New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 737815 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Last visit 16 days ago
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

Changing root trust on Windows does not take effect until Chrome restarts

Project Member Reported by marchuk@chromium.org, Jun 29 2017

Issue description

59.0.3071.115 Win7 64-bit
Also reproduced in 58.0.3029.110 (64-bit), 55, 48, so it's not a regression.

What steps will reproduce the problem?

Reproduced in QD5:
1. Configure https server with self-signed certificate
2. Open https page https://40.26.197.35.bc.googleusercontent.com get NET::ERR_CERT_AUTHORITY_INVALID error, which is expected, as this website with self-signed certificate, which is not added to windows certificate store yet.
3. Do not close Chrome, Import Root CA root2.crt to Trusted Root Certification Authority and t7.crt to let windows choose path automatically.
4. Refresh, re-open webpage https://40.26.197.35.bc.googleusercontent.com/

What is the expected result?
No errors while re-opening https://40.26.197.35.bc.googleusercontent.com/ when proper certificates are pushed to windows certificate store.

What happens instead?
NET::ERR_CERT_AUTHORITY_INVALID error still there.

P.S. After exiting chrome completely, make sure no chrome.exe left running, start again, launch https://40.26.197.35.bc.googleusercontent.com, page opens without errors.

Microsoft Internet Explorer behaves as expected.

Have green customer with ~6000 users affected (the are refreshing certificates in windows, when they launch chrome while refresh is still in progress, after certificate refresh process completes, chrome still shows ERR_CERT_AUTHORITY_INVALID) and as workaround, sysadmin has to come over to each individual user, open-close chrome, sometimes with clearing cache.

Video, certificates attached.

Per https://bugs.chromium.org/p/chromium/issues/detail?id=323288 #9 "Chrome will not cache resources that have certificate errors"

Ricardo, can you please help to triage?
 
1.avi
4.1 MB Download
Jun 28 2017 3-27 PM.webm
6.8 MB View Download
root2.crt
1.5 KB Download
t7.crt
2.0 KB Download
chrome_debug.log
256 KB View Download
Status: WontFix (was: Untriaged)
Perhaps assigned to the wrong person (that's a lot of rvargas), but this is working as intended.

For a variety of reasons, we intentionally do not observe or respect trust store changes while Chrome is running. The appropriate answer is - as noted - to restart Chrome, on any/all platforms, to ensure any trust changes propagate effectively.
Summary: Changing root trust on Windows does not take effect until Chrome restarts (was: Chrome caches resources that have SSL errors, but should not)

Sign in to add a comment