My site has Certificate Transparency enabled but Chrome is still showing NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

Question

I have a site called www.goflyla.com and I purchased the SSL cert from RapidSSL with Certificate Transparency enabled.

SSLLabs give a green line saying Certificate Transparency: Yes (certificate):

Strangely, this only happens in Chrome (Mac version). I can still access my site in Windows and Ubuntu (Linux) Chrome but saying the site supplied invalid Certificate Transparency information

Checked with chrome://net-internals and embedded_scts is there:

I have narrowed it down to Chrome version 53.

What should I do?

score 5 · Answer 1 · edited Jun 16 '20 at 09:49

Botched CT redaction

According to the CT lookup site (archived here) the certificate is logged as ?.goflyla.com. This looks very much like an attempt to redact the exact domain name.

And unfortunately that feature is not fully standardized yet. So it just doesn't work at the moment. (And any attempt to submit a redacted entry to the log will just result in Chrome 53 completely ignoring that log entry and saying: No log entry found. -- For details see SSLMate blog post linked below.)

So what can you do? -- I'm not sure. I'd guess one of two things:

Ask RapidSSL to fix the CT Log submission and re-submit with the unredacted hostname.
Buy a different certificate. And not from Symantec or a subsidiary. -- The reason is that Symantec was, for lack of a better word, sentenced by Google to CT log every new certificate (Archived here). -- (And it appears that that requirement also applies to their subsidiaries, like RapidSSL.) And other certificate authorities simply are not under that requirement.

SSLMate Blog, 2016-09-07, Why Chrome 53 is Rejecting Chase Bank's Symantec Certificate (Archived here.)

Despite the fact that redaction, practically speaking, does not exist, Symantec forged ahead and grafted redaction onto the original version of Certificate Transparency. The result is a Franken-certificate that works fine in browsers that don't support Certificate Transparency, but fails to validate in Chrome.
Log entry without redaction: https://crt.sh/?id=31180341&opt=cablint,x509lint
Log entry from later on that same day. Interestingly with the SAME serial number. I don't know what to make of that. Also now with the weird redaction attempt of "?" Instead of "www": https://crt.sh/?id=30754735&opt=x509lint,cablint

score 1 · Answer 2 · answered Nov 14 '16 at 19:20

1

The problem is not with your site, it is with Chrome 53. Many sites are affected.

Ubuntu bug report about NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED in Chromium 53
Chromium project bug report about NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED in Chromium 53

answered Nov 14 '16 at 19:20

Mark Stosberg

182
7

That bug (which is widespread) 'blew up' Nov 10 and is covered in http://security.stackexchange.com/questions/142536/why-is-one-of-three-browsers-reporting-an-invalid-https-certificate . The problem in _this_ Q occurred two months earlier, and is different. – dave_thompson_085 Nov 15 '16 at 06:55

My site has Certificate Transparency enabled but Chrome is still showing NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

2 Answers2

Botched CT redaction

Further reading:

Linked