by xZuki 2176 days ago
This is all confusing to me but I've been having certificate issues today and it seems like this could be related. It's a weird coincidence if not!

Basically on Chrome one of my sites is throwing:

"NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"

for most users but not all, even though they're all on Chrome. It seems to work fine in other browsers.

https://transparencyreport.google.com/https/certificates

When I check my domain here it seems like I have got the transparency certificate so I shouldn't be getting this error.

Is this related to what you're talking about? I would really appreciate any help. I'm using https://letsencrypt.org/ for the cert.

3 comments

Does your cert have an SCT? It would be strange for a Let's Encrypt cert to be missing it but certainly possible. Try running (replace both example.coms with your domain name)

    openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -noout -text

which should print an SCT extension at the end - my version displays it by numeric identifier "1.3.6.1.4.1.11129.2.4.2" but maybe newer versions display it by name.

Alternatively, I think you might be able to go to https://www.ssllabs.com/ssltest/ and see if your cert has "Certificate Transparency: Yes", but I'm not sure exactly what that means.

Anyway, I don't think this is related, the question at hand is about OCSP, which is a different mechanism from Certificate Transparency. (Arguably Certificate Transparency is a replacement for revocation in general being flawed in practice for many reasons, but they're different mechanisms.)

It's a weird coincidence for you but for everybody else it's to be expected as there are dozens or hundreds of people having issues every day.

It's extremely unlikely to have anything to do with this incident.

You should obtain a copy of the certificate which triggers NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED and take a look at that. There's an excellent chance there's something else even more obvious wrong (from your point of view as a human) but Chrome decided to focus on the lack of trustworthy SCTs.

My instinct would be that it's likely a middle box (e.g. "anti-virus software" on a PC can install itself to snoop on all HTTPS sites, or a corporate "data loss prevention" proxy or that sort of thing) and the bogus certificate will likely make that pretty obvious if you examine it.

I think it's an interplay between system clock skew, Chromium's SCT validation implementation, and (very) recently issued certificates (which are backdated by 1 hour).

It's a bit of a heisenbug but it's occasionally reported on the Let's Encrypt forums. It always goes away for the reporters just by waiting a little bit.

It would be really nice if a user who runs into this could generate a Chromium event log which would hopefully include the SCT events (chrome://net-internals).
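A scripted version of the two checks discussed in this thread, added here as an example that is not part of any comment above: it parses `openssl x509 -noout -text` output for the SCT extension (by the "CT Precertificate SCTs" label newer OpenSSL prints, or by the OID 1.3.6.1.4.1.11129.2.4.2 quoted earlier) and then lists which SCT timestamps a client with a clock running behind would see as lying in the future. The certificate text is a constructed sample, not a real certificate.

```python
import re
from datetime import datetime, timezone

SCT_OID = "1.3.6.1.4.1.11129.2.4.2"   # how older OpenSSL labels the SCT list extension
SCT_NAME = "CT Precertificate SCTs"   # how newer OpenSSL labels the same extension

# Constructed sample in the layout `openssl x509 -noout -text` uses for the
# extension; a real certificate carries real log IDs and signatures.
SAMPLE_TEXT = """\
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 00:11:22:33 (constructed)
                    Timestamp : Jul 25 12:34:56.789 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 44:55:66:77 (constructed)
                    Timestamp : Jul 25 12:34:57.012 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
"""

TS_RE = re.compile(r"Timestamp\s*:\s*(\w{3} +\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)? (\d{4}) GMT")


def sct_timestamps(x509_text):
    """Return (present, timestamps) for the SCT extension in x509 -text output.

    present is True when the extension appears by name or by OID. The list is
    empty on older OpenSSL builds that only hex-dump the OID, so 'present but
    no timestamps' means the tool, not the cert, is the limit."""
    present = SCT_NAME in x509_text or SCT_OID in x509_text
    stamps = []
    for m in TS_RE.finditer(x509_text):
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")
        stamps.append(ts.replace(tzinfo=timezone.utc))  # fractional seconds dropped
    return present, stamps


def future_scts(stamps, now):
    """SCTs that a client whose clock reads `now` would see as not issued yet.

    A certificate's notBefore can be backdated, but each SCT timestamp is the
    log's real signing time, so a client clock running behind by more than the
    certificate's age sees every SCT in the future."""
    return [ts for ts in stamps if ts > now]
```

Feed it the output of the `openssl ... | openssl x509 -noout -text` pipeline from the earlier comment and pass the affected user's clock reading as `now` to see whether skew explains the error.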

Thanks! It does seem to have gone away today. Very strange.

That is probably not related.

If you run SSLLabs against your host name, does it say “Certificate Transparency: Yes” or No?

https://www.ssllabs.com/ssltest/analyze.html?d=your-hostname

Thanks. It says "yes".