chromium-browser: ERR_CERTIFICATE_TRANSPARENCY_REQUIRED for Symantec certs

Bug #1641380 reported by Guanhao Yin on 2016-11-13
This bug affects 233 people
Affects: chromium-browser (Ubuntu)
Importance: Critical
Assigned to: Chad Miller

Bug Description

Chromium browser in xenial no longer trusts Symantec issued certificates. See [1].

1. https://bugs.chromium.org/p/chromium/issues/detail?id=664177

Ubuntu release: 16.04
chromium-browser: 53.0.2785.143-0ubuntu0.16.04.1.1254

WORKAROUNDS: download Chrome, or use Firefox.

Guanhao Yin (yinguanhao) wrote :

Probably affects Trusty, Yakkety and Zesty too, as they also have chromium 53.

Ziad (ziadjb) wrote :

Yes, it affects Trusty, and Linux Mint too.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in chromium-browser (Ubuntu):
status: New → Confirmed

From one day to another it tells me half of my websites would use invalid certificates. The bug report for chrome describes it quite well as a ticking time bomb. Would be great to see 53 replaced quickly with 54 in mainline ubuntu.

Guanhao Yin (yinguanhao) on 2016-11-13
summary: - Xenial: ERR_CERTIFICATE_TRANSPARENCY_REQUIRED for Symantec and Geotrust
+ chromium-browser: ERR_CERTIFICATE_TRANSPARENCY_REQUIRED for Symantec certs
Guanhao Yin (yinguanhao) on 2016-11-13
description: updated
Chad Miller (cmiller) on 2016-11-13
Changed in chromium-browser (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
importance: Undecided → Critical
Jakob Oswald (jakob-oswald) wrote :

Same here, is there a workaround (disable transparency checking in chrome for now)?

Guanhao Yin (yinguanhao) wrote :

A dirty workaround: disable NTP and set system date a few days back.

_omega_ (omega-retro) wrote :

It seems you can also open developer tools and find a direct link to one of the rejected URLs; if you then attempt to directly access that link you will be given the option to temporarily allow the URL, at which point you will be able to view pages that contain the rejected certificate.
A horrible workaround as well....

[1 comment hidden]
Andrew (andrewkk) wrote :

If you're in need of an immediate workaround, it's possible to disable this check for individual sites by e.g.:

$ echo '{"CertificateTransparencyEnforcementDisabledForUrls": ["weebly.com"]}' \
| sudo tee /etc/chromium-browser/policies/recommended/workaround_1641380.json

Details: https://www.chromium.org/administrators/policy-list-3#CertificateTransparencyEnforcementDisabledForUrls

calexil (calexil) wrote :

Confirming on Mint 18 MATE.

bob (bobleny) wrote :

Same error for me as well.
The Symantec Class 3 Secure Server CA - G4 is not in the chrome certificate store.

As a temporary fix, I just saved the cert to disk and imported it into Chrome. You can get it here:
https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=INFO2045
Advanced Settings -> Https/SSL "Manage certificates"

I just hope Symantec hasn't been compromised or something...

Version 53.0.2785.143 Built on Ubuntu , running on LinuxMint 17.3 (64-bit)

Timothy Pearson (kb9vqf) wrote :

Just hit this on a Trusty machine.

The Chromium bug that was linked in the description of this bug now contains a patch to reduce impact. It's not clear to me if the bug is a complete solution or not.

I don't know if upgrading to a new Chromium or applying that patch is a faster mitigation for affected users.

Anders Frisk (anders-frisk650) wrote :

Can confirm that the #11 temporary fix works for me.

Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.04 (64-bit)

jof (jof-v) wrote :

The bug is because the build is older than 10 weeks: https://chromium.googlesource.com/chromium/src/net/+/master/cert/ct_policy_enforcer.cc#39

Could we perhaps just get the same build packaged again?

Quentin Decaunes (storm1er) wrote :

Also affects every Let's Encrypt certificate: https://letsencrypt.org/

Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.04 (64-bit)

On 14.11.2016 08:40, jof wrote:
> The bug is because the build is older than 10 weeks:
> https://chromium.googlesource.com/chromium/src/net/+/master/cert/ct_policy_enforcer.cc#39
>
> Could we perhaps just get the same build packaged again?
>
+1 for this solution. Then we have 10 weeks to get it fixed the right way.

+1

+1

Roopesh Nair (roopesh90nair) wrote :

Affects AWS console login as well: https://us-west-2.console.aws.amazon.com/console/home?region=us-west-2
Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.04 (64-bit)

Roopesh Nair (roopesh90nair) wrote :

Affects MaxCDN as well: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Version 53.0.2785.143 Built on Ubuntu , running on Ubuntu 16.04 (64-bit)

_omega_ (omega-retro) wrote :

> The bug is because the build is older than 10 weeks:
> https://chromium.googlesource.com/chromium/src/net/+/master/cert/ct_policy_enforcer.cc#39
>
> Could we perhaps just get the same build packaged again?

+1 to this also, seems a perfect solution while we wait for a new package to get built and accepted...

Ging (andrew-m-wilkins) wrote :

I'm affected by this on 16.04
chrome 53.0.2785.143
Coworker on 14.04 KDE, same version of Chrome, is unaffected.

Darryl Weaver (dweaver) wrote :

Also affects:
https://tumblr.com
https://www.meetup.com

Also confirmed on Trusty and Xenial.

bfsworks (j-warren) wrote :

Yes, this seems to affect sites that use CDNs even if the main domain certificate is not affected. It appears most major CDNs are using this family of certificate providers, which as a result affects any site that uses a major CDN.

Other sites affected (Xenial): amazon.de
In addition my banks' online banking portal.

Dmitriy Balakin (0x0000.ru) wrote :

Thawte certificates are not accepted: https://life.ru

calexil (calexil) wrote :

https://Mint.com

http://pnc.com

Jeez... I can't access any financial info through my browser anymore. Thank goodness I can through my phone.

Mike Chelen (mchelen) wrote :

Quick reminder that Firefox does not suffer from this bug, if you need a desktop browser to use.

Azusa (azunyargh) wrote :

I'm not sure how safe of a workaround this is, but starting chromium with --ignore-certificate-errors flag allows all the content to load properly.

visred (visred) wrote :

This is not a bug with Chrome. It is a bug with Symantec's certificate issuance systems.

Andrew J. Caines (cainesaj) wrote :

Thanks for the workarounds and to those working on the updated package.

This also affects GeoTrust SSL CA - G3 as used by many U.S. Government sites:

preview.cbp.gov
beta.ready.gov
wcmaas.homelandsecurity.gov
www.uscg.mil
www.safecomprogram.gov
preview.fleta.gov
www.llis.gov
www.biometrics.gov
beta.tsa.gov
preview.disasterassistance.gov
preview.fletc.gov
alpha.uscis.gov
preprod-selfcheck.uscis.gov
preview.uscis.gov
beta.uscis.gov
www.uscis.gov
my.uscis.gov
preview-everify.uscis.gov
www.infopass.uscis.gov
infopass.uscis.gov
everify.uscis.gov
www.floodsmart.gov
agents.floodsmart.gov
www.agents.floodsmart.gov
preview.ice.gov
www.citizencorps.gov
ics-cert.us-cert.gov
www.ics-cert.us-cert.gov
www.buildsecurityin.us-cert.gov
preview1.us-cert.gov
buildsecurityin.us-cert.gov
apps.fema.gov
careers.fema.gov
tdl.apps.fema.gov
beta.fema.gov
preview.fema.gov
www.nfip.fema.gov
tdl.integration.fema.gov
integration.fema.gov
preview-careers.fema.gov
wcmaas.dhs.gov
mobilecoe.dhs.gov
mock-my.uscis.dhs.gov
preview-studyinthestates.dhs.gov
cisombvos.dhs.gov
sharedservices.dhs.gov
nccic.dhs.gov
carwash.dhs.gov
www.llis.dhs.gov
www.cyber.st.dhs.gov
preview.dhs.gov

Ging (andrew-m-wilkins) wrote :

I have tried recompiling the chromium package from source on Ubuntu 16.04 and this resolves the issue (for another 10 weeks).
So the fix suggested in #22 does work.

Charles (charles-ubuntu-m) wrote :

@visred: it is a bug in Chromium. There are many sites with valid CT entries that are getting flagged and cannot be visited.

The patch is here: https://chromium.googlesource.com/chromium/src.git/+/ec8e431e9a0f80ace76368ce7edce006f3d409f2

Chad Miller (cmiller) on 2016-11-15
Changed in chromium-browser (Ubuntu):
status: Confirmed → Fix Committed
Quentin Decaunes (storm1er) wrote :

Good News =) Thanks
Any idea on ETA ?
Shouldn't be too long I think.

Peter Buri (peter.buri) wrote :

Until the package is fixed you can use builds from https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage

Marc Pignat (swid) wrote :

This PPA does the job, thank you!

Chad Miller (cmiller) wrote :

That PPA has a very stern warning on it. Ignore it at your peril.

On Tue, Nov 15, 2016 at 5:32 AM, Marc Pignat <email address hidden>
wrote:

> This PPA does the job, thank you!

Martin (rivalitaet) wrote :

Sorry, I changed the status by accident, it's still not released.

Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
Chad Miller (cmiller) on 2016-11-15
Changed in chromium-browser (Ubuntu):
status: Fix Released → Fix Committed
Nick Ceriello (nceriello) wrote :

Any ETA on the release?

Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
[34 comments hidden]
Eloquence (eloquence) wrote :

Any instructions for a workaround are appreciated:

1) Installing the certificate from https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=INFO2045 as suggested in an earlier comment doesn't work: pasting the certificate into a file and importing it into Chromium produces the error "The Private Key for this Client Certificate is missing or invalid."

2) As noted above, Chromium 54 builds are extremely crashy so not really an option.

3) Manually installing individual DEBs seems liable to break things, but if that's a workable path, I'm willing to give it a try. However, instructions which DEBs to install and whether any additional steps are needed would be appreciated.

Thanks!

wdoekes (walter+ubuntu) wrote :

54.0.2840.100-0ubuntu0.16.10.1326 from 'ppa:canonical-chromium-builds/stage' (on Yakkety) hasn't crashed yet. (Running for 10 minutes now.) Beats having to switch to FF for some pages.

wdoekes (walter+ubuntu) wrote :

Okay, that didn't take long. My slack windows started to "Aw snap!" within another 10 minutes.

Both the Xenial [*1] version and the version from Haw Loeung (hloeung) [*2] work fine though. Where the second is better because the broken Xenial version is lower and would be auto-replaced with the broken Yakkety build until a fixed version is uploaded.

Answering w2vy's (tom-moulton) question: a fixed version will likely be still higher and auto-update over these manually installed files. In short: no manual uninstall will have to be performed.

[*1]
http://nl.archive.ubuntu.com/ubuntu/pool/universe/c/chromium-browser/chromium-browser_53.0.2785.143-0ubuntu0.16.04.1.1257_amd64.deb
http://nl.archive.ubuntu.com/ubuntu/pool/universe/c/chromium-browser/chromium-browser-l10n_53.0.2785.143-0ubuntu0.16.04.1.1257_all.deb
http://nl.archive.ubuntu.com/ubuntu/pool/universe/c/chromium-browser/chromium-codecs-ffmpeg-extra_53.0.2785.143-0ubuntu0.16.04.1.1257_amd64.deb

[*2] from: https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+sourcepub/7137607/+listing-archive-extra
https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+files/chromium-browser_53.0.2785.143-0ubuntu2.16.10.1323_amd64.deb
https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+files/chromium-browser-l10n_53.0.2785.143-0ubuntu2.16.10.1323_all.deb
https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+files/chromium-codecs-ffmpeg-extra_53.0.2785.143-0ubuntu2.16.10.1323_amd64.deb

Answering Eloquence's (eloquence) question:
- find the broken packages on your system:
  $ dpkg -l | grep chromium
- select and download the replacements from here:
  https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+sourcepub/7137607/+listing-archive-extra
  (pay attention to your architecture (arm vs amd64))
- install the downloaded files:
  $ sudo dpkg -i THE_DOWNLOADED_FILES...

P.S. I'm a bit puzzled that the fix for Xenial didn't get into Yakkety immediately. Now I ran into this issue on two separate occasions.
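
The first step of the procedure above, finding which installed chromium packages are still older than the fixed upload, as an added Python example that is not from the thread or the Ubuntu packaging. It reads `dpkg -l` output (a constructed sample is embedded; not a real machine's listing) and compares versions with the same ordering rules dpkg uses, so that "1254" versus "1257" and "53.x" versus "55.x" are decided the way `dpkg --compare-versions` would decide them. The fixed version string is taken from the [*1] .deb file names above.

```python
"""
Added example: list installed chromium packages older than the fixed upload,
using a port of dpkg's version comparison (epoch, upstream, revision).
Not part of the thread, Chromium or the Ubuntu packaging.
"""

# Fixed Xenial upload, as named in the [*1] .deb links in this thread.
FIXED_XENIAL = "53.0.2785.143-0ubuntu0.16.04.1.1257"

# Constructed sample of `dpkg -l` output, not a real machine's listing.
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                          Version                              Architecture Description
+++-=============================-====================================-============-===========
ii  chromium-browser              53.0.2785.143-0ubuntu0.16.04.1.1254  amd64        Chromium open source web browser
ii  chromium-browser-l10n         53.0.2785.143-0ubuntu0.16.04.1.1254  all          chromium-browser language packages
ii  chromium-codecs-ffmpeg-extra  53.0.2785.143-0ubuntu0.16.04.1.1257  amd64        Extra ffmpeg codecs for the Chromium Browser
rc  chromium-chromedriver         53.0.2785.143-0ubuntu0.16.04.1.1254  amd64        WebDriver driver for the Chromium Browser
ii  firefox                       50.0+build2-0ubuntu0.16.04.1         amd64        Safe and easy web browser from Mozilla
"""


def _order(c):
    """Character weight used by dpkg: '~' sorts before everything, letters before symbols."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs (by weight) and digit runs (numerically)."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i] if i < la else None)
            bc = _order(b[j] if j < lb else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v: str):
    """Debian version = [epoch:]upstream[-revision]; the last hyphen starts the revision."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Negative if v1 < v2, zero if equal, positive if v1 > v2 (dpkg ordering)."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return e1 - e2
    r = _verrevcmp(u1, u2)
    return r if r else _verrevcmp(r1, r2)


def affected_packages(dpkg_l_output: str, fixed_version: str, prefix: str = "chromium"):
    """(name, version) for installed ('ii') packages under `prefix` older than `fixed_version`."""
    found = []
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or len(fields[0]) not in (2, 3) or fields[0][0] not in "uihrp":
            continue  # header or separator line, not a package row
        status, name, version = fields[0], fields[1].partition(":")[0], fields[2]
        if status == "ii" and name.startswith(prefix) and compare_versions(version, fixed_version) < 0:
            found.append((name, version))
    return found


if __name__ == "__main__":
    for name, version in affected_packages(SAMPLE_DPKG_L, FIXED_XENIAL):
        print(f"{name} {version} is older than {FIXED_XENIAL}")
```

On a real system, feed it `subprocess.run(["dpkg", "-l"], capture_output=True, text=True).stdout` instead of the sample; packages in state `rc` (removed, config remaining) are skipped on purpose, since reinstalling them is not part of the fix.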

wdoekes (walter+ubuntu) wrote :

s/the broken Xenial version is lower/the fixed Xenial version is lower/

(sorry)

+1 to #76, be nice to revert to stable Chromium ASAP though

gloonie (gloonie) wrote :

Agree with above: Build 54 worked for this bug, but Chromium is very unstable in other respects.

Chad Miller (cmiller) on 2016-12-12
Changed in chromium-browser (Ubuntu):
status: Fix Released → In Progress
Jesse Glick (jesse-glick) wrote :

Confirmed that chromium-browser_53.0.2785.143-0ubuntu2.16.10.1323_amd64.deb and the two others mentioned in #77 fix a custom atlassian.net site.

Dandapani (daniel-obrien) wrote :

This cert is an Authorities Cert. Cut/paste into file and import as Authorities:

 https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=INFO2045

Eloquence (eloquence) wrote :

That did the trick. Thank you, Dandapani! For those still experiencing the issue, try following the instructions in #11 / #82. This will fix it for sites using the Symantec CA but not for the GeoTrust ones e.g. #32. Does anyone have a link handy for importing the Geotrust CA?

Fix in #11/#82 fixed it for me as well...at least for sites like Amazon. (Running 16.10)

#82 fixed issue with , but not with "Symantec Class 3 EV SSL CA - G3".

Here is a link to intermediate certificate Symantec G3:

https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR2061

It fixed connection to my bank.

crysman (crysman) wrote :

I am affected, too. Manually importing the certificate as suggested in #82 has helped in sites like Amazon.com, but does not solve the problem.

I am experiencing issues with this certificate:
===
Common Name (CN) RapidSSL SHA256 CA
Organization (O) GeoTrust Inc.
===

Before the Chromium update it had worked normally, and it is still working right now in Firefox.

crysman (crysman) wrote :

Also this one:
===
Common Name (CN) GeoTrust EV SSL CA - G4
Organization (O) GeoTrust Inc.
===

barnaba (barnabaturek) wrote :

I think that the proposed 'fix' of just importing the Symantec certs isn't a very smart move, chrome requires transparency for a reason (you can read about it following the links in the original ticket).

Robert Kiesel (robert-kiesel) wrote :

Debian just updated to Chromium 55

https://packages.debian.org/stable/web/chromium

So this should come soon to Ubuntu.

Xaratas (nomikon+ubuntu) wrote :

The build in #68 does prevent the error, but during or shortly after the page loads it crashes the tab, displaying "Aw, Snap!" without any hint why.

Tested with codingame.com (crashes only after login) and amazon.(com|de).
Tested in incognito mode, no active plugins.

When will chromium 55 be available?

hackel (hackel) wrote :

The new Zesty Chromium 55 packages are much more stable than 54 for me. Haven't noticed any issues yet! They also install cleanly on 16.10.

https://launchpad.net/~canonical-chromium-builds/+archive/ubuntu/stage/+packages

Achim Behrens (k1l) wrote :

Installed the freshly built amd64 Yakkety .debs from the link in #91 and it's working again now.

w2vy (tom-moulton) wrote :

There were build failures for yakkety (and others), so there could be lingering issues with those binaries

Oliver Egginger (lau6chpad) wrote :

Installed 55.0.2883.75-0ubuntu0.16.10.1327 now.

Works so far but what surprises me is the following error on Twitch now:

"No supported video backend avaiable; Flash is not installed"

I could use Twitch before without problems.

John Moser (nigelenki) wrote :

I see @cmiller reopened this bug without comment. Is the Ubuntu team researching an issue preventing a successful fix at this time?

Chad Miller (cmiller) wrote :

Chromium v55 is in testing. The only blocker is that Flash seems to have stopped working. More soon.

Is this related to the problem of displaying a message like this: https://chromeunboxed.com/googles-chrome-55-hasnt-killed-flash-yet/ ?

Chad Miller (cmiller) wrote :

@Daniele, no, that's not it. Google Chrome and Chromium behave differently, on same version.

dimovnike (dimovnike) wrote :

This is madness. A lot of sites are cut off, like Amazon and others. I tried version 55 from staging but it doesn't work properly yet (sites like Amazon and YouTube end up in "Aw, Snap!"). Does anyone know when to expect a fix?

Chad Miller (cmiller) wrote :

I think I found the cause of the flash-not-running blocker. A few hours to build, a few to test further, and then maybe released in a few after that.

Please keep bug reports useful. Workarounds and hand-wringing make it hard to keep track of bugs.

Changed in chromium-browser (Ubuntu):
status: In Progress → Fix Committed
Lee Revell (rlrevell-k) wrote :

Why is this still broken on yakkety? Fix committed *30 days ago*? Literally half the internet is broken. This is the longest I can remember a showstopper bug going unfixed in the 10+ years I have been using Ubuntu.

@cmiller are you talking about #82 and #85 ?

Chromium 55.0.2883.75-0ubuntu0.16.10.1327 fixes this bug but has other video related problems (on Twitch if you don't enable Flash explicitly like #94 or other Flash websites even if you enable it maybe fixed on #100 but not released yet I assume)
Why not release a Chromium 53 with CT timebomb disabled (like Debian) right now and take time to fix the Chromium 55 build ?
It's really a showstopper bug like @rlrevell-k said for Ubuntu yakkety users, I thought it would have been fixed (even intermediately) much sooner.

Florian W. (florian-will) wrote :

Flash not working is less of a show stopper than half of the internet not working because of trust issues. (Who needs flash anyway? I use it maybe once a month, but now I can't do my christmas shopping in Chromium because amazon doesn't work no matter what.) So if you can't get flash to work, I'd recommend just pushing the new chromium anyway. :-)

description: updated
[1 comment hidden]
zebul666 (zebul666) wrote :

Why is the bug still not fixed on Yakkety? Still using chromium 53.0.2785.143-0ubuntu1.1307.

For those in a lurch because of this error, you can always install Chrome (the non-open-source version) and use it until this situation is cleared up. Chrome and Chromium seem to be able to exist side-by-side, and when this is resolved you can remove it or switch back to Chromium and just leave it for the next crisis. Not ideal, and definitely not for those who use Chromium to avoid proprietary software, but a workaround that lets you keep your workflow going without switching to Firefox.

Moses Moore (moses-ubuntu) wrote :

Just installed yakkety-updates/universe chromium-browser 55.0.2883.87-0ubuntu0.16.10.1328

I'm no longer shut out of Amazon (Cloudfront) nor IBM intranet sites. I'll find out if it's a permanent fix ten weeks from now.

Chad Miller (cmiller) on 2016-12-17
Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
Richard (ismail-a) wrote :

Certificate transparency can be tested by browsing to https://npr.org

For a broken build, this will display an intermediate full-page warning with a "Back to safety" action button.

Other sites may have difficulty loading resources and display huge unscaled images, garbled content or missing JavaScript functions:
- this is likely to happen if "proceed (unsafe)" is selected
- the site may use a large number of domain names, making it practically impossible to browse the site

HSTS sites cannot be browsed at all.

Richard (ismail-a) wrote :

Another complication is that Chromium 55 video (H.264) is currently broken, too:
bug 1650730

Richard (ismail-a) wrote :

As of 161230, this defect is still present for Ubuntu 16.10 Yakkety

Andrew J. Caines (cainesaj) wrote :

Chad, thanks for your work on this. 55.0.2883.87 (Developer Build) Built on Ubuntu, running on Ubuntu 16.04 (64-bit) working everywhere I've visited.

Richard, NPR's site may not be a good test since https://npr.org/ uses a wildcard cert for *.npr.org with no alternate name for npr.org and while https://www.npr.org/ works fine, the site redirects to http://npr.org/

An example of a site done well by someone competent is Troy Hunt's invaluable https://haveibeenpwned.com/ which has Certificate Transparency for the site and several resources (Google) as well as CloudFlare.

Richard (ismail-a) wrote :

Actually, it does work for latest 16.10

dpkg --status chromium-browser | egrep "(V|Pa)"
Package: chromium-browser
Version: 55.0.2883.87-0ubuntu1.16.10.1330

h.264 works, too: bug 1650730

Tested at:
https://www.meetup.com
https://www.youtube.com/html5

William Hua (attente) wrote :

Hi Chad, thanks for this, is this fix going to be released in zesty soon? It seems to have been stuck in zesty-proposed for some time... also, is there a reason that the updates are going to yakkety first before zesty?

[Displaying the first 40 and last 40 of 114 comments]