Starred by 8 users
Status: WontFix
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 3
Type: Bug



Always get a net::ERR_CERT_DATABASE_CHANGED error when loading https site
Reported by the.warl...@gmail.com, Sep 22 2016
Chrome Version       : 53.0.2785.116 (Official Build) (64-bit)
OS Version: OS X 10.12
URLs (if applicable) : https://mail.google.com
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari 10: OK

What steps will reproduce the problem?
1. Open any https page

What happens instead of that?
Page does not load. Open Developer Tools and you see bunches of errors:
net::ERR_CERT_DATABASE_CHANGED
net::ERR_NETWORK_CHANGED

It happens every time

Please provide any additional information below. Attach a screenshot if
possible.
It was OK before upgrading to Mac Sierra. You can start from there.
 
Comment 1 by phistuck@gmail.com, Sep 22 2016
You did not add a net-log, like Ryan asked. That makes it hard to impossible to reproduce the issue. Please, add a net-log using the instructions at -
https://dev.chromium.org/for-testers/providing-network-details

Thank you.
Labels: Needs-Feedback
Components: Internals>Network
1. Screenshot of errors.
2. net-logs. I cleaned up history and logged in to google mail.
screen 2016-09-22 at 15.35.44.jpg
90.7 KB
net-internals-log (3).json
5.6 MB
Additional information:

1. My ~/Library/Application\ Support/Google is a symlink to a folder in an encrypted DMG file.
2. I'm accessing google sites through a socks5 proxy
Hmm, just tried more sites, same problem for facebook.
screen 2016-09-22 at 15.44.22.jpg
198 KB
Open Keychain Access.

Are you adding and removing Keychains? Do you have any programs which might change the trust settings of CAs?

I ask because running an encrypted DMG through a socks5 proxy generally suggests a degree of (and I don't mean this negatively, just factually) security paranoia, and such security paranoia can also do weird things like have applications adding/removing Keychains (perhaps per-app) or changing CA trust settings.
Comment 8 Deleted
Sigh, I've double checked with opensnoop command. No program is modifying Keychains. (~/Library/Keychains)

However, during those tests, AlipayDispatcherService seems to run every few seconds.
I don't know what it does, but surely looks suspicious.

I have disabled the program, and will come back in a few days, hmm
sudo mv "/Library/Application Support/Alipay"{,.bak}


Cc: pinkerton@chromium.org ellyjo...@chromium.org
Cc'ing some mac folks
Hm. This error does seem to be a little bit more common on 10.12 than previous releases, but it's still at practically zero frequency, which suggests that this isn't a widespread issue.

#9: Okay, please report back if disabling that program fixes the issue. I doubt that this is a Chrome issue on the basis of the investigation so far.
I've reported this issue to Alipay to see if the problem is caused by them and if it can be fixed.
Comment 13 by danfr...@gmail.com, Sep 22 2016
Getting the same issues. I can see in activity monitor AlipayDispatcherService is popping in and out each time the error happens on Chrome loading an https website. In the Apple Console I am getting:

default	00:49:56.226270 +0800	AlipayDispatcherService	TIC TCP Conn Start [1:0x7ff1c00103e0]
default	00:50:16.316838 +0800	AlipayDispatcherService	Faulting in NSHTTPCookieStorage singleton
default	00:50:16.316866 +0800	AlipayDispatcherService	Faulting in CFHTTPCookieStorage singleton
default	00:50:16.316883 +0800	AlipayDispatcherService	Creating default cookie storage with process/bundle identifier
default	00:50:16.318143 +0800	AlipayDispatcherService	subsystem: com.apple.network, category: , enable_level: 0, persist_level: 0, default_ttl: 0, info_ttl: 0, debug_ttl: 0, generate_symptoms: 0, enable_oversize: 0, privacy_setting: 2, enable_private_data: 0

every 10 seconds or so, regardless of what I do, from boot. Not sure if it helps.
Comment 14 by danfr...@gmail.com, Sep 22 2016
cd /Library/LaunchDaemons/
sudo cp com.alipay.DispatcherService.plist com.alipay.DispatcherService.plist.bk
sudo rm com.alipay.DispatcherService.plist
sudo reboot

Just rebooted, no AlipayDispatcherService running (and therefore no log every 10 sec), no error in Chrome anymore loading https websites.

Did not happen before updating to Sierra.

Comment 15 by sdy@chromium.org, Sep 22 2016
This should stop it without a reboot:

sudo launchctl remove com.alipay.DispatcherService

(You still need to rename/delete the file if you want to disable it persistently.)
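
Added example, not part of the original thread and not Chromium or Alipay code: a Python audit of a launchd directory such as /Library/LaunchDaemons that lists non-Apple jobs and the keys that make launchd start or restart them, which is the triage the commenters above did by hand before disabling the daemon. The `com.example.DispatcherService` plist and its keys are constructed sample data; only the directory path comes from the thread.

```python
import plistlib
import tempfile
from pathlib import Path

# launchd keys that start a job unprompted, restart it, or run it on a timer.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths")

def audit_launchd_dir(directory, skip_prefixes=("com.apple.",)):
    """Return one finding per non-Apple launchd job plist in `directory`."""
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)  # reads XML and binary plists
            if not isinstance(job, dict):
                raise ValueError("plist root is not a dictionary")
        except Exception as exc:  # malformed or unreadable: report, keep going
            findings.append({"file": path.name, "error": type(exc).__name__})
            continue
        label = str(job.get("Label", path.stem))
        if label.startswith(skip_prefixes):
            continue
        args = job.get("ProgramArguments") or [job.get("Program", "")]
        findings.append({
            "file": path.name,
            "label": label,
            "program": args[0],
            "triggers": {k: job[k] for k in TRIGGER_KEYS if k in job},
        })
    return findings

def demo():
    """Audit a temporary directory of constructed plists (not real jobs)."""
    samples = {
        "com.example.DispatcherService.plist": {  # constructed third-party job
            "Label": "com.example.DispatcherService",
            "ProgramArguments": ["/Library/Application Support/Example/svc"],
            "RunAtLoad": True, "KeepAlive": True},
        "com.apple.sample.plist": {"Label": "com.apple.sample",
                                   "Program": "/usr/libexec/sample"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in samples.items():
            (Path(tmp) / name).write_bytes(plistlib.dumps(job))
        (Path(tmp) / "broken.plist").write_bytes(b"not a plist")
        return audit_launchd_dir(tmp)

if __name__ == "__main__":
    for finding in audit_launchd_dir("/Library/LaunchDaemons"):
        print(finding)
```

A job that reports `KeepAlive` or `StartInterval` is one launchd will keep relaunching, which matches a process that pops in and out of Activity Monitor every few seconds.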
Cc: rsesek@chromium.org
+rsesek
Lots of Mac CC's, but Comment #7 is the hint that it's "kinda" WAI

We listen for Keychain events for an Add/Remove Keychain event or a Trust Settings change event, and on either of those, we flush all socket pools (because both TLS trust settings may have changed and there may be new / no longer available smart cards). We had to do this to gracefully handle smartcard insertion/removal events on OS X, as otherwise Chrome could prevent ejection of smartcards (in locking readers) or miss when they were added (requiring Chrome restarts).

It sounds like the Alipay code is, at least in 10.12, perhaps not functioning right and thus causing a removal/addition of its keychain used for Alipay/AliDisplay, which then results in triggering a socket flush.

So I'm tentatively putting this in the "Third-party software is meh" for now, but happy to see that if we see software *other* than this particular bit, that there may be changes in OS X.
Components: -Internals>Network Internals>Network>Certificate
Regarding ERR_CERT_DATABASE_CHANGED, the stats indicate a steady growth of this on all platforms except linux:

cros: https://goto.google.com/udkog
mac: https://goto.google.com/lssaj
android: https://goto.google.com/ueexz
windows: https://goto.google.com/bbcfm
linux: https://goto.google.com/tqnxg
Eric: Filed Issue 650509 for what I think may be a partial cause. There's no way we should be hitting that path that frequently. I also suspect there may be some Google bias in those numbers.
Thanks!
Project Member Comment 22 by sheriffbot@chromium.org, Oct 4 2016
Labels: -Needs-Feedback Needs-Review
Owner: rsleevi@chromium.org
Thank you for providing more feedback. Adding requester "rsleevi@chromium.org" for another review and adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix
I'm going to close this, on the basis of Comment #17.