browsers, security, Uncategorized

Google Internet Authority G3

For some time now, operating behind the scenes and going mostly unnoticed, Google has been changing the infrastructure used to provide HTTPS certificates for its sites and services.

You’ll note that I said mostly. Over the last few months, I’ve periodically encountered complaints from users who try to load a Google site and get an unexpected error page:

certerror

Now, there are a variety of different problems that can cause errors like this one– in most cases, the problem is that the user has some software (security software or malware) installed locally that is generating fake certificates that are deemed invalid for various reasons.

However, when following troubleshooting steps, we’ve determined that a small number of users encountering this NET::ERR_CERT_AUTHORITY_INVALID error page are hitting it for the correct and valid Google certificates that chain through Google’s new intermediate Google Internet Authority G3. That’s weird.

What’s going on?

The first thing to understand is that Google operates a number of different certificate trust chains, and we have multiple trust chains deployed at the same time. So a given user will likely encounter some certificate chains that go through the older Google Internet Authority G2 chain and some that go through the newer Google Internet Authority G3 chain– this isn’t something the client controls.

G2vG3

You can visit this GIA G3-specific test page to see if the G3 root is properly trusted by your system.

More surprisingly, it’s also the case that you might be getting a G3 chain for a particular Google site (e.g. https://mail.google.com) while some other user is getting a G2 chain for the same URL. You might even end up with a different chain simply based on what Google sites you’ve visited first, due to a feature called HTTP/2 connection coalescing.

In order to see the raw details of the certificate encountered on an error page, you can click the error code text on the blocking page. (If the site loaded without errors, you can view the certificate like so).

Google’s new certificate chain is certainly supposed to be trusted automatically– if your operating system (e.g. Windows 7) didn’t already have the proper certificates installed, it’s expected to automatically download the root certificate from the update servers (e.g. Microsoft WindowsUpdate) and install it so that the certificate chain is recognized as trusted. In rare instances, we’ve heard of this process not working– for instance, some network administrators have disabled root certificate updates for their enterprise’s PCs.

On modern versions of Windows, you can direct Windows to check its trusted certificate list against the WindowsUpdate servers by running the following from a command prompt:

certutil -f -verifyCTL AuthRootWU

Older versions of Windows might not support the -verifyCTL command. You might instead try downloading the R2 GlobalSign Root Certificate directly and then installing it in your Trusted Root Certification Authorities:

InstallBtnLocalMachineTrustedRootFinishyay

Overall, the number of users reporting problems here is very low, but I’m determined to help ensure that Chrome and Google sites work for everyone.

-Eric

Standard

33 thoughts on “Google Internet Authority G3

  1. larrylaca says:

    Excellent! Remarks..

    (Editorial) The first thing you need to know…
    (better) A site certificate needs a valid Certificate Path or Issuer chain of site..intermediate..root certificates. (cont..) Google operates…at the same time. The new G3 is a new intermediate and also has a new root.

    So a given user…
    (end of editorial stuff)

    The RootR2.crt file should have GlobalSign in it’s name.

    Installing the new GlobalSign root fixes the Connection Not Private failure, but doesn’t cache the new G3 intermediate. This is only an efficiency hit. I’m guessing the SSL connection gets the new G3 in memory, but fails to save it to the Intermediate store, for the same reason the root is not being saved to the Trusted Root store. Inspecting the cert store with certmgr.msc never sees G3, even when the client automatically installs the root cert, unless G3 is manually installed,

    E.g. my Win10 laptop auto loads the GlobalSign-R2 root, but doesn’t save G3 to the Intermediate store. If I wasn’t debugging this I would never have noticed. GMail works just fine.

    I’ll begin redirecting trouble reports to text/plain. I was going to setup a similar condensed Chrome forum thread. This is much nicer..

    Liked by 1 person

  2. larrylaca says:

    All:

    To check if this fix applies to your problem: click the NET:ERR_CERT_AUTHORITY_INVALID tag,
    to display the diagnostic text,
    if the second PEM block begins: MIIEXDCCA0SgAwIB…
    then installing the new Google root certificate will likely fix the problem.

    Like

  3. larrylaca says:

    Eric
    I just ran a certUtil AuthRootWU test, I did:

    delete the new Google root: GlobalSignGoogleTrustSvcsRootCA-R2
    from certmgr.msc, close the certmgr.
    ran certutil -f -verifyCTL AuthRootWU (as me, with admin privs, but not runAs Admin)
    which updated many, then failed.
    It installed a GlobalSign ECC Root CA – R5, but not the new Google GlobalSign Root CA-R2.

    Accessing GMail then updated the missing Google root -R2.

    The certutil AuthRootWU update may not fix the GMail problem for users..

    Like

  4. larrylaca says:

    Eric:
    I have a user or two who is willing to post a net-export log for the GMail root cert failure. Is there a CR where we can focus the technical discussion?

    Like

  5. larrylaca says:

    Eric: The failed root cert install is affecting: IE & Chome, YouTube ads, text/plain, and a few *.google.countryCode sites.

    As this is a Windows cert management issue, who can help us track this down with Microsoft network stack experience? Are there registry/policy values we should look at?

    E.g. HKLM/Software/Policies/Microsoft/SystemCertificates/
    AuthRoot/DisableRootAutoUpdate

    Like

    • Unfortunately, no, I don’t know anyone at Microsoft that works on this space anymore. The G3 issue likely affects many different Google sites. text/plain does not use a Google certificate and any user having problems reaching this blog likely has a different problem. It will affect any browser that uses the Windows certificate store (so, most browsers other than Firefox).

      Like

  6. nat says:

    Please help

    NET::ERR_CERT_AUTHORITY_INVALID
    Subject: *.google.co.th
    Issuer: Google Internet Authority G3
    Expires on: Jan 9, 2018
    Current date: Oct 30, 2017
    PEM encoded chain:
    —–BEGIN CERTIFICATE—–
    MIIEmjCCA4KgAwIBAgIIQQOo+4ZJLiswDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
    BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
    R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xNzEwMTcxMTAxMjhaFw0x
    ODAxMDkxMDAwMDBaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
    MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgSW5jMRcw
    FQYDVQQDDA4qLmdvb2dsZS5jby50aDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
    AQoCggEBALdGp9fQ2Ful6z+369LILc9qYQvwQk3efw4QLa6J5ynS8IaUJ7qyvkeP
    EGFKD/igLJEELNd2iZK0Yo4ZMGwaqRmQbL5j6QOfDFZjTxEGseHFOtNtQlEZGeHI
    A08elXaCjCKm5yRTqM4abfT2MZaesqQENS79hDdiASeO55Mynxae8l18RFs5g9pr
    gjlVXx1jpN8MPxA/nvvBNQmkETkGC8m0vlMJYEroc+CjIoUu5iQVgIKz8Vq8uOcM
    qZp8cQRUZ4Orri0YEQU5N/OfAnlKV44YP4yBnJxBbDI2F74hoghwEoyqUEWjw9OC
    POMeW/iRlfHvWlgTdUh7AN1AHB8/A2kCAwEAAaOCAVowggFWMB0GA1UdJQQWMBQG
    CCsGAQUFBwMBBggrBgEFBQcDAjAnBgNVHREEIDAegg4qLmdvb2dsZS5jby50aIIM
    Z29vZ2xlLmNvLnRoMGgGCCsGAQUFBwEBBFwwWjAtBggrBgEFBQcwAoYhaHR0cDov
    L3BraS5nb29nL2dzcjIvR1RTR0lBRzMuY3J0MCkGCCsGAQUFBzABhh1odHRwOi8v
    b2NzcC5wa2kuZ29vZy9HVFNHSUFHMzAdBgNVHQ4EFgQUan4jxk2VwITzmWtatEuh
    7Q2OprAwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBR3wrhQmmd2drEtwobQg6B+
    pn66SzAhBgNVHSAEGjAYMAwGCisGAQQB1nkCBQMwCAYGZ4EMAQICMDEGA1UdHwQq
    MCgwJqAkoCKGIGh0dHA6Ly9jcmwucGtpLmdvb2cvR1RTR0lBRzMuY3JsMA0GCSqG
    SIb3DQEBCwUAA4IBAQBBbP+rvRWMQxrFoXUmYc391tMLygLO6yfaFP9PgYIWHQCl
    CZe5pRILayQuDm8w2CLTJ0qPvPBlU3aEUE8m1YyqrLr3aw0q5h6PTWXSb6sjIluP
    DtHXd6FTdW7bQpvtSLqW6OWvuJemiwiRwLn+vyztdi6zWRTryjSDTAD8ud14TRHI
    8mF1veXi5IzF1nTcqgGLvlDWUn0iGmNKXRXL+HkklRmFTKauKpmsgh/2YJVT+aEX
    LDrEXKIjXumiUvIXNZq9/N4ZMK6Dx1wpPHB4SavVtqMV7GH1F+Uhpup+66Txzxj4
    voq/1OCvdq2Q6pa/36gZCxdMGFDgXrgTXZWYWz/r
    —–END CERTIFICATE—–

    Like

  7. larrylaca says:

    Eric: Are we looking at a short fuze? When will other (US) *.google.com servers update to the new intermediate G3 and new root GlobalSign certificates?

    Most of the Chrome forum posts are from google…CountryCode sites – several/day in the Chrome forum, similar rates in external forums (e.g. UC Browser Connection not private:
    http://forum.ucweb.com/search.php?mod=forum,
    search for ‘Connection not private’ )

    Are these rates a pre-cursor to when other servers update to G3?

    There is also a catch-22 aspect: some users cannot post their failures, because their help requests are being blocked by the same failure. Is there a fail-safe, non-HSTS URL for this situation?

    Like

      • larrylaca says:

        OK, confirms my assumption that the GlobalSign R2-CA root cert was in the Microsoft list.

        My understanding of the root cert update process is:
        -client (user), when not in store, back tracks and receives root cert
        -polls microsoft update service to verify cert is in list
        -if OK, install in Trusted Root store (local cache)… continue

        What I meant or was leading up to is:
        is there a way to check that the affected users poll the list OK?

        I believe the windows event is: Windows Log\Application, source CAPI2,
        Event ID 7(OK), 8(fail)
        ref: https://technet.microsoft.com/en-us/library/cc749331(ws.10).aspx

        I have a broken Win7Pro user/tester who receives Win updates regularly (last 10/11),
        who fetches the GMail root R2-CA cert, but fails the install step.
        We’re trying to understand why.

        Like

  8. larrylaca says:

    Eric: I opened CR 787898 11/22 while trying to find another route for a user (SStack) who could not reach text/plain for the same reason (DST root update failed). The CR quickly moved to WontFix, as expected, as this is a user Microsoft config problem.

    Along the way, rsleevi has raised concerns that manually installing a root cert may have downsides when the cert updates in the future. Could you look at the CR comments and weigh in?

    ASFAIK the future risk is minimal, and this is the only recourse we have at this time. If you have any thoughts on a better solution to restoring general windows certificate health, that would be appreciated too. I have yet to find a certutil command that works.

    https://bugs.chromium.org/p/chromium/issues/detail?id=787898

    Like

  9. larrylaca says:

    Per the 9/11 Google Security Blog on Symantec Distrust, Chrome 66 will distrust Symantec and partner (root) certs. Partners include GeoTrust.

    Many *.google.com services use the intermediate Google Internet Authority G2 valid 5/22/17 – 12/31/18 and GeoTrust Global CA, root cert valid 5/20/2002 – 5/20/2022. Does the v66 distrust include these Google services? Examples: {productforums, myaccount, support}.google.com

    Per the article, DevTools is already providing alerts for the target certs.
    What do the alerts look like?
    Is there a demo server, like badSSL, that will trigger the alerts?

    9/11 Security Blog:
    https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

    Like

    • I don’t think there’s a specific Symantec-deprecation test site, but you can see the warnings in Chrome’s Developer Tools console by visiting many popular sites, e.g. load https://www.1800flowers.com/

      As the GeoTrust-rooted certs used by the Google sites you’re listed don’t light up the warning, my assumption is that the GeoTrust root wasn’t one of the ones that had poor validation practices and thus it’s not subject to the change.

      Like

  10. Heidi says:

    This is great if you’re on a PC, though not thrilled about doing it on the 6 computes used in my house, but what about the 4 tablets and 3 mobile phones?

    Like

    • This problem rarely occurs on a single device. If you’re seeing it on multiple devices, it’s very likely that you have a different problem entirely.

      Like

      • Heidi says:

        It is concurring on every device used in our house. So far this is the closest I’ve come to any solution and as much as I’ve been a fan of Chrome other than searching for a new web browser I’m at a loss. Perhaps Chronium will not have the problem, though that only helps a few of them, luckily the computers most often used, and the mobile device can be left not connected to the network unless printing.

        Like

  11. Eric J. Medina says:

    I am using a HP 2000 Notebook PC with Windows 10 Home Version 1511 OS build 10586.633…

    I get this error message:

    Your connection is not private

    Attackers might be trying to steal your information from mail.google.com (for example, passwords, messages, or credit cards). Learn more
    NET::ERR_CERT_AUTHORITY_INVALID
    Subject: mail.google.com
    Issuer: Google Internet Authority G3
    Expires on: Feb 8, 2018
    Current date: Dec 5, 2017

    Like

  12. Gina says:

    Hi, i have the same error but when I go to check certification path it is not G2 or G3 but DST root CA X3. What should I do then? when i go to chrome settings -> manage certificates i can see that http://www.google.com is in the untrusted publishers tab. maybe if I could remove google.com from there it will solve my problem, but i do not know how to do it.

    Like

  13. Farhad says:

    Hi, please help me, windows 7 64 bit, Version Chrome 63.0.3239.132 ( 64bit)
    PEM encoded chain:
    —–BEGIN CERTIFICATE—–
    MIIEqzCCA5OgAwIBAgIIbzP+2qo1TYowDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
    BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
    R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xODAxMTYwOTUzMDRaFw0x
    ODA0MTAwODQzMDBaMGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
    MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgSW5jMRgw
    FgYDVQQDDA8qLmdvb2dsZS5jb20ucnUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
    ggEKAoIBAQDJc+8r4UhsoaZDoauDQN1z0ThtG6zn6vVjpQPa8ULB3OJvOE/zLxjb
    74Xr0R3cLBv1HP9tZNsCYDEcIUtGsefip2U3fJGIv4j/CXgoQlA2BgpQvugqvxB1
    ui0YAToh2Fhoe+ZzdyEAuPQ7NBQacNn/LCRb96DtgpqmDJm5FU9vnXPp5oQsBOfQ
    1uRxB/H34zgP+UVWHuqzLY3k3ZwASq1t7s0OZ5KXZCcF/8akcFQt7V5XJLJvYV0e
    WL8xGdu7LuUWLmg54Cm2U8UudbnLf6Y6OyII4+bYF8WMVlaOWK7dfPmSNMsLxvZL
    sJcy8wfbdEvuioRnR/Nzfupujju5b60zAgMBAAGjggFqMIIBZjATBgNVHSUEDDAK
    BggrBgEFBQcDATBBBgNVHREEOjA4gg8qLmdvb2dsZS5jb20ucnWCCyouZ29vZ2xl
    LnJ1gg1nb29nbGUuY29tLnJ1gglnb29nbGUucnUwaAYIKwYBBQUHAQEEXDBaMC0G
    CCsGAQUFBzAChiFodHRwOi8vcGtpLmdvb2cvZ3NyMi9HVFNHSUFHMy5jcnQwKQYI
    KwYBBQUHMAGGHWh0dHA6Ly9vY3NwLnBraS5nb29nL0dUU0dJQUczMB0GA1UdDgQW
    BBRXEj6L8nYMkL+7/VUGm2mEHkynIjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaA
    FHfCuFCaZ3Z2sS3ChtCDoH6mfrpLMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIFAzAI
    BgZngQwBAgIwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovL2NybC5wa2kuZ29vZy9H
    VFNHSUFHMy5jcmwwDQYJKoZIhvcNAQELBQADggEBAJsaTOWLE5nZQq4bVM+6wiqS
    qXadaxwLEOvEYzOAe0CiQkVUXL08vHYcLeVYsUfQtaiJGaj/iSRdlOxK9VwUSUOp
    1tqDaaprv7/nfrd4lQ4L257nUHkCham+Qq9onZrai9yU2DEFAcBsCNOjCnDPz3r7
    PRw9r/Cqw2IpCy7U/MgCWF/9woL7KaEv2zJJHzWX9dnJhssuO3J4CN8NI2DN0tr0
    JBwR0eSUvHDzJZWE+4nf1qmBxpNPLmak7qW3EHcXcGU9yx2++4dMhTCyMkVLXbQg
    v/IHdmSnNgh8uurYt6Y4zUExornxp0AwXpneMus/EdmlhggKXXUtd0eMbbvR5as=
    —–END CERTIFICATE—–
    —–BEGIN CERTIFICATE—–
    MIIEXDCCA0SgAwIBAgINAeOpMBz8cgY4P5pTHTANBgkqhkiG9w0BAQsFADBMMSAw
    HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs
    U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy
    MTUwMDAwNDJaMFQxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg
    U2VydmljZXMxJTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzMw
    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKUkvqHv/OJGuo2nIYaNVW
    XQ5IWi01CXZaz6TIHLGp/lOJ+600/4hbn7vn6AAB3DVzdQOts7G5pH0rJnnOFUAK
    71G4nzKMfHCGUksW/mona+Y2emJQ2N+aicwJKetPKRSIgAuPOB6Aahh8Hb2XO3h9
    RUk2T0HNouB2VzxoMXlkyW7XUR5mw6JkLHnA52XDVoRTWkNty5oCINLvGmnRsJ1z
    ouAqYGVQMc/7sy+/EYhALrVJEA8KbtyX+r8snwU5C1hUrwaW6MWOARa8qBpNQcWT
    kaIeoYvy/sGIJEmjR0vFEwHdp1cSaWIr6/4g72n7OqXwfinu7ZYW97EfoOSQJeAz
    AgMBAAGjggEzMIIBLzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUH
    AwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHfCuFCa
    Z3Z2sS3ChtCDoH6mfrpLMB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYu
    MDUGCCsGAQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdv
    b2cvZ3NyMjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dz
    cjIvZ3NyMi5jcmwwPwYDVR0gBDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYc
    aHR0cHM6Ly9wa2kuZ29vZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEA
    HLeJluRT7bvs26gyAZ8so81trUISd7O45skDUmAge1cnxhG1P2cNmSxbWsoiCt2e
    ux9LSD+PAj2LIYRFHW31/6xoic1k4tbWXkDCjir37xTTNqRAMPUyFRWSdvt+nlPq
    wnb8Oa2I/maSJukcxDjNSfpDh/Bd1lZNgdd/8cLdsE3+wypufJ9uXO1iQpnh9zbu
    FIwsIONGl1p3A8CgxkqI/UAih3JaGOqcpcdaCIzkBaR9uYQ1X4k2Vg5APRLouzVy
    7a8IVk6wuy6pm+T7HT4LY8ibS5FEZlfAFLSW8NwsVz9SBK2Vqn1N0PIMn5xA6NZV
    c7o835DLAFshEWfC7TIe3g==
    —–END CERTIFICATE—–
    —–BEGIN CERTIFICATE—–
    MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
    A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
    Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
    MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
    A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
    hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
    v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
    eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
    tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
    C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
    zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
    mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
    V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
    bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
    3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
    J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
    291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
    ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
    AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
    TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
    —–END CERTIFICATE—–

    Like

    • This appears to be a legitimate certificate. What problem are you encountering specifically? (What URL are you visiting, and what error code is shown in the page?)

      Like

  14. larrylaca says:

    Eric – Looks like some India Rail (IRCTC) users are stumbling on a failed root cert update on old Android phones (4.4.4). Any suggestions? Look here
    https://productforums.google.com/forum/#!topic/chrome/Np-f9eQ3_ek

    It’s a short thread. Pretty easy to digest, except the term used for reply is ‘revert’

    I’m hard pressed to believe that this root cert valid from 8/1/13 is causing a problem today, but it’s hard to argue with Dharmesh’s screenshot.

    Like

    • larrylaca says:

      IRCTC resolved the root cert issue 4/17 by changing (again) to use an older cert: DigiCert High Assurance EV Root CA issued 11/9/06

      Like

  15. larrylaca says:

    Eric: It looks like other Google services are upgrading to the Google Internet Authority G3 (GIA G3) intermediate cert, in the last few days (since 4/2). And this means the new GlobalSign Root CA-R2 root.

    The Chrome Help forum is now using GIA G3, but the Google Drive forum is still GIA G2.
    http://www.google.com (search) switched, first in some of the country code sites like http://www.google.com.hk and http://www.google.se, and now in the US.

    Users with an uninstalled GlobalSign Root CA-R2 root cert will no longer be able to reach the forum with their Authority_Invalid problems.. a real catch-22.

    Suggestions?

    P.S. This Chrome Help Forum thread is a prime example. When the OP started with a http://www.google.se GIA G3 problem, the forum was still reachable via the old GIA G2. It took a couple of attempts and several posts for them to get the GlobalSign R2 root installed. The last redo instructions were yesterday 4/5 with GIA G2. Their ‘it works’ confirmation came today via GIA G3, just hours after they fixed their GS R2 problem.
    https://productforums.google.com/forum/#!msg/chrome/DojLqwgDEHY/Onek99huAwAJ

    Like

    • > Suggestions?
      I’m not really sure what you’re asking; in general, Windows installs root certificates on an on-demand basis. It’s always been the case that a user with a sufficiently broken system may be blocked from reading HTTPS Help articles; Chrome recently took a change to include more in-product help to address the scenario where the user’s got HTTPS problems and cannot reach the help center.

      Like

      • larrylaca says:

        Thanks. I was looking for suggestions when users cannot reach the Help forum (or HTTPS Help articles). Where can I see an example of the improved Chrome in-product help, when the help center is not reachable?

        Like

  16. larrylaca says:

    Eric (Suggestions): Would it be worthwhile for Google to email all active Google Chrome users without GMail accounts to test the GlobalSign Root CA-R2 root, and if they have problems redirect to Chrome Forum or other help, before they are cutoff with the root cert change?

    This is not unprecedented. When Supervised Users was deactivated abruptly Jan 2018, there was a warning email sent 1/8/18.

    Gmail users will have already seen the problem, if present, already had a chance to get help and can be excluded.

    Limiting the list to active Chrome users eliminates historic stale accounts.

    I’m sure there are many other privacy and branding issues to be considered.
    Just a suggestion.

    Like

      • Larry Seward says:

        Re: ‘Google does not have email addresses’ – I’d settle for the active users who signin with a Google account. I assume Google has access to the account email addresses since the email address is used for origination and subsequent signin.

        Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s