
Issue 809754

Starred by 8 users

Issue metadata

Status: Duplicate
Merged: issue 88003
Owner: ----
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 3
Type: Bug




ERR_CERT_AUTHORITY_INVALID error simultaneous with "This certificate is valid"

Project Member Reported by rch@chromium.org, Feb 6 2018

Issue description

Chrome Version       : 66.0.3341.0
OS Version: OS X 10.13.3
URLs (if applicable) : https://markets.on.nytimes.com/research/tools/builder/api.asp?sym=%24SP&duration=1&chartstyle=ArticleInline&w=375&h=212&display=fillclose&scale=2&topLabel=%20S.%26P.&showChange=1&backgroundColor=FFFFFF&fillColor=E3E9ED&line1Color=3E5A7F&line2Color=C7D0D
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari:
    Firefox:
    IE/Edge:

What steps will reproduce the problem?
1. Open https://markets.on.nytimes.com/research/tools/builder/api.asp?sym=%24SP&duration=1&chartstyle=ArticleInline&w=375&h=212&display=fillclose&scale=2&topLabel=%20S.%26P.&showChange=1&backgroundColor=FFFFFF&fillColor=E3E9ED&line1Color=3E5A7F&line2Color=C7D0D5
2. Observe NET::ERR_CERT_AUTHORITY_INVALID
3. Click on HTTPS broken lock and observe "Certificate (invalid)"
4. Click the certification UI and observe "This certificate is valid" for the leaf, intermediate and root certificate.
5. Click on ERR_CERT_AUTHORITY_INVALID to see:
NET::ERR_CERT_AUTHORITY_INVALID
Subject: markets.on.nytimes.com

Issuer: RapidSSL SHA256 CA - G3

Expires on: Jun 28, 2018

Current date: Feb 6, 2018

PEM encoded chain:

What is the expected result?

Either the certificate is valid, in which case I would have expected the page to load.

Or the certificate is not valid, in which case I would expect the UI to not say "this certificate is valid"

What happens instead of that?

Mismatch between the error code and the UI.

(But probably there is subtlety here that I don't understand)

Please provide any additional information below. Attach a screenshot if
possible.

UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3341.0 Safari/537.36



 
Components: UI>Browser>CertificateViewer
Mergedinto: 88003
Status: Duplicate (was: Unconfirmed)
This is a known issue, as tracked in Issue 88003. The UI is controlled by the OS, and does not reflect Chrome's evaluation policies. We have not announced any plans to switch to a Chrome-operated UI to show the errors and policies from Chrome.

The certificate is being distrusted as part of https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html 

Comment 2 by rch@chromium.org, Feb 6 2018

Ah! Thanks. I wondered if symantec might have been part of the issue here. Too bad the UI doesn't match, but I totally understand the decision to show the platform UI.
Cc: elawrence@chromium.org
Issue 810348 has been merged into this issue.
Issue 810462 has been merged into this issue.
Cc: rsleevi@chromium.org a...@chromium.org est...@chromium.org
Issue 810650 has been merged into this issue.
Issue 812488 has been merged into this issue.
Issue 835633 has been merged into this issue.
