101

I have a HAProxy / stunnel server that handles SSL for our sites on AWS. During testing, I created a self-signed cert on this server and hit it from my desktop using Chrome to test that stunnel was working correctly.

Now I have installed the legitimate cert on that server. When I hit the site from my machine in Chrome it throws the following error:

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

My guess is that Chrome cached the key for the self-signed cert and it doesn’t match that of the legitimate cert. This site works in all other browsers on my machine so it’s just a Chrome problem.

One interesting note: When hitting the page from an incognito session (Ctrl+Shift+N), it works correctly. So it is clearly some sort of cache thing.

I did all the things I could think of (dumped my cache, deleted certs from the Personal and Other People page in the Manage Certificates dialog, Ctrl+F5, etc.).

My machine is Windows 7 x64. Chrome version: 12.0.742.91.

On the Google Chrome Help Forum, there is a description of what sounds like the same issue; however, no resolution is found.


UPDATE: It seems to have “fixed itself” today. I hate problems like this. I still don’t know what caused it or how it resolved itself. Presumably the cached cert expired or something, but I am still interested to know where this information is stored and how to verify it.

TRiG
Foovanadil
  • 1
    From another user I heard: This issue was caused on my machine by a slightly outdated Avast Antivirus. Avast creates a layer between your browser and the web with an SHA1 certificate. If you disable avast for a moment, Chrome will be able to access the certificate delivered by your server. In my case, a simple Avast Program Update solved the issue. – Foovanadil Apr 21 '15 at 20:18
  • This was not the case on my machine as I didn't have anti virus installed. – Foovanadil Apr 21 '15 at 20:20
  • 1
    Since the question is locked I can't add an answer, but in windows you have to 1) Go to Settings => Manage Certificates => delete the cert then 2) Close Chrome and then 3) Go to task manager and manually kill all of the Chrome.exe processes. Once you open Chrome again you should be good to go. – jakejgordon Jun 10 '15 at 14:20
  • @jakejgordon -- I wasn't able to see the cert in the Manage Certificates window, but killing Chrome.exe and reopening Chrome did the trick for me. Note, I have a web filter/monitoring proxy running as well, but did not need to stop it. – Lars Kemmann Aug 25 '15 at 02:11
  • 5
    Why is this question "protected" when there are no valid or working answers? @Michael-Hampon? – NickG Jul 06 '17 at 15:05
  • On OS X, simply restarting chrome (right click, quit, open it again) fixed my cached SSL cert issue. – brismuth Sep 01 '17 at 06:52
  • 1
    I also cannot add an answer but for Chrome it is called HSTS and can be found navigating to chrome://net-internals/#hsts There you can query by domain and delete the cached certificate – Edgar Hernandez Mar 02 '18 at 12:02
  • @NickG: because mods. The only solution that worked for me was restarting Chromium. (Ubuntu) – Dan Dascalescu Aug 20 '19 at 17:40
  • Thank you, @Foovanadil — Avast was indeed the culprit for me. Specifically, what worked for me (macOS 10.13.6, Chrome 78, Nov 2019) was to disable Avast's Web Shield, hard refresh the page in Chrome, then turn on Web Shield again. – cabgfx Nov 28 '19 at 17:25
  • Not enough rep to answer... but what worked for me - go to `chrome://net-internals/#hsts`, enter and delete domain via *Delete domain security policies* at bottom, then restart chrome – danwild Jan 18 '21 at 04:49

7 Answers

39

Chrome stores SSL certificate state per host in browser history.

So just clear browser history (Ctrl+Shift+Del), at least the following parts:

  • Cached images and files
  • Hosted app data
  • Content licenses
  • Cookies and other site data, for Chrome version 64

Solution 2. If the above doesn't help, try this:

  • Close Chrome, kill all chrome background processes
  • Delete the directory:
    %USERPROFILE%/AppData/Local/Google/Chrome/User Data/CertificateTransparency
rustyx
  • My problem is ancient now so Chrome may have changed this behavior but it didn't work for me to clear the cache (as I noted in the question). If it works now that would be great. – Foovanadil May 05 '15 at 22:50
  • 56
    This did NOT work for me – Serj Sagan Aug 11 '15 at 09:38
  • 2
    This worked for me, my specific problem was that Chrome was saying that the certificate had expired, but since others could access the site on https, I could see that there was indeed a new certificate available, but for some reason Chrome wasn't requesting it, or possibly reading it properly. – shaheenery Oct 05 '15 at 21:18
  • This worked for me in a case where Chrome had been forcing a particular hostname to HTTPS because I mistakenly tried to fetch it with HTTPS once (the site in question only serves HTTP) – Suchipi Jun 13 '17 at 23:41
  • 1
    **FIDDLER users**: If you are using Fiddler with HTTPS intercepts, Fiddler will cache SSL certificates. To fix this, you need to run Fiddler's "Remove Interception Certificates" option, clear your browser's cache (no need to clear anything else), and **restart the browser**. Depending on which browser you're using, the last two steps might not be needed, but these are needed for Chrome. – NickG Jul 06 '17 at 15:14
  • 4
    Sad that I've searched the whole internet and didn't get working solution. But finally tried it out myself. Close Chrome and delete the directory "CertificateTransparency" under "C:/Users//AppData/Local/Google/Chrome/User Data" and restart, then you'll find the prompt appear again. – shouya Nov 07 '17 at 16:27
  • 1
    @ShouYa I have searched for hours and this solves the problem! – wdetac Jun 15 '18 at 10:02
  • none of these options are working for me. The only solution i found was rebooting the computer – wal May 13 '19 at 00:18
15

Many problems with SSL certificates can be solved by simply removing the file from the cache folder.

In Chrome or Chromium, the file to be removed is cert9.db in the folder ~/.pki/nssdb. (In Firefox, you’d want to remove cert8.db.)

Attention! After removing these files, you will need to re-register CAs in your browser.

This solution is for Linux systems; the steps for Windows users would be somewhat different.

cmc
Reinaldo Vale
  • 7
    It would be good if you could elaborate or provide links regarding re-registering CAs. – Mike Shultz May 06 '17 at 06:45
  • It seems that quitting and restarting chrome works after this – Ian Turton Oct 16 '17 at 11:06
  • 1
    `~/.pki` folder doesn't exist for me (on `Mac`) - and lack of explanation about re-registering CAs seems like a big oversight. Also, "on Windows, somewhat different" is not particularly helpful; if you don't know how to fix it for Windows, just say "this is a *nix-only solution" – dwanderson Jun 27 '18 at 19:04
  • This worked for me, thanks! Ubuntu 18.04 / Linux. – dusoft Feb 03 '20 at 21:38
4

As far as I know, certificates are not specific to Google Chrome (at least on Windows) but to the whole system. You’ve already deleted that cert through Chrome’s interface, so it should be gone.

Just to be certain, you could try:

Start → Run → certmgr.msc

Another tool to try is CCleaner. It should help with better cleaning of Chrome’s caches.

TRiG
LazyOne
  • 1
    Tried certmgr.msc and I don't see the cert in there. Like you said it is clearly gone since the other browsers do the right thing, maybe this is just a chrome bug of some sort – Foovanadil Jun 13 '11 at 18:36
  • So ... did you have any luck so far? Have you tried CCleaner as suggested? .. or any other tool? – LazyOne Jun 14 '11 at 09:00
  • I ran CCleaner and looked at what it wanted to delete and it was nothing more than what Chrome will delete (Just cookies and session info). – Foovanadil Jun 14 '11 at 16:38
  • 1
    If that is true, why does incognito mode work? – Jose Nobile Feb 06 '17 at 05:38
3

For Windows 10, there is a way to clear only OCSP and CRL information without clearing Chrome history.

More details can be found from Mr. Dimcev's blog post http://www.carbonwind.net/blog/post/Viewing-clearing-and-disabling-the-OCSP-and-CRL-cache-on-Windows-7.aspx

Running the suggested certutil -urlcache ocsp delete is likely to result in FAILED: 0x80070020 (WIN32: 32 ERROR_SHARING_VIOLATION) if Chrome is running.

Jari Turkia
2

In Windows:

Internet Options/Properties > Content > Clear SSL state


Then type in any address bar: chrome://restart

You don't need to clear your entire history.

dukeofgaming
  • So simple - thanks :) – webnoob Mar 07 '22 at 06:11
  • This needs more upvotes as it is the only proper answer. Restarting Chrome via `chrome://restart` also preserves tabs. Amazing! (And 10 years late). Confirmed on Win 11 / Chrome 105 – GCon Sep 18 '22 at 10:50
2

I confirmed this worked for me on Windows 10:

  1. Pre-requisite: Certify (use another computer with no "knowledge" of your site) that your server serves the new certificate to brand new computers, at least.
  2. Clear the cache of Chrome. I chose to clear all three options presented when using CTRL+SHIFT+DEL: History, Cookies, and Cached. However, you can probably keep your history.
  3. Close chrome, and using the Task Manager, certify that there is no chrome.exe running. I think chrome caches the certificate in memory.
  4. Re-open chrome and visit the site. Your chrome browser should now pull the latest certificate and not use the cached one.
Chris
  • Wiping entire history seems way too powerful method to remove OCSP-info for a single site. Is there really no alternative? – Jari Turkia Feb 19 '20 at 12:29
  • @JariTurkia, I bet you could actually keep your history. I've updated my answer to suggest this. Your answer could still be helpful for users who want to keep all their cached site data. – Chris Feb 19 '20 at 16:16
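
One way to do the check in step 1 of the answer above without any browser, as an added example that is not part of the original answer: fetch the certificate the server actually presents and compare its SHA-256 fingerprint with those of the new and the old certificate. The function names and the three outcome labels are assumptions made for this example.

```python
import hashlib
import socket
import ssl
import sys


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _norm(fp: str) -> str:
    """Make fingerprints comparable regardless of case, colons or spaces."""
    return fp.replace(":", "").replace(" ", "").upper()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate (DER) the server presents, without trusting it.

    Validation is switched off on purpose: the aim is to read whatever is being
    served, a self-signed test certificate included, not to make a trust decision.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def classify(served_der: bytes, new_fp: str, old_fp: str) -> str:
    """Compare what is served with the known new and old certificate fingerprints."""
    served = _norm(sha256_fingerprint(served_der))
    if served == _norm(new_fp):
        return "server-ok"      # new cert is served: what remains is client-side state
    if served == _norm(old_fp):
        return "server-stale"   # the endpoint still hands out the old certificate
    return "unknown-cert"       # neither: something else terminates this TLS session


if __name__ == "__main__":
    # Usage: python check_cert.py HOST NEW_SHA256_FP OLD_SHA256_FP
    host, new_fp, old_fp = sys.argv[1:4]
    der = fetch_leaf_der(host)
    print(sha256_fingerprint(der), classify(der, new_fp, old_fp))
```

The two reference fingerprints can be read from the certificate files with `openssl x509 -noout -fingerprint -sha256 -in cert.pem`. An `unknown-cert` result on the affected machine but `server-ok` from a clean one points at a local interception layer, such as the antivirus web shield or Fiddler mentioned in the comments on this page.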
-3

More accurate way:

Ctrl+Shift+Del ( or Settings > Advanced > Clear browsing data )

[ Time range: All time ]

  • Cached images and files

press: Clear data

jmp