Home

Certifcate Errors only in Edge Insider

%3CLINGO-SUB%20id%3D%22lingo-sub-1099276%22%20slang%3D%22en-US%22%3ECertifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1099276%22%20slang%3D%22en-US%22%3E%3CP%3EOn%20a%20number%20of%20sites%2C%20I%20get%20a%20certificate%20error%2C%20%3CSPAN%3ENET%3A%3AERR_CERT_COMMON_NAME_INVALID.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20sites%20work%20fine%20in%20IE%2C%20Chrome%2C%20Firefox%20and%20old%20Edge%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EFor%20example%20if%20I%20go%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmyapplications.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmyapplications.microsoft.com%2F%3C%2FA%3E%2C%20I%20get%20the%20error%20and%20the%20certifcate%20is%20issued%20to%20graph.windows.net.%20If%20I%20go%20to%20Engadget%20it%20redirects%20me%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fconsent.yahoo.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fconsent.yahoo.com%2F%3C%2FA%3E%26nbsp%3Band%20i%20get%20the%20error%20and%20the%20cert%20is%20for%26nbsp%3Bguce.oath.com%20with%20no%20SAN%20for%20the%20orginal%20site.%20There%20are%20other%20example%20to.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWhy%20is%20this%20just%20an%20issue%20in%20Edge%20Chromium%20(running%20Dev%20channel%2081)%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1099349%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1099349%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F92295%22%20target%3D%22_blank%22%3E%40Andrew%20Sparks%3C%2FA%3E%26nbsp%3BThis%20was%20an%20error%20I%20received%20regularly%2C%20on%20this%20and%20the%20previous%20version%20of%20Dev%20on%20particular%20sites.%20What%20worked%20for%20me%20was%20to%20Reset%20Settings%20to%20default%2C%20and%20Clear%20All%20Browsing%20Data.%20All%20I%20kept%20was%20my%20Passwords.%20After%20restarting%20I%20could%20access%20those%20sites%20without%20a%20problem.%3C%2FP%3E%3CH2%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%20id%3D%22toc-hId--1436512805%22%3E%26nbsp%3B%3C%2FH2%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1099825%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1099825%22%20slang%3D%22en-US%22%3EHi%2C%3CBR%20%2F%3Etry%20disabling%20your%20extensions%2C%20see%20if%20it%20changes%20anything%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1105006%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1105006%22%20slang%3D%22en-US%22%3E%3CP%3Ethanks%20both%20for%20the%20replies%2C%20unfortuenly%20neither%20of%20these%20have%20worked%2C%20even%20updating%20to%26nbsp%3B%3CSPAN%3EVersion%2081.0.381.0%20(Official%20build)%20dev%20(64-bit)%20has%20not%20resolved%20the%20issue%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1105430%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1105430%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F92295%22%20target%3D%22_blank%22%3E%40Andrew%20Sparks%3C%2FA%3E%26nbsp%3BNot%20sure%20if%20this%20would%20help%20or%20not%2C%20but%20to%20get%20to%20my%20work's%20myapplications%20site%2C%20I%20had%20to%20log%20in%20using%20my%20work%20ID%20(e-mail%20and%20password)%2C%20as%20opposed%20to%20my%20personal%20user%20ID%2Fpassword.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1107431%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1107431%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F510944%22%20target%3D%22_blank%22%3E%40bradmacdonald%3C%2FA%3E%26nbsp%3BThanks%20but%20I%20need%20to%20use%20my%20work%20account%20as%20I'm%20tetsing%20the%20new%20workspaces.%20myapps%20works%20but%20the%20new%20experience%20myapplications.microsoft.com%20gives%20the%20cert%20error.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20I%20said%20all%20work%20fine%20in%20Chrome%2C%20IE%2C%20Firefox%20and%20the%20old%20edge%2C%20so%20I%20will%20have%20to%20use%20one%20of%20them%20for%20now%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1128080%22%20slang%3D%22en-US%22%3ERe%3A%20Certifcate%20Errors%20only%20in%20Edge%20Insider%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1128080%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F92295%22%20target%3D%22_blank%22%3E%40Andrew%20Sparks%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20report!%20This%20issue%20should%20be%20fixed%20by%20now%2C%20as%20Edge%20Dev%20should%20contain%20the%20workaround%2Ffix.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUsing%20my%20psychic%20debugging%20skills%2C%20I%20predict%20that%20your%20network%20has%20deployed%20a%20ZScaler%20network%20interception%20device.%20If%20you're%20still%20on%20a%20build%20with%20the%20problem%2C%20try%20upgrading.%20If%20you%20can't%20for%20whatever%20reason%2C%20as%20a%20workaround%2C%20try%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20Close%20all%20Edge%20instances.%3C%2FP%3E%0A%3CP%3E2.%20Win%2BR%20and%20run%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%20%26nbsp%3Bmsedge.exe%26nbsp%3B%3CSPAN%3E--disable-features%3DPostQuantumCECPQ%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E3.%20Retry%20the%20sites.%3CBR%20%2F%3E%3CBR%20%2F%3ETechnical%20explanation%3A%3CBR%20%2F%3EThese%20ZScaler%20devices%20attempt%20to%20parse%20the%20ClientHello%20TLS%20message%20before%20sending%20the%20request%20to%20the%20target%20server.%20However%2C%20if%20a%20ClientHello%20message%20spans%20multiple%20packets%20(as%20will%20happen%20when%20the%20request%20is%20large)%20the%20ZScaler%20device%20does%20not%20see%20the%20ServerNameIndicator%20TLS%20extension%20in%20the%20client%20hello%20and%20fails%20to%20send%20that%20extension%20to%20the%20target%20server.%20As%20a%20consequence%20the%20target%20server%20gets%20a%20request%20without%20the%20SNI%20telling%20it%20what%20certificate%20to%20return%20to%20the%20client%2C%20and%20depending%20on%20the%20configuration%2C%20it%20sends%20the%20wrong%20certificate%2C%20meaning%20that%20the%20hostname(s)%20in%20the%20certificate%20do%20not%20match%20the%20URL%20requested%2C%20leading%20to%20the%20security%20error%20message.%3CBR%20%2F%3E%3CBR%20%2F%3ENow%2C%20why%20did%20the%20ClientHello%20messages%20start%20getting%20large%3F%20There%20was%20an%20experiment%20(see%20%3CA%20href%3D%22https%3A%2F%2Fcrbug.com%2F1028602%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcrbug.com%2F1028602%3C%2FA%3E)%20that%20resulted%20in%20the%20key_share%20TLS%20extension%20growing%20by%20~1200%20bytes%2C%20causing%20the%20ClientHello%20to%20grow%20bigger%20than%20what%20could%20fit%20in%20one%20TCP%2FIP%20packet.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EWhat's%20next%3A%3C%2FP%3E%0A%3CP%3E1.%20Zscaler%20is%20working%20on%20a%20fix%20for%20their%20software.%20Your%20network%20admins%20will%20need%20to%20deploy%20the%20update%20when%20available.%3C%2FP%3E%0A%3CP%3E2.%20T%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3Ehe%20reason%20that%20it%20doesn't%20repro%20in%20Edge%20Stable%20is%20that%20the%20regression%20landed%20in%20Chromium%2080.0.3967.0%2C%20and%20the%20reason%20it%20doesn't%20repro%20in%20Edge%20Dev%2FCanary%20is%20it%20was%20disabled%20in%20%3CSTRONG%3E81.0.4021.0%3C%2FSTRONG%3E.%20%3CBR%20%2F%3EFor%20Edge%2080%20Beta%2C%20it%20was%20fixed%20in%20Edge%20Beta%20v80.0.361.33%20because%20that%20uses%20Chromium%20v80.0.3987.53.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Andrew Sparks
Contributor

On a number of sites, I get a certificate error, NET::ERR_CERT_COMMON_NAME_INVALID.

 

The sites work fine in IE, Chrome, Firefox and old Edge

 

For example if I go to https://myapplications.microsoft.com/, I get the error and the certifcate is issued to graph.windows.net. If I go to Engadget it redirects me to https://consent.yahoo.com/ and i get the error and the cert is for guce.oath.com with no SAN for the orginal site. There are other example to.

 

Why is this just an issue in Edge Chromium (running Dev channel 81)?

6 Replies

@Andrew Sparks This was an error I received regularly, on this and the previous version of Dev on particular sites. What worked for me was to Reset Settings to default, and Clear All Browsing Data. All I kept was my Passwords. After restarting I could access those sites without a problem.

 

Hi,
try disabling your extensions, see if it changes anything

thanks both for the replies, unfortuenly neither of these have worked, even updating to Version 81.0.381.0 (Official build) dev (64-bit) has not resolved the issue

@Andrew Sparks Not sure if this would help or not, but to get to my work's myapplications site, I had to log in using my work ID (e-mail and password), as opposed to my personal user ID/password.

@bradmacdonald Thanks but I need to use my work account as I'm tetsing the new workspaces. myapps works but the new experience myapplications.microsoft.com gives the cert error.

 

As I said all work fine in Chrome, IE, Firefox and the old edge, so I will have to use one of them for now

@Andrew Sparks Thanks for the report! This issue should be fixed by now, as Edge Dev should contain the workaround/fix.

 

Using my psychic debugging skills, I predict that your network has deployed a ZScaler network interception device. If you're still on a build with the problem, try upgrading. If you can't for whatever reason, as a workaround, try:

 

1. Close all Edge instances.

2. Win+R and run

 

   msedge.exe --disable-features=PostQuantumCECPQ

 

3. Retry the sites.

Technical explanation:
These ZScaler devices attempt to parse the ClientHello TLS message before sending the request to the target server. However, if a ClientHello message spans multiple packets (as will happen when the request is large) the ZScaler device does not see the ServerNameIndicator TLS extension in the client hello and fails to send that extension to the target server. As a consequence the target server gets a request without the SNI telling it what certificate to return to the client, and depending on the configuration, it sends the wrong certificate, meaning that the hostname(s) in the certificate do not match the URL requested, leading to the security error message.

Now, why did the ClientHello messages start getting large? There was an experiment (see https://crbug.com/1028602) that resulted in the key_share TLS extension growing by ~1200 bytes, causing the ClientHello to grow bigger than what could fit in one TCP/IP packet. 

What's next:

1. Zscaler is working on a fix for their software. Your network admins will need to deploy the update when available.

2. The reason that it doesn't repro in Edge Stable is that the regression landed in Chromium 80.0.3967.0, and the reason it doesn't repro in Edge Dev/Canary is it was disabled in 81.0.4021.0.
For Edge 80 Beta, it was fixed in Edge Beta v80.0.361.33 because that uses Chromium v80.0.3987.53.

Related Conversations
When this insider extension going to be available?
HotCakeX in Discussions on
2 Replies
What's new in Edge insider Canary Version 79.0.290.0
HotCakeX in Discussions on
4 Replies
Dark new tab
UltraPako in Discussions on
12 Replies