This is a false error caused by the browser's cached pins; it does not reflect what the site really is. If a site were really malicious, your antivirus or antimalware would warn you. Our site is at this moment facing the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error in Google Chrome, on Android and in similar browsers because of overlooked public key pinning: the cached pin values did not match before our GeoTrust SSL certificate expired. We do not have any major technical error. We intended to continue with GeoTrust as CA, and it was expected that an expired certificate's pin set would be flushed. In order to "comply" with Chrome's cache-based block, we had to keep using the expired certificate! You can see how flawed the rules behind Chrome's caching of pins are.
GeoTrust, meanwhile, changed a great deal. Do you want to solve NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN as a webmaster? Unfortunately, because the technology is immature, there is no manual way. You and we are not the only sufferers; many webmasters and many users face it. The work of the paid engineers at various companies is basically experimental. There are, however, some steps you should take as webmaster to increase the chance that your domain will again be displayed properly in Google's various browsers.
Solve NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN: For the Visitors
In the Chrome browser it is easy. Navigate to chrome://net-internals/#hsts, query the domain, then type the same hostname into the Delete domain section and click Delete. This erases Chrome's cached HSTS entry for the host and also the pinned public key values. Alternatively, you can use any Microsoft or Apple browser.
Solve NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN: For the Webmasters
Nobody can say when users will be able to browse your site again. Whether Chrome ever flushes the value is a matter of luck. As a webmaster, you may need to plan to move to another domain and 301 redirect all URLs from the affected site.
You can, however, take some steps to show that the changes are your own and natural, not created by a hacker.
Do not stop publishing new articles
If you stop publishing articles, it will look as if you are inactive and the site really is compromised. When you regularly publish articles, some users will find a way to visit. You will not lose 100% of your visitors; you will lose around 50% of users, resulting in a loss of more than 50% of revenue. Mobile users normally do not click ads.
The error is only cosmetic; bots will normally still crawl the site.
Delete your domain from the HSTS Preload list
Check whether your website is on the HSTS Preload list. It is not necessarily something you did yourself; by luck it may have been added automatically. A web search will find the official HSTS preload site and its instructions for removal. You need to remove the preload directive from the web server's configuration file. Next, set max-age to zero. After a few days you can comment out the directive.
Decrease the max-age of Public Key Pinning
Decrease it to 300 or lower, but not all the way to zero.
Test Your SSL Settings Using Web Tools
Make 100% sure that your current pins and certificates have no errors by testing with SSL Labs' tool and with the tool by Scott Helme.
His tool will generate 3 pin values; add them in addition to whatever pins you already had. Passing these two tests confirms that your server currently has no real technical error.
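As an added example (not code from the original post, nor from either tool mentioned above), the Python below reproduces the rule behind this error: it computes pin values the way such tools do, as base64(SHA-256(DER SubjectPublicKeyInfo)) of each certificate, and checks that at least one pin-sha256 in a Public-Key-Pins header matches the served chain. The minimal DER walker, the function names and the certificate-shaped sample built by sample_cert are my own constructions; the sample is not a real, signed certificate.

```python
import base64, hashlib, re

def der(tag, content):
    """Encode a short-form DER TLV (only used to build the constructed sample input)."""
    return bytes([tag, len(content)]) + content

def tlv(buf, pos=0):
    """Decode the DER TLV at pos; return (tag, value, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_pin(cert_der):
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo)) of one certificate."""
    _, cert, _ = tlv(cert_der)  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = tlv(cert)       # tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):       # split tbsCertificate into its raw TLV elements
        _, _, end = tlv(tbs, pos)
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:    # drop the EXPLICIT [0] version when present
        fields = fields[1:]
    spki = fields[5]            # serial, sigAlg, issuer, validity, subject, SPKI
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def parse_hpkp(header):
    """Return (set of pin-sha256 values, max-age in seconds or None) from a PKP header."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
    match = re.search(r"max-age=(\d+)", header)
    return pins, (int(match.group(1)) if match else None)

def check_pins(header, chain_der):
    """Mimic the browser rule behind the error: some pinned hash must be in the served chain."""
    pins, max_age = parse_hpkp(header)
    chain_pins = [spki_pin(c) for c in chain_der]
    matched = pins.intersection(chain_pins)
    return {"ok": bool(matched), "matched": sorted(matched), "max_age": max_age,
            "has_backup": bool(pins - set(chain_pins))}  # RFC 7469 requires a spare pin

def sample_cert(spki_der):
    """Constructed certificate-shaped DER (not a real, signed certificate) carrying spki_der."""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")  # version v3, serial 1
           + der(0x30, b"") * 4 + spki_der)  # empty sigAlg, issuer, validity, subject
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

Run check_pins against the header you intend to deploy and the DER of every certificate in your chain before the old certificate expires; "ok" False with a long max_age is exactly the situation that produces this error for returning visitors.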
Do not change your server IP
The mechanisms browsers use for caching may check other factors as well, so it is better to avoid anything that could get you flagged.
Can I use Let’s Encrypt?
No. That would be experimental work. Use a standard, common paid DV SSL/TLS certificate vendor, preferably the one whose certificate you used before.
Can Visitors Ever Visit My Site Normally?
Yes, although there is no guarantee. The problem is quite common among technology blogs because of their experiments. The HSTS list takes around 2 months to be flushed after a removal request; HPKP takes around 90 days in Chrome. Your website will face a kind of jail by Google for 3 months, a kind of simple imprisonment. Meanwhile you can drive traffic with a warning that Google's browsers will show an error, and hope that somehow your domain gets noticed and is flushed more quickly by someone.
HSTS and HPKP are not practical for any kind of website for one basic reason: the webmaster has no manual way to tell browsers that nothing was wrong. Errors with HPKP can destroy a domain forever.