Andrew Ayer
May 3 · 9 tweets · 3 min read
If your website's SSL certificate was issued in 2020, it may have stopped working in Chrome today (with the error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED). Fix is to get a new certificate from your CA.

Use this tool to check if your site is affected: sslmate.com/labs/ct_policy…
Background: Chrome requires all certificates to be published in at least one active (non-retired) #CertificateTransparency log. For various reasons, logs are occasionally shut down/retired. If every log that a certificate is logged to is retired, the cert stops working. 2/n
Many non-Google logs have been retired over the years, but until recently Chrome required that certs also be logged to a Google-operated log. Thus, retiring a log never caused certs to break: you could always count on the cert to be in an active Google log. Until yesterday. 3/n
Yesterday, Google-operated logs were retired for the first time: groups.google.com/a/chromium.org…

The retired logs (Icarus, Rocketeer, Pilot, and Skydiver) are legacy logs which have been superseded by Argon and Xenon. 4/n
The graceful shutdown of these logs began in 2020. One by one, Icarus, Rocketeer, Pilot, and Skydiver were reconfigured to reject most new certificate submissions. Eventually, they would contain only expired certificates, allowing them to be retired without causing breakage. 5/n
The last log was reconfigured on June 10, 2020: groups.google.com/a/chromium.org…

At the time, the longest certificate lifetime was 825 days. Thus, on Sep 13, 2022, it would be safe to retire these logs. 6/n
But Chrome retired these logs on May 1. There are still unexpired certs in Skydiver, Rocketeer, and Pilot. Any cert logged to one of these logs plus one of the retired non-Google logs (DigiCert 1 or 2) is now broken. 7/7
Update: these logs have been un-retired.

This is not yet reflected in the JSON log list published by Google, but can be seen in the protobuf file that is downloaded by Chrome clients several times a day. Once your client downloads the latest file, the errors should stop.
Chrome's official announcement of the un-retirement: groups.google.com/a/chromium.org…

Chrome still plans to retire these logs in the "near future" and says sites using impacted certs should replace them ASAP.
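As an added illustration (not code from the thread, from Chrome, or from SSLMate's checker), here is a Python parser for the RFC 6962 SCT list that a certificate embeds, applying the rule the thread describes: the certificate must carry an SCT from at least one log that Chrome still treats as active. The log IDs are constructed placeholders, not the real IDs of Pilot, Skydiver, Argon or any other log.

```python
import struct
from hashlib import sha256
# Constructed placeholder log IDs. Real IDs are the SHA-256 of a log's public
# key; these are NOT the IDs of Pilot, Skydiver, Argon or any real log.
LOG_A = sha256(b"constructed retired log A").digest()
LOG_B = sha256(b"constructed retired log B").digest()
LOG_C = sha256(b"constructed active log C").digest()
RETIRED = {LOG_A: "retired-log-a", LOG_B: "retired-log-b"}
ACTIVE = {LOG_C: "active-log-c"}

def parse_sct_list(data: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList (the bytes inside the
    extension's OCTET STRING): 2-byte total length, then 2-byte-length-prefixed
    v1 SCTs (version, 32-byte log_id, 8-byte ms timestamp, extensions,
    hash alg, sig alg, 2-byte-length-prefixed signature)."""
    if len(data) < 2 or struct.unpack("!H", data[:2])[0] != len(data) - 2:
        raise ValueError("bad SCT list length")
    pos, scts = 2, []
    while pos < len(data):
        n = struct.unpack("!H", data[pos:pos + 2])[0]
        sct, pos = data[pos + 2:pos + 2 + n], pos + 2 + n
        if len(sct) != n or n < 47 or sct[0] != 0:      # v1 only
            raise ValueError("truncated or non-v1 SCT")
        ext_len = struct.unpack("!H", sct[41:43])[0]
        sig_off = 43 + ext_len + 2                       # skip the 2 algorithm bytes
        if n < sig_off + 2 or struct.unpack("!H", sct[sig_off:sig_off + 2])[0] != n - sig_off - 2:
            raise ValueError("SCT signature length mismatch")
        scts.append({"log_id": sct[1:33],
                     "timestamp_ms": struct.unpack("!Q", sct[33:41])[0]})
    return scts

def check_ct_compliance(sct_list: bytes, active: dict, retired: dict) -> dict:
    """The rule the thread describes: at least one SCT must come from a log
    that is still active. Logs in neither set are untrusted and do not count."""
    scts = parse_sct_list(sct_list)
    active_hits = [active[s["log_id"]] for s in scts if s["log_id"] in active]
    retired_hits = [retired[s["log_id"]] for s in scts if s["log_id"] in retired]
    return {"ok": bool(active_hits), "active": active_hits, "retired": retired_hits}

def build_sct(log_id: bytes, ts_ms: int, sig: bytes = b"\x30\x00") -> bytes:
    """Encode a v1 SCT with empty extensions and sha256/ecdsa algorithm bytes,
    for constructing test input; the signature is a dummy and is not verified."""
    body = (b"\x00" + log_id + struct.pack("!Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack("!H", len(sig)) + sig)
    return struct.pack("!H", len(body)) + body

def build_sct_list(scts: list) -> bytes:
    inner = b"".join(scts)
    return struct.pack("!H", len(inner)) + inner
```

A certificate whose only SCTs come from logs in the retired set is exactly the case that produces NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED, since the signatures themselves may still be valid.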
