GoDaddy Cert and Chrome Update = Net:Err_certificate_transparency_required
Recent Chrome update rejects valid GoDaddy SSL certs as of this afternoon. Anyone else running into this one? This is GoDaddy's response to the issue
---
We really appreciate your patience and time. To have the better product and user experience a patching update has been rolled out and it is currently under progress. We apologize for any inconvenience this has caused. Unfortunately, the complexity of the work is taking longer than expected and we are unable to provide any estimated time frame. Our engineer team is already working diligently to get the issue resolved at the earliest. We appreciate your patience and understanding in this matter. At present Google chrome version is not compatible with SSL TLS version for all registrars not only GoDaddy so most of sites are affected. So our developers are working with them to resolve the issue on high priority.
---

I got the same response from GD...somehow costco got their site back up...different CA. Thx for posting this reply from GD.

Atlassian posted that it's been resolved for Bitbucket[1]
[1] https://bitbucket.status.atlassian.com/incidents/r6jvgswd238...

They switched over to Let's Encrypt for their cert.

Hi all- I have 2 sites with SSL certs with Godaddy and both started having this exact problem a few hours ago.. only with chrome, works fine in bing and firefox. on windows 10 desktop. I tried costco.com and got the same error. Called Godaddy a minute ago and they said they can't comment on any other customers but said using chrome on his end he could access both my sites and costco without any error. My sites' certs are due to renew in 2 months. Do you think if I rekey them today and install the rekeyed certs that might solve the problem? Thanks! ~Jerry

I was on chat with godaddy and they said that any certs that were issued before June 2020 will not be on any of Google's SCTs and that they will need to be re-keyed. I did that with a new cert as ours was expiring in July and that has fixed it for us. So give re-keying a try.

This is going to be a very annoying thing for us, if true.
Our April 2020 issued Cert expires in July and was on track to roll out a new cert in two weeks. This means we get to push up the timetable and do an out-of-sequence patch roll to address this in over 100 environments. Fun night ahead.

The weird part is, if you click on the error in chrome, it displays the Cert Details, including this wonderful gem:

https://groups.google.com/a/chromium.org/g/ct-policy/c/abPZR...
Pilot and Rocketeer were just shut down, however, I'm surprised this had any impact because the above post says:
> If you are delivering SCTs embedded in the certificate, this should require no action on your part. All previously-issued certificates containing SCTs from these logs that complied with the Chrome CT Policy will continue to do so.

Edit: Ah but if /all/ the logs are retired, it's no longer valid. So if you have two retired google logs + a digicert log that's presumably also retired, the SCTs are no longer acceptable.

My problem is solved for both of my sites. I renewed both certs and uploaded them and each site now loads fine in chrome. Thank you to everyone who posted in this thread. I can now go get a beer!

thx for the info.
My 2 sites' certs are valid from (before June 2020) Set to auto renew in July.
5/9/2020 to 7/7/2022
5/10/2020 to 7/9/2022
I'll try re-keying one of them and see if that solves the problem... based on your info seems that it would. Thank you!

The response I got from Godaddy and worked for us: Chrome retired some CT logs on May 1st. For OLD certificates, that is ones issued sometime before June 2020, they might contain SCTs that have now all been retired by Google. Normally this should not be an issue, but if ALL the SCTs on a certificate are now retired, then it looks like the most recent version of Chrome will not trust it. You need to rekey the SSL by generating a new CSR from hosting plan and then you need to upload the new SSL files in the hosting plan please.

Out of curiosity, do you get any errors in Qualys [1] or TestSSL [2]? Use the checkbox to hide your domain from results on the Qualys site. Testssl is just bash+openssl that runs from your machine.

No issues there for me. Also clear on crt.sh
https://crt.sh/?q=5E+7E+34+26+F0+DB+84+8F+53+5D+3E+A5+63+B2+...

Safari works, but cannot access bitbucket.org in Chrome.

Same here. SSL checks out clean. Safari, Firefox, and older Chrome work just fine. Way to go Google. My customers are livid and evidently getting auto-updated throughout the day.

Yeah, noticed it with Bitbucket and Sendgrid - cannot access their websites from Chrome.

I have a wildcard cert with Godaddy and all the sites with the cert can't be accessed through Chrome. Qualys reports no issues.

Yes my company is. As are Costco and others.

just reported by some of our clients. We have emails sent through sendgrid and the links are throwing this error (assuming sendgrid tracking links use Godaddy SSL).

yes sir, opened a ticket with GoDaddy and they are stating that many people are calling in on this issue within the last few hours our GoDaddy wildcard certificate is getting rejected by Chrome. In the GoDaddy chat queue currently...

we have the same problem, somebody solved?

Certificate Transparency:
SCT Google 'Pilot' log (Embedded in certificate, Verified)
SCT Google 'Rocketeer' log (Embedded in certificate, Verified)
SCT DigiCert Log Server (Embedded in certificate, Verified)
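
The condition GoDaddy support describes in the thread (a certificate whose embedded SCTs all come from retired logs), as an added example that is not part of the original posts: it parses an RFC 6962 SCT list and applies only that one condition, not Chrome's full CT policy. The log IDs, timestamps and the two "hypothetical-active" logs are constructed, and treating the DigiCert log as retired follows one commenter's guess.

```python
import hashlib
import struct

# In a real certificate this list is the value of extension
# 1.3.6.1.4.1.11129.2.4.2, wrapped in a DER OCTET STRING.

def log_id(label):
    # Constructed stand-in; a real log ID is the SHA-256 of the log's public key.
    return hashlib.sha256(label.encode()).digest()

def build_sct_list(log_ids, ts_ms=1589000000000):
    # Constructed input: v1 SCTs, no extensions, dummy 8-byte signature.
    blob = b""
    for lid in log_ids:
        sct = (b"\x00" + lid + struct.pack(">QH", ts_ms, 0)
               + b"\x04\x03" + struct.pack(">H", 8) + bytes(8))
        blob += struct.pack(">H", len(sct)) + sct
    return struct.pack(">H", len(blob)) + blob

def parse_sct_list(data):
    """Return [(log_id, timestamp_ms)] from an RFC 6962 SCT list."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("bad list length")
    out, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack_from(">H", data, pos)
        sct = data[pos + 2:pos + 2 + n]
        if len(sct) != n or n < 47 or sct[0] != 0:
            raise ValueError("truncated or non-v1 SCT")
        out.append((sct[1:33], struct.unpack_from(">Q", sct, 33)[0]))
        pos += 2 + n
    return out

def ct_status(sct_list, retired_ids):
    """Thread's condition only: every SCT from a retired log means rejection."""
    ids = [lid for lid, _ in parse_sct_list(sct_list)]
    if not ids:
        return "no-scts"
    return "all-retired" if all(i in retired_ids for i in ids) else "ok"

# Log names as shown in the thread's certificate details.
RETIRED = {log_id(n) for n in
           ("Google 'Pilot'", "Google 'Rocketeer'", "DigiCert Log Server")}
OLD_CERT = build_sct_list(sorted(RETIRED))
REKEYED = build_sct_list([log_id("hypothetical-active-log-1"),
                          log_id("hypothetical-active-log-2")])

if __name__ == "__main__":
    print("old cert:", ct_status(OLD_CERT, RETIRED))
    print("re-keyed cert:", ct_status(REKEYED, RETIRED))
```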