I have a HAProxy / stunnel server that handles SSL for our sites on AWS. During testing, I created a self-signed cert on this server and hit it from my desktop using Chrome to test that stunnel was working correctly.
Now I have installed the legitimate cert on that server. When I hit the site from my machine in Chrome it throws the following error:
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
My guess is that Chrome cached the key for the self-signed cert and it doesn’t match that of the legitimate cert. This site works in all other browsers on my machine so it’s just a Chrome problem.
One interesting note: When hitting the page from a incognito session (Ctrl+Shift+N), it works correctly. So it is clearly some sort of cache thing.
I did all the things I could think of (dumped my cache, deleted certs from the Personal and Other People page in the Manage Certificates dialog, Ctrl+F5, etc.).
My machine is Windows 7 x64. Chrome version: 12.0.742.91.
On the Google Chrome Help Form, there is a description of what sounds like the same issue; however, no resolution is found.
UPDATE: It seems to have “fixed itself” today. I hate problems like this. I still don’t know what caused it or how it resolved itself. Presumably the cached cert expired or something, but I am still interested to know where this information is stored and how to verify it.
Chrome stores SSL certificate state per host in browser history.
So just clear browser history (
Ctrl+Shift+Del), at least the following parts:Solution 2. If the above doesn't help, try this:
chromebackground processes%USERPROFILE%/AppData/Local/Google/Chrome/User Data/CertificateTransparencyMany problems with SSL certificates can be solved by simply removing the file from the cache folder.
In Chrome or Chromium, the file to be removed is
cert9.dbin the folder~/.pki/nssdb. (In Firefox, you’d want to removecert8.db.)Attention! After removing these files, you will need to re-register CAs in your browser.
This is solution is for linux systems, the steps for Windows users would be somewhat different.
As far as I know, certificates are not specific to Google Chrome (at least on Windows) but to the whole system. You’ve already deleted that cert through Chrome’s interface, so it should gone.
Just to be certain, you could try.
Another tool to try is CCleaner. It should help with better cleaning of Chrome’s caches.
For Windows 10, there is a way to clear only OCSP and CRL information without clearing Chrome history.
More details can be found from Mr. Dimcev's blog post http://www.carbonwind.net/blog/post/Viewing-clearing-and-disabling-the-OCSP-and-CRL-cache-on-Windows-7.aspx
Running the suggested
certutil -urlcache ocsp deleteis likely to result inFAILED: 0x80070020 (WIN32: 32 ERROR_SHARING_VIOLATION)if Chrome is running.I confirmed this worked for me on Windows 10:
In Windows:
Internet Options/Properties > Content > Clear SSL state
Then type in any address bar:
chrome://restartYou don't need to clear your entire history.
More accurate way:
Ctrl+Shift+Del ( or Settings > Advanced > Clear browsing data )
[ Time range: All time ]
press: Clear data