GoDaddy Cert and Chrome Update = Net:Err_certificate_transparency_required

21 pointsbesus3y ago23 comments

Recent Chrome update rejects valid GoDaddy SSL certs as of this afternoon. Anyone else running into this one?

23 comments

This is GoDaddy's response to the issue --- We really appreciate your patience and time. To have the better product and user experience a patching update has been rolled out and it is currently under progress. We apologize for any inconvenience this has caused. Unfortunately, the complexity of the work is taking longer than expected and we are unable to provide any estimated time frame. Our engineer team is already working diligently to get the issue resolved at the earliest. We appreciate your patience and understanding in this matter.

At present Google chrome version is not compatible with SSL TLS version for all registrars not only GoDaddy so most of sites are effected. So our developers are working with them to resolve the issue on high priority.

biohazard4213y ago

I got the same response from GD...somehow costco got their site back up...different CA.

jerry7777773y ago

Thx for posting this reply from GD.

groundshark3y ago

Atlassian posted that it's been resolved for Bitbucket[1]

[1] https://bitbucket.status.atlassian.com/incidents/r6jvgswd238...

besusOP3y ago

They switched over to Let's Encrypt for their cert.

jerry7777773y ago

Hi all- I have 2 sites with SSL certs with Godaddy and both started having this exact problem a few hours ago.. only with chrome, works fine in bing and firefox. on windows 10 desktop. I tried costco.com and got the same error. Called Godaddy a minute ago and they said they can't comment on any other customers but said using chrome on his end he could access both my sites and costco without any error. My sites' certs are due to renew in 2 months. Do you think if I rekey them today and install the rekeyed certs that might solve the problem? Thanks! ~Jerry

andyco013y ago

I was on chat with godaddy and they said that any certs that were issued before June 2020 will not be on any of Google's SCTs and that they will need to be re-keyed. I did that with a new cert as ours was expiring in July and that has fixed it for us. So give re-keying a try.

InvaderFizz3y ago

This is going to be a very annoying thing for us, if true. Our April 2020 issued Cert expires in July and was on track to roll out a new cert in two weeks. This means we get to push up the timetable and do an out-of-sequence patch roll to address this in over 100 environments.

Fun night ahead.

The weird part is, if you click on the error in chrome, it displays the Cert Details, including this wonderful gem:

    Certificate Transparency:
    SCT Google 'Pilot' log (Embedded in certificate, Verified)
    SCT Google 'Rocketeer' log (Embedded in certificate, Verified)
    SCT DigiCert Log Server (Embedded in certificate, Verified)

1 more reply

jerry7777773y ago

My problem is solved for both of my sites. I renewed both certs and uploaded them and each site now loads fine in chrome. Thank you to everyone who posted in this thread. I can now go get a beer!

jerry7777773y ago

thx for the info. My 2 sites' certs are valid from (before June 2020) Set to auto renew in July. 5/9/2020 to 7/7/2022 5/10/2020 to 7/9/2022

I'll try re-keying one of them and see if that solves the problem... based on your info seems that it would. Thank you!

ivank3y ago

https://twitter.com/__agwa/status/1521283290396864513

andyco013y ago

The response I got from Godaddy and worked for us:

Chrome retired some CT logs on May 1st. For OLD certificates, that is ones issued sometime before June 2020, they might contain SCTs that have now all been retired by Google. Normally this should not be an issue, but if ALL the SCTs on a certificate are now retired, then the it looks like the most recent version of Chrome will not trust it.

You need to rekey the SSL by generating a new CSR from hosting plan and then you need to upload the new SSL files in the hosting plan please.

LinuxBender3y ago

Out of curiosity, do you get any errors in Qualys [1] or TestSSL [2]? Use the checkbox to hide your domain from results on the Qualys site. Testssl is just bash+openssl that runs from your machine.

[1] - https://www.ssllabs.com/ssltest/

[2] - https://github.com/drwetter/testssl.sh.git

paustint3y ago

No issues there for me. Also clear on crt.sh https://crt.sh/?q=5E+7E+34+26+F0+DB+84+8F+53+5D+3E+A5+63+B2+...

Safari works, but cannot access bitbucket.org in Chrome.

besusOP3y ago

Same here. SSL checks out clean. Safari, Firefox, and older Chrome work just fine.

Way to go Google. My customers are livid and evidently getting auto-updated throughout the day.

paustint3y ago

Yeah, noticed it with Bitbucket and Sendgrid - cannot access their websites from Chrome.

joegyoung3y ago

I have a wildcard cert with Godaddy and all the sites with the cert cant be accessed through Chrome. Qualys reports no issues

MBCook3y ago

Yes my company is. As are Costco and others.

codegeek3y ago

just reported by some of our clients. We have emails sent through sendgrid and the links are throwing this error (assuming sendgrid tracking links use Godaddy SSL).

vinnys723y ago

yes sir, opened a ticket with GoDaddy and they are stating that many people are calling in on this issue within the last few hours

biohazard4213y ago

our GoDaddy wildcard certificate is getting rejected by Chrome. In the GoDaddy chat queue currently...

Alajakara3y ago

we have the same problem, somebody solved?

j / k navigate · click thread line to collapse

23 comments

joegyoung3y ago

biohazard4213y ago

I got the same response from GD...somehow costco got their site back up...different CA.

jerry7777773y ago

Thx for posting this reply from GD.

groundshark3y ago

Atlassian posted that it's been resolved for Bitbucket[1]

[1] https://bitbucket.status.atlassian.com/incidents/r6jvgswd238...

besusOP3y ago

They switched over to Let's Encrypt for their cert.

jerry7777773y ago

andyco013y ago

InvaderFizz3y ago

Fun night ahead.

The weird part is, if you click on the error in chrome, it displays the Cert Details, including this wonderful gem:

    Certificate Transparency:
    SCT Google 'Pilot' log (Embedded in certificate, Verified)
    SCT Google 'Rocketeer' log (Embedded in certificate, Verified)
    SCT DigiCert Log Server (Embedded in certificate, Verified)

1 more reply

jerry7777773y ago

My problem is solved for both of my sites. I renewed both certs and uploaded them and each site now loads fine in chrome. Thank you to everyone who posted in this thread. I can now go get a beer!

jerry7777773y ago

thx for the info. My 2 sites' certs are valid from (before June 2020) Set to auto renew in July. 5/9/2020 to 7/7/2022 5/10/2020 to 7/9/2022

I'll try re-keying one of them and see if that solves the problem... based on your info seems that it would. Thank you!

ivank3y ago

https://twitter.com/__agwa/status/1521283290396864513

andyco013y ago

The response I got from Godaddy and worked for us:

You need to rekey the SSL by generating a new CSR from hosting plan and then you need to upload the new SSL files in the hosting plan please.

LinuxBender3y ago

Out of curiosity, do you get any errors in Qualys [1] or TestSSL [2]? Use the checkbox to hide your domain from results on the Qualys site. Testssl is just bash+openssl that runs from your machine.

[1] - https://www.ssllabs.com/ssltest/

[2] - https://github.com/drwetter/testssl.sh.git

paustint3y ago

No issues there for me. Also clear on crt.sh https://crt.sh/?q=5E+7E+34+26+F0+DB+84+8F+53+5D+3E+A5+63+B2+...

Safari works, but cannot access bitbucket.org in Chrome.

besusOP3y ago

Same here. SSL checks out clean. Safari, Firefox, and older Chrome work just fine.

Way to go Google. My customers are livid and evidently getting auto-updated throughout the day.

paustint3y ago

Yeah, noticed it with Bitbucket and Sendgrid - cannot access their websites from Chrome.

joegyoung3y ago

I have a wildcard cert with Godaddy and all the sites with the cert cant be accessed through Chrome. Qualys reports no issues

MBCook3y ago

Yes my company is. As are Costco and others.

codegeek3y ago

just reported by some of our clients. We have emails sent through sendgrid and the links are throwing this error (assuming sendgrid tracking links use Godaddy SSL).

vinnys723y ago

yes sir, opened a ticket with GoDaddy and they are stating that many people are calling in on this issue within the last few hours

biohazard4213y ago

our GoDaddy wildcard certificate is getting rejected by Chrome. In the GoDaddy chat queue currently...

Alajakara3y ago

we have the same problem, somebody solved?

j / k navigate · click thread line to collapse