Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Issue 93527 Improve error text of "Error 201 (net::ERR_CERT_DATE_INVALID): Unknown error"
Starred by 8 users Reported by alagesan@chromium.org, Aug 19 2011 Back to list
Status: Verified
Owner:
Closed: Feb 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Compat

Restricted
  • Only users with EditIssue permission may comment.



Sign in to add a comment
The below data is provided based on user reports in 'GoogleFeedback'. We did not reproduce the issue.
20+ users have reported this issue in Current week.
Chrome Version       : 15.0.854.0,13.0.782.112
URLs (if applicable) :https://mail.google.com/mail/?hl=it&tab=wm
Other browsers tested:
 Did not test
What steps will reproduce the problem?
1.Open Chrome browser session
2.Try accessing Gmail or Google or Google Docs webpages


What is the expected result?
Users should be able to access the Gmail, Google or Google Docs without any issue

What happens instead?
Chrome is not allowing User's to enter Gmail/Google/Google Docs and is displayed with "Error 201 (net::ERR_CERT_DATE_INVALID): Unknown error."
For more details, refer the user reports below:

http://goto.google.com/48179467
http://goto.google.com/48129838
http://goto.google.com/47450893

For more user reports, refer the Cluster URL below:
http://goto.google.com/1224368

 
Labels: Internals-Network-SSL
One quick thing is to make sure that the local time on the user's machine is configured correctly. For example, http://goto.google.com/48129838 complains about both gmail and twitter, so it's likely just an old time setting on their machine.

Perhaps we could do a better job with explaining how to remedy this in the error page. 
Cc: jtan@chromium.org
Comment 1 resolves the issue for users in the help forum, eg:

http://www.google.com/support/forum/p/Chrome/thread?tid=2645a32d73f8f729&hl=en
http://www.google.com/support/forum/p/Chrome/thread?tid=40ca7d00e7bd738d&hl=en

+1 to more helpful error text. cc-ing @jtan, who helped improve error messages in the past.
Labels: Hotlist-ConOps
Comment 4 by jtan@chromium.org, Aug 29 2011
Cc: mmenke@chromium.org
Status: Untriaged
+mmenke 

Hey Matt, is this error one that you can help us improve? I can help with the messaging if so. Are there other things the user should check for aside from an incorrect time setting?
Cc: agl@chromium.org
 Issue 94548  has been merged into this issue.
I missed the list of sites affecting this with  Issue 94548 .

Normally ERR_CERT_DATE_INVALID is a user-overridable error message, displaying the SSL interstitial page, with user-localized strings IDS_CERT_ERROR_EXPIRED_TITLE, IDS_CERT_ERROR_EXPIRED_DETAILS, IDS_CERT_ERROR_EXPIRED_DESCRIPTION, IDS_CERT_ERROR_EXPIRED_DETAILS_EXTRA_INFO_2 (or s/EXPIRED/NOT_YET_VALID)

However, if the site is an HSTS site, all certificate errors are fatal. As a result, only the generic network error page shows - with no localized strings.

Ideally, the HSTS non-overridability would be passed up to content/browser/ssl_policy.cc SSLPolicy::OnCertErrorInternal, which has a boolean flag as to whether or not the user should be able to override the error. If it's an HSTS site, setting that to false will still allow the detailed, localized messages to be displayed, but without raising an error.

This may not be suitable if the localized messages specifically refer to the "Proceed" button (since it may not be present), but hopefully offers insight into where the problem is likely originating.

The HSTS preload list is http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/net/base/transport_security_state.cc&l=580 , which should give suitable domains to test. As I cannot access the goto.google.com/ references, I can't confirm 100% that this is the issue, but based on the description and the forum posts, I believe it to be the same.
Comment 7 by k...@google.com, Aug 29 2011
Labels: Mstone-16
Owner: agl@chromium.org
Status: Assigned
Comment 8 by jtan@chromium.org, Sep 2 2011
It sounds like the forum users reporting this have all been able to resolve their issue by correcting the local time on their machines. There may be other causes for this error but the reports on this bug don't appear to point to that, so I'm going to close this bug as WontFix. I can file a separate bug to track improving the error text for ERR_CERT_DATE_INVALID.

@agl - Since you're the assigned owner, does this sound good to you?
Comment 9 by jtan@chromium.org, Sep 9 2011
Labels: -Type-Bug Type-Feature
Summary: Improve error text of "Error 201 (net::ERR_CERT_DATE_INVALID): Unknown error" (was: NULL)
Chatted with agl. We'll repurpose/retitle this bug to be about improving the error text instead. We should instruct users on the error message to check that their system clocks are configured correctly.
I'm encountering this error accessing my own internal development site. I do know that certificate is expired. It expired yesterday. However, I expect to be prompted with the option to ignore an expired certificate, and instead I receive this error.

As this is my own development server (Apache) which I use for testing HTTPS, I can also add that I am not using a Strict-Transport-Security header. And I don't see anything in the certificate which suggests HSTS to me either.

So if its the case this would occur with any site's expired certificate, it definitely seems like a bug to me.


Comment 11 by a...@golang.org, Sep 30 2011
shakerl...: can you post a screenshot of the error and the Chrome version and platform that you're using?
Attached is a screenshot of the error and version. I'm using Chrome on a Fedora 14 Linux platform.
chrome_error.png
58.5 KB View Download
I just loaded a minor update to revision 14.0.835.186, and get the same result.
Comment 14 by agl@chromium.org, Oct 3 2011
shakerl...: That really does look like an HSTS error, but the certificate isn't expired for me. Can you go to chrome://net-internals/#hsts and put handyworks.4-dogs.biz in the "Query a domain" box? (Although I fear that debugging interface wasn't working in M14.)
I have installed a new non-expired certificate for the handyworks.4-dogs.biz host, so that would no longer be an applicable test case. Sorry.
 Issue 98860  has been merged into this issue.
Comment 17 by laforge@google.com, Oct 24 2011
Labels: -Mstone-16 MovedFrom-16 Mstone-17
Comment 18 by kosov...@gmail.com, Nov 14 2011
Still consider this to be a bug. What shall I do, if for some reason I don't want to change time on my PC, but I do want to continue using secured sites?
Comment 19 by k...@google.com, Dec 19 2011
Labels: -Mstone-17 Mstone-18 MovedFrom-17
Moving bugs marked as Available but not blockers from M17 to M18.  Please move back if you think this is a blocker, and add the ReleaseBlock-Stable label.  If you're able.
Cc: palmer@chromium.org
Labels: -MovedFrom-16 -Mstone-18 -MovedFrom-17 Mstone-16
Status: Verified
This was fixed with http://crrev.com/102994 , but bugdroid never updated this issue. Further work on it was done by both agl@ and palmer@ to enhance the overall user experience.
Comment 21 by jtan@chromium.org, Feb 8 2012
Thanks for the update on this. For our information, what is the new error message the user will see in this case with this change? 

jtan: The standard Chromium SSL error interstitial for expired certificates should appear. For HSTS sites, the only difference is that the proceed button will be missing and text referring to proceed will also be missing.

The current text can be seen at a non-pinned, non-HSTS site such as

https://test-sspev.verisign.com:1443/test-SSPEV-expired-verisign.html

To test with pinning, visit chrome://net-internals/#hsts and enter values of:

Domain: test-sspev.verisign.com
Public Key Fingerprints: sha1/Guzek9lMwR3KeIS8wwS9gBvVtIg= (doesn't matter, the site is expired, but adding a pinned entry to cover all edge cases)

You can later remove the pin via the same chrome://net-internals page
Comment 23 by jtan@chromium.org, Feb 8 2012
Ah, thanks rsleevi! 
Project Member Comment 24 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 25 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Feature -Area-Compat -Internals-Network-SSL -Mstone-16 Type-Compat Cr-Internals-Network-SSL M-16
Project Member Comment 26 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Sign in to add a comment