stored for a specific browser in the java files. Try the following;
1. Download CCleaner (close chrome)
Remove and clean registry files
Remove tmp and cached for CHROME as well as cookies
Clear index.dat file
4. Control Panel / Java-open / clear internet java cached files
5. Make sure you're not using a proxy IP for the web
6. Restart computer
7. Try again
Now that Google separated cookies from permissions I had to delete my cookies separately to get it to work.
Click on the Secure to the left side of the address bar
Select Cookies
Select the wordpress cookies and Remove each one
Reload page

Can Google Chrome be used on a local dev server with an invalid SSL cert?

Our application runs within a frameset that uses one visible frame to show content and two others to handle communication with the server. I did not design this and have no power to change it now.
The problem is that my local machine does not have a valid SSL certificate (it's self-signed), so accessing it and trying to login pops an 'invalid certificate' error. In IE and FF I am able to simply click a button to continue. However, I just started trying to test with Chrome and it seems to stop me dead with:
Error 501 (net::ERR_INSECURE_RESPONSE): Unknown error.
There is no option to continue. There also doesn't appear to be anything in the options menu to add localhost as a trusted site, though I may have missed something. Does anyone know a way around this? Disabling SSL locally won't be very easy and risks me forgetting to enable it for deployment. Any other thoughts?
Thanks.
What I would recommend is to add the self-signed certificate to Chrome manually rather than trying to make localhost a trusted site. It looks like there are a couple ways to accomplish this. Here is one forum thread that discusses the issue, but I think it boils down to:
If you are on Windows, install the certificate in IE. The linked thread explains this process in more detail, but it looks like you go to the site in IE, click "Continue" or similar, then right-click the certificate error button to the right of the URL bar and follow the prompts. (If that doesn't work, here's a question that I believe addresses the issue.)
More recent versions of Chrome appear to allow certificate import directly. On version "15.0.874.121 m" for Windows, I can click the tool menu, go to Options, then Under the Hood, then the Manage Certificates button. I believe you then click the "Import..." button, though I do not recall whether you need to be on the Personal tab or one of the others. You will need to have the certificate in a file format that Chrome supports (p12 is one, there are others). There is a help link in the appropriate place that specifies the accepted formats.
I recommend Safari for this purpose. Sign a cert with StartCom, and enroll the cert in the browser.