SOLVED

Certifcate Errors only in Edge Insider

%3CLINGO-SUB%20id%3D%22lingo-sub-1099276%22%20slang%3D%22en-US%22%3ECertifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1099276%22%20slang%3D%22en-US%22%3E%3CP%3EOn%20a%20number%20of%20sites%2C%20I%20get%20a%20certificate%20error%2C%20%3CSPAN%3ENET%3A%3AERR_CERT_COMMON_NAME_INVALID.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20sites%20work%20fine%20in%20IE%2C%20Chrome%2C%20Firefox%20and%20old%20Edge%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EFor%20example%20if%20I%20go%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmyapplications.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmyapplications.microsoft.com%2F%3C%2FA%3E%2C%20I%20get%20the%20error%20and%20the%20certifcate%20is%20issued%20to%20graph.windows.net.%20If%20I%20go%20to%20Engadget%20it%20redirects%20me%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fconsent.yahoo.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fconsent.yahoo.com%2F%3C%2FA%3E%26nbsp%3Band%20i%20get%20the%20error%20and%20the%20cert%20is%20for%26nbsp%3Bguce.oath.com%20with%20no%20SAN%20for%20the%20orginal%20site.%20There%20are%20other%20example%20to.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWhy%20is%20this%20just%20an%20issue%20in%20Edge%20Chromium%20(running%20Dev%20channel%2081)%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1099349%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1099349%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F92295%22%20target%3D%22_blank%22%3E%40Andrew%20Sparks%3C%2FA%3E%26nbsp%3BThis%20was%20an%20error%20I%20received%20regularly%2C%20on%20this%20and%20the%20previous%20version%20of%20Dev%20on%20particular%20sites.%20What%20worked%20for%20me%20was%20to%20Reset%20Settings%20to%20default%2C%20and%20Clear%20All%20Browsing%20Data.%20All%20I%20kept%20was%20my%20Passwords.%20After%20restarting%20I%20could%20access%20those%20sites%20without%20a%20problem.%3C%2FP%3E%3CH2%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%3E%26nbsp%3B%3C%2FH2%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1099825%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1099825%22%20slang%3D%22en-US%22%3EHi%2C%3CBR%20%2F%3Etry%20disabling%20your%20extensions%2C%20see%20if%20it%20changes%20anything%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1105006%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1105006%22%20slang%3D%22en-US%22%3E%3CP%3Ethanks%20both%20for%20the%20replies%2C%20unfortuenly%20neither%20of%20these%20have%20worked%2C%20even%20updating%20to%26nbsp%3B%3CSPAN%3EVersion%2081.0.381.0%20(Official%20build)%20dev%20(64-bit)%20has%20not%20resolved%20the%20issue%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1105430%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1105430%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F92295%22%20target%3D%22_blank%22%3E%40Andrew%20Sparks%3C%2FA%3E%26nbsp%3BNot%20sure%20if%20this%20would%20help%20or%20not%2C%20but%20to%20get%20to%20my%20work's%20myapplications%20site%2C%20I%20had%20to%20log%20in%20using%20my%20work%20ID%20(e-mail%20and%20password)%2C%20as%20opposed%20to%20my%20personal%20user%20ID%2Fpassword.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1107431%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1107431%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F510944%22%20target%3D%22_blank%22%3E%40bradmacdonald%3C%2FA%3E%26nbsp%3BThanks%20but%20I%20need%20to%20use%20my%20work%20account%20as%20I'm%20tetsing%20the%20new%20workspaces.%20myapps%20works%20but%20the%20new%20experience%20myapplications.microsoft.com%20gives%20the%20cert%20error.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20I%20said%20all%20work%20fine%20in%20Chrome%2C%20IE%2C%20Firefox%20and%20the%20old%20edge%2C%20so%20I%20will%20have%20to%20use%20one%20of%20them%20for%20now%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1130829%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130829%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F317619%22%20target%3D%22_blank%22%3E%40ericlaw%3C%2FA%3E%26nbsp%3BOh%20my%2C%20you%20are%20good!%20We%20are%20using%20Zscaler%20and%20I've%20updated%20this%20weekend%20to%26nbsp%3B%3CSPAN%3EVersion%2081.0.396.0%20and%20its%20working%20again.%20Thanks!%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1128080%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1128080%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F92295%22%20target%3D%22_blank%22%3E%40Andrew%20Sparks%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20report!%20This%20issue%20should%20be%20fixed%20by%20now%2C%20as%20Edge%20Dev%20should%20contain%20the%20workaround%2Ffix.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUsing%20my%20psychic%20debugging%20skills%2C%20I%20predict%20that%20your%20network%20has%20deployed%20a%20ZScaler%20network%20interception%20device.%20If%20you're%20still%20on%20a%20build%20with%20the%20problem%2C%20try%20upgrading.%20If%20you%20can't%20for%20whatever%20reason%2C%20as%20a%20workaround%2C%20try%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20Close%20all%20Edge%20instances.%3C%2FP%3E%0A%3CP%3E2.%20Win%2BR%20and%20run%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%20%26nbsp%3Bmsedge.exe%26nbsp%3B%3CSPAN%3E--disable-features%3DPostQuantumCECPQ%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E3.%20Retry%20the%20sites.%3CBR%20%2F%3E%3CBR%20%2F%3ETechnical%20explanation%3A%3CBR%20%2F%3EThese%20ZScaler%20devices%20attempt%20to%20parse%20the%20ClientHello%20TLS%20message%20before%20sending%20the%20request%20to%20the%20target%20server.%20However%2C%20if%20a%20ClientHello%20message%20spans%20multiple%20packets%20(as%20will%20happen%20when%20the%20request%20is%20large)%20the%20ZScaler%20device%20does%20not%20see%20the%20ServerNameIndicator%20TLS%20extension%20in%20the%20client%20hello%20and%20fails%20to%20send%20that%20extension%20to%20the%20target%20server.%20As%20a%20consequence%20the%20target%20server%20gets%20a%20request%20without%20the%20SNI%20telling%20it%20what%20certificate%20to%20return%20to%20the%20client%2C%20and%20depending%20on%20the%20configuration%2C%20it%20sends%20the%20wrong%20certificate%2C%20meaning%20that%20the%20hostname(s)%20in%20the%20certificate%20do%20not%20match%20the%20URL%20requested%2C%20leading%20to%20the%20security%20error%20message.%3CBR%20%2F%3E%3CBR%20%2F%3ENow%2C%20why%20did%20the%20ClientHello%20messages%20start%20getting%20large%3F%20There%20was%20an%20experiment%20(see%20%3CA%20href%3D%22https%3A%2F%2Fcrbug.com%2F1028602%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcrbug.com%2F1028602%3C%2FA%3E)%20that%20resulted%20in%20the%20key_share%20TLS%20extension%20growing%20by%20~1200%20bytes%2C%20causing%20the%20ClientHello%20to%20grow%20bigger%20than%20what%20could%20fit%20in%20one%20TCP%2FIP%20packet.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EWhat's%20next%3A%3C%2FP%3E%0A%3CP%3E1.%20Zscaler%20is%20working%20on%20a%20fix%20for%20their%20software.%20Your%20network%20admins%20will%20need%20to%20deploy%20the%20update%20when%20available.%3C%2FP%3E%0A%3CP%3E2.%20T%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3Ehe%20reason%20that%20it%20doesn't%20repro%20in%20Edge%20Stable%20is%20that%20the%20regression%20landed%20in%20Chromium%2080.0.3967.0%2C%20and%20the%20reason%20it%20doesn't%20repro%20in%20Edge%20Dev%2FCanary%20is%20it%20was%20disabled%20in%20%3CSTRONG%3E81.0.4021.0%3C%2FSTRONG%3E.%20%3CBR%20%2F%3EFor%20Edge%2080%20Beta%2C%20it%20was%20fixed%20in%20Edge%20Beta%20v80.0.361.33%20because%20that%20uses%20Chromium%20v80.0.3987.53.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

On a number of sites, I get a certificate error, NET::ERR_CERT_COMMON_NAME_INVALID.

 

The sites work fine in IE, Chrome, Firefox and old Edge

 

For example if I go to https://myapplications.microsoft.com/, I get the error and the certifcate is issued to graph.windows.net. If I go to Engadget it redirects me to https://consent.yahoo.com/ and i get the error and the cert is for guce.oath.com with no SAN for the orginal site. There are other example to.

 

Why is this just an issue in Edge Chromium (running Dev channel 81)?

8 Replies
Highlighted

@Andrew Sparks This was an error I received regularly, on this and the previous version of Dev on particular sites. What worked for me was to Reset Settings to default, and Clear All Browsing Data. All I kept was my Passwords. After restarting I could access those sites without a problem.

 

Highlighted
Hi,
try disabling your extensions, see if it changes anything
Highlighted

thanks both for the replies, unfortuenly neither of these have worked, even updating to Version 81.0.381.0 (Official build) dev (64-bit) has not resolved the issue

Highlighted

@Andrew Sparks Not sure if this would help or not, but to get to my work's myapplications site, I had to log in using my work ID (e-mail and password), as opposed to my personal user ID/password.

Highlighted

@bradmacdonald Thanks but I need to use my work account as I'm tetsing the new workspaces. myapps works but the new experience myapplications.microsoft.com gives the cert error.

 

As I said all work fine in Chrome, IE, Firefox and the old edge, so I will have to use one of them for now

Highlighted
Best Response confirmed by Andrew Sparks (Contributor)
Solution

@Andrew Sparks Thanks for the report! This issue should be fixed by now, as Edge Dev should contain the workaround/fix.

 

Using my psychic debugging skills, I predict that your network has deployed a ZScaler network interception device. If you're still on a build with the problem, try upgrading. If you can't for whatever reason, as a workaround, try:

 

1. Close all Edge instances.

2. Win+R and run

 

   msedge.exe --disable-features=PostQuantumCECPQ

 

3. Retry the sites.

Technical explanation:
These ZScaler devices attempt to parse the ClientHello TLS message before sending the request to the target server. However, if a ClientHello message spans multiple packets (as will happen when the request is large) the ZScaler device does not see the ServerNameIndicator TLS extension in the client hello and fails to send that extension to the target server. As a consequence the target server gets a request without the SNI telling it what certificate to return to the client, and depending on the configuration, it sends the wrong certificate, meaning that the hostname(s) in the certificate do not match the URL requested, leading to the security error message.

Now, why did the ClientHello messages start getting large? There was an experiment (see https://crbug.com/1028602) that resulted in the key_share TLS extension growing by ~1200 bytes, causing the ClientHello to grow bigger than what could fit in one TCP/IP packet. 

What's next:

1. Zscaler is working on a fix for their software. Your network admins will need to deploy the update when available.

2. The reason that it doesn't repro in Edge Stable is that the regression landed in Chromium 80.0.3967.0, and the reason it doesn't repro in Edge Dev/Canary is it was disabled in 81.0.4021.0.
For Edge 80 Beta, it was fixed in Edge Beta v80.0.361.33 because that uses Chromium v80.0.3987.53.

Highlighted

@ericlaw Oh my, you are good! We are using Zscaler and I've updated this weekend to Version 81.0.396.0 and its working again. Thanks!

Highlighted

@ericlaw 

Hi,

I am on Version 84.0.522.52 (Official build) (64-bit) but still, I am getting the error. But after some seconds of showing error page, it redirects me to the page but not always. Sometimes many ajax requests from the site gets failed. I tried clearing my 4 weeks browsing data as well.

 

The page I am trying to access is my community page created on Tribe and later I got the URL changed through CNAME mapping at my domain.

Is it Microsoft edge issue or tribe's or my CNAME configurations? Please help.