When testing scirra.com's SSL implementation (SSL Labs Report), we observe an interesting discrepancy: Chrome displays certificate warnings while Firefox and IE properly recognize the EV SSL. This typically indicates one of several potential configuration issues.
The most common culprits for Chrome-specific SSL validation failures include:
- Missing intermediate certificates in the chain
- SHA-1 signatures in the certificate chain
- Certificate Transparency (CT) log requirements not met
- Incorrect Subject Alternative Name (SAN) configurations
Here's how to verify your server's certificate chain completeness using OpenSSL:
openssl s_client -connect scirra.com:443 -showcerts
For Apache servers, ensure your configuration includes the full chain:
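SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/private.key
# Apache 2.4.8 and later: SSLCertificateChainFile is deprecated; append the
# intermediates to the SSLCertificateFile file instead.
SSLCertificateChainFile /path/to/intermediate.crt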
Modern Chrome versions enforce stricter requirements than other browsers. Key checks include:
// JavaScript snippet to detect certificate errors
// Note: chrome.loadTimes() is deprecated and reports only protocol negotiation.
// Page script cannot read certificate errors, so treat the warning as a hint only.
window.addEventListener('load', function() {
  if (window.chrome && window.chrome.loadTimes) {
    const loadTimes = window.chrome.loadTimes();
    if (loadTimes && loadTimes.wasFetchedViaSpdy === false && loadTimes.wasNpnNegotiated === false) {
      console.warn('Potential SSL handshake issues detected');
    }
  }
});
Chrome requires EV certificates to be logged in Certificate Transparency logs. Verify your CT compliance:
# Using crt.sh to check CT logs
# crt.sh indexes CT logs; entries returned for the domain are logged certificates
curl -s "https://crt.sh/?q=scirra.com&output=json"
For Nginx servers experiencing similar issues:
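# ssl_certificate must contain the server certificate followed by the intermediates
ssl_certificate /etc/ssl/certs/scirra_com.crt;
ssl_certificate_key /etc/ssl/private/scirra_com.key;
# ssl_trusted_certificate is used to verify OCSP responses; it is not sent to clients
ssl_trusted_certificate /etc/ssl/certs/scirra_com.ca-bundle;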
Remember to always restart your web server after making changes:
sudo systemctl restart nginx
# or for Apache
sudo systemctl restart apache2
When Chrome flags an Extended Validation (EV) SSL certificate as invalid while other browsers accept it, we're typically looking at one of these scenarios:
// Example: Checking certificate chain in Node.js
const https = require('https');

const options = {
  hostname: 'scirra.com',
  port: 443,
  method: 'GET',
  // Fail on chains Node cannot validate; Node does not apply Chrome's CT policy
  rejectUnauthorized: true
};

const req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
});

req.on('error', (e) => {
  console.error('Certificate validation failed:', e);
});

req.end();
From the SSL Labs report, we can identify several potential technical culprits:
- Missing intermediate certificates in the chain
- Certificate Transparency (CT) log requirements not met
- SHA-1 signatures in the chain (deprecated in Chrome)
- OCSP stapling configuration issues
To inspect the certificate chain like Chrome does:
# openssl x509 decodes only the first certificate in the output (the leaf)
openssl s_client -connect scirra.com:443 -servername scirra.com -showcerts < /dev/null | openssl x509 -text -noout
Compare the output with Firefox's certificate viewer to spot discrepancies in the chain.
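As an added example (not from the original page), the following Node.js code parses the `Certificate chain` section of raw `openssl s_client -showcerts` output, taken before any pipe into `openssl x509`, and flags a leaf-only chain, mis-ordered certificates and SHA-1 signatures. The function names, the `SAMPLE` text and the reliance on the `sigalg:` line printed by OpenSSL 3.x are assumptions of the example.

```javascript
// Added example, not from the original page. SAMPLE is constructed output in the
// format `openssl s_client -showcerts` prints; all names in it are made up.
const SAMPLE = [
  'CONNECTED(00000003)',
  '---',
  'Certificate chain',
  ' 0 s:C = GB, O = Example Ltd, CN = www.example.test',
  '   i:C = US, O = Example CA, CN = Example EV Issuing CA',
  '   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256',
  '-----BEGIN CERTIFICATE-----',
  '(base64 omitted)',
  '-----END CERTIFICATE-----',
  '---',
  'Server certificate',
].join('\n');

// Collect subject, issuer and (OpenSSL 3.x only) signature algorithm per sent cert.
function parseChain(text) {
  const certs = [];
  let inChain = false;
  for (const line of text.split(/\r?\n/)) {
    if (/^Certificate chain/.test(line)) { inChain = true; continue; }
    if (!inChain) continue;
    if (/^---\s*$/.test(line)) break; // the section ends at the next "---"
    const cur = certs[certs.length - 1];
    let m;
    if ((m = line.match(/^\s*(\d+) s:(.*)$/))) certs.push({ depth: Number(m[1]), subject: m[2].trim(), issuer: '', sigalg: '' });
    else if (cur && (m = line.match(/^\s+i:(.*)$/))) cur.issuer = m[1].trim();
    else if (cur && (m = line.match(/sigalg:\s*(\S+)/))) cur.sigalg = m[1];
  }
  return certs;
}

// Heuristic checks for two causes the page lists: missing intermediates and SHA-1.
function auditChain(text) {
  const certs = parseChain(text);
  if (certs.length === 0) return { certs, problems: ['no certificate chain section found'] };
  const problems = [];
  certs.forEach((c, n) => {
    const next = certs[n + 1];
    if (next && c.issuer !== next.subject) problems.push(`cert ${c.depth}: issuer is not the subject of cert ${next.depth}`);
    if (/sha1/i.test(c.sigalg) && c.subject !== c.issuer) problems.push(`cert ${c.depth}: SHA-1 signature (${c.sigalg})`);
  });
  if (certs.length === 1 && certs[0].subject !== certs[0].issuer) problems.push('only the leaf was sent: intermediates missing');
  return { certs, problems };
}

console.log(auditChain(SAMPLE).problems);
```

A leaf issued directly by a root would also trip the leaf-only check, so treat that finding as a prompt to inspect the served chain rather than as proof.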
Recent Chrome versions enforce stricter rules for EV certificates:
# Example of checking CT logs via API
curl "https://ct.googleapis.com/logs/argon2020/ct/v1/get-entries?start=0&end=0"
The server configuration should include all intermediate certificates:
# Nginx example
ssl_certificate /path/to/fullchain.pem; # primary cert + intermediates
ssl_certificate_key /path/to/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
After making changes, verify with these tools:
# Check certificate installation
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /path/to/cert.pem
# Test OCSP stapling
openssl s_client -connect scirra.com:443 -status < /dev/null 2>&1 | grep -A 17 'OCSP response'