127

I have a HAProxy / stunnel server that handles SSL for our sites on AWS. During testing, I created a self-signed cert on this server and hit it from my desktop using Chrome to test that stunnel was working correctly.

Now I have installed the legitimate cert on that server. When I hit the site from my machine in Chrome it throws the following error:

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

My guess is that Chrome cached the key for the self-signed cert and it doesn’t match that of the legitimate cert. This site works in all other browsers on my machine so it’s just a Chrome problem.

One interesting note: When hitting the page from an incognito session (Ctrl+Shift+N), it works correctly. So it is clearly some sort of cache thing.

I did all the things I could think of (dumped my cache, deleted certs from the Personal and Other People page in the Manage Certificates dialog, Ctrl+F5, etc.).

My machine is Windows 7 x64. Chrome version: 12.0.742.91.

On the Google Chrome Help Forum, there is a description of what sounds like the same issue; however, no resolution is found.


UPDATE: It seems to have “fixed itself” today. I hate problems like this. I still don’t know what caused it or how it resolved itself. Presumably the cached cert expired or something, but I am still interested to know where this information is stored and how to verify it.

TRiG
Foovanadil

8 Answers

43

Chrome stores SSL certificate state per host in browser history.

So just clear browser history (Ctrl+Shift+Del), at least the following parts:

  • Cached images and files
  • Hosted app data
  • Content licenses
  • Cookies and other site data, for Chrome version 64

Solution 2. If the above doesn't help, try this:

  • Close Chrome, kill all chrome background processes
  • Delete the directory:
    %USERPROFILE%/AppData/Local/Google/Chrome/User Data/CertificateTransparency
rustyx
36

In Windows:

Internet Options/Properties > Content > Clear SSL state

Then type in any address bar: chrome://restart

You don't need to clear your entire history.

17

Many problems with SSL certificates can be solved by simply removing the file from the cache folder.

In Chrome or Chromium, the file to be removed is cert9.db in the folder ~/.pki/nssdb. (In Firefox, you’d want to remove cert8.db.)

Attention! After removing these files, you will need to re-register CAs in your browser.

This solution is for Linux systems; the steps for Windows users would be somewhat different.

cmc
6

As far as I know, certificates are not specific to Google Chrome (at least on Windows) but to the whole system. You’ve already deleted that cert through Chrome’s interface, so it should be gone.

Just to be certain, you could try:

Start → Run → certmgr.msc

Another tool to try is CCleaner. It should help with better cleaning of Chrome’s caches.

TRiG
LazyOne
3

For Windows 10, there is a way to clear only OCSP and CRL information without clearing Chrome history.

More details can be found from Mr. Dimcev's blog post https://web.archive.org/web/20211209012218/http://www.carbonwind.net/blog/post/Viewing-clearing-and-disabling-the-OCSP-and-CRL-cache-on-Windows-7.aspx

Running the suggested certutil -urlcache ocsp delete is likely to result in FAILED: 0x80070020 (WIN32: 32 ERROR_SHARING_VIOLATION) if Chrome is running.

Gili
2

I confirmed this worked for me on Windows 10:

  1. Pre-requisite: Certify (use another computer with no "knowledge" of your site) that your server serves the new certificate to brand new computers, at least.
  2. Clear the cache of Chrome. I chose to clear all three options presented when using CTRL+SHIFT+DEL: History, Cookies, and Cached. However, you can probably keep your history.
  3. Close Chrome, and using the Task Manager, certify that there is no chrome.exe running. I think Chrome caches the certificate in memory.
  4. Re-open Chrome and visit the site. Your Chrome browser should now pull the latest certificate and not use the cached one.
Christopher
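
Step 1 of the answer above (confirming what the server itself serves) can be done without any browser, so no browser cache is involved. The following is an added example, not part of the original answer: it fetches the certificate the server presents and compares its SHA-256 fingerprint with the certificate file you installed. The function names, the sample values and the command-line usage are assumptions of this example.

```python
import hashlib
import ssl
import sys


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, formatted as colon-separated hex pairs."""
    # Assumes the PEM text holds a single certificate (the leaf), not a chain.
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def compare(served_pem: str, expected_pem: str) -> str:
    """Return 'match' when the server presents the expected certificate."""
    served, expected = fingerprint(served_pem), fingerprint(expected_pem)
    if served == expected:
        return "match"
    return f"MISMATCH: served {served}, expected {expected}"


def check_host(host: str, expected_pem: str, port: int = 443) -> str:
    # No ca_certs argument, so the chain is not validated: a self-signed
    # leftover from testing is fetched and compared like any other certificate.
    served_pem = ssl.get_server_certificate((host, port))
    return compare(served_pem, expected_pem)


# Constructed stand-ins (arbitrary bytes, not real certificates) so the
# comparison logic can be exercised offline.
SAMPLE_SELF_SIGNED = ssl.DER_cert_to_PEM_cert(b"constructed self-signed test cert")
SAMPLE_LEGITIMATE = ssl.DER_cert_to_PEM_cert(b"constructed CA-issued cert")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py HOST EXPECTED_CERT.pem
        with open(sys.argv[2]) as fh:
            print(check_host(sys.argv[1], fh.read()))
    else:
        print(compare(SAMPLE_LEGITIMATE, SAMPLE_LEGITIMATE))
        print(compare(SAMPLE_SELF_SIGNED, SAMPLE_LEGITIMATE))
```

If this reports a match while Chrome still shows the old certificate or an error, the server is fine and the stale state is on the client side.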
0

Given quite a lot of complicated and incorrect answers: Chrome caches certificates and does not have an option to remove them. However you can just force it to get a new one, for example if the website is "www.domain.com" you open "domain.com". This will make Chrome re-download the (same) certificate which then refreshes both.

John
-3

More accurate way:

Ctrl+Shift+Del (or Settings > Advanced > Clear browsing data)

[ Time range: All time ]

  • Cached images and files

press: Clear data

Mr. Smit