Fix Error ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

Last update: 04/10/2024

Have you run into the error ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN while browsing in Google Chrome? This is not a very common error, but since you have probably encountered it, you have come here looking for a solution.

The error may look slightly different in other browsers, but the responses to this error are the same. If you are the website owner and encountering this error, there is a good chance that you can fix the problem by following some troubleshooting tips.

But make sure that you are not only a regular website owner but also have the technical ability to handle this task. Otherwise, let a professional fix the error for you.

If you encounter this server-side error while visiting a website that is not yours, there is not much you can do. You can still use the tips in this article to try to fix the ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error you have been encountering, so that you have an improved user experience.

What causes the error ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN?

The ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error is a key pinning error. HTTP Public Key Pinning (HPKP) was once considered an excellent security feature, but it has been removed from many modern browsers.

This feature can help a web client bind a particular cryptographic public key to a specific web server. It can reduce the risk of MITM attacks performed with fake certificates.

Because of the complexity involved in pinning keys, only the most technically advanced organizations can do it correctly. If you have been trying to pin keys and you see this error, it is because one of the keys you have pinned does not belong to the SSL certificate you pinned it to.

You cannot change keys. Therefore, in the process of incorrectly pinning keys to the correct certificates, you may end up breaking your entire site. The process is more complicated because in addition to pinning your own keys, you need to pin keys across your entire certificate chain except for the root. You will find the root key in the root stores.

Fixing ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN (for webmasters)

Don't try to pin keys unless you are an expert and confident in what you are doing. It's great if you can do it yourself, as you'll be able to have more control over the public keys used. You'll reduce the risk of hackers cracking the associated private keys. However, the downside is that there is a chance of breaking your entire website if you fail in your attempt.

Solution 1

Perhaps you are facing the error ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN because you have not pinned a key somewhere in the certificate chain, or you have pinned the wrong key to one of the intermediate certificates that help compose your certificate chain.

Please note that web browsers must complete the certificate chain effectively, otherwise they cannot extend trust to an end-user certificate.

In the process, the certificate signatures must be verified using their public keys. Find the offending certificate. You can then look for a copy of your public key by visiting the intermediate CA's website.
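The pin comparison behind this error, as an added example (not code from the original article or from any browser): a pin is the base64-encoded SHA-256 hash of a certificate's SubjectPublicKeyInfo, and the check fails when no pinned hash matches any certificate in the served chain. The SPKI byte strings, chain labels and function names are constructed placeholders; real input would be the DER-encoded public key of each certificate in your chain.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pins_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into its pin set and directives."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        # Split on the first '=' only: base64 pins end in '=' padding.
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def check_chain(policy: dict, chain: list) -> dict:
    """Compare pins with a chain given as (label, spki_der) pairs, leaf first."""
    chain_pins = {spki_pin(spki): label for label, spki in chain}
    matched = sorted(l for pin, l in chain_pins.items() if pin in policy["pins"])
    backups = sorted(policy["pins"] - set(chain_pins))
    return {
        "matched": matched,            # chain certificates whose key is pinned
        "backup_pins": backups,        # pinned keys not present in this chain
        "pin_error": not matched,      # True: no pinned key in the cert chain
        "has_backup": bool(backups),
    }

# Constructed placeholder bytes standing in for real SPKI DER blobs.
OLD_LEAF, NEW_LEAF = b"constructed-leaf-key-1", b"constructed-leaf-key-2"
INTERMEDIATE, BACKUP = b"constructed-intermediate-key", b"constructed-backup-key"

HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
    spki_pin(OLD_LEAF), spki_pin(BACKUP))
POLICY = parse_pins_header(HEADER)
BEFORE_RENEWAL = [("leaf", OLD_LEAF), ("intermediate", INTERMEDIATE)]
AFTER_RENEWAL = [("leaf", NEW_LEAF), ("intermediate", INTERMEDIATE)]  # new key pair

if __name__ == "__main__":
    print(check_chain(POLICY, BEFORE_RENEWAL))
    print(check_chain(POLICY, AFTER_RENEWAL))
```

The second chain models a certificate renewed with a new key pair while the old pins are still being served or remembered, which is the situation that produces the error.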

Solution 2

This tip is highly recommended. Here, you'll need to stop pinning keys. Even experts say that the trouble of pinning keys isn't worth the security you gain, except for the most sophisticated businesses or organizations.

In addition, some browsers, including Google Chrome, either don't support it or plan to remove it. Similarly, rotating certificates and keys regularly will give you the same level of security that key pinning does. You don't have to pin them. Rotating them every 3-6 months is a better solution.

Fix for ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error (for web visitors)

Unfortunately, there is nothing you can do as a web visitor when you encounter the error ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, as it is a server-side error. But you can try the following tips.

Solution 1

This tip is only applicable if the SSL certificate has recently been renewed. Perhaps the pin lifetime chosen by the administrator has outlasted the certificate's expiration date or its renewal. To correct the error, delete the key from the HSTS database in your browser.

To do that:

  • Go to the address bar of Google Chrome and enter the following URL: chrome://net-internals/#hsts
  • Next, enter the domain name that is causing the error under Delete domain security policies and click Delete.

  • Please visit the website again.

Solution 2

There is a trick you can apply, but it is not recommended. Go to the site using the HTTP protocol. In case the website does not force HTTPS with an HSTS header, you might be able to gain access to it. But remember that you will not have any security.

This is not a good idea, as you don't want to compromise your password or payment information. Any data you enter will be easily visible to third parties, likely with malicious intent. What you can do instead is contact the site owner.

Tell them about the ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN problem you are seeing. If the website is genuine, they will take the matter seriously and try to resolve it, as they do not want to lose followers.

Conclusions

The ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error is a server-side error that is rare. But you can try to resolve the error as a website owner by following the troubleshooting tips mentioned above. Or better yet, stop pinning keys. Just rotate them frequently.

For website visitors, there is not much you can do as it is a server-side error that needs to be resolved by the website owner. The best thing you can do is call the website owner and inform them of the problem.

Installing an SSL certificate is the best online security measure you can take today to protect your data, but at the same time, incorrect settings can lead to errors. Don't let these errors stop you from using SSL. Reinstalling the certificate or following some troubleshooting tips can resolve the problem most of the time.

We hope this post is useful for you. If you know another method to put an end to this error, do not hesitate to share it. See you in a future post.