net::ERR_INSECURE_RESPONSE in Chrome

Google Chrome

Google Chrome Problem Overview


I am getting an error net::ERR_INSECURE_RESPONSE in the Chrome console when fetching some data from my API

This error usually occurs as a result of an unsigned certificate; however, it is not an issue with this because I have a valid and signed certificate.

The error doesn't happen often at all and it goes away if I restart my Chrome browser. It also doesn't occur in any other browser at all (tested on Safari, Mozilla, Opera)

Any idea why this is happening? Is this just a browser bug?

Google Chrome Solutions


Solution 1 - Google Chrome

This happens when you update from Chrome 55 to Chrome 56 (56.0.2924.87).
This is an increase in security enforcement.
It doesn't go away by restarting the browser, and it's not a bug.

> Mountain View says it's hoping you don't ever encounter the message, > because Certificate Authorities are required to stop issuing SHA-1 > certificates in 2016. Just in case, Google plans to continue issuing > warnings until Chrome completely stops supporting SHA-1 on January > 1st, 2017. When that day comes, a website that still uses the function > will trigger a fatal network error. (Source: Engadget.com)

If this happens, the most-likely cause is that your (or the website's) SSL-certificate uses SHA1.
SHA1 is broken, and SSL certificates using SHA1 are not secure anymore (it's now been a long time that Chrome showed this to you - now it blocks NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM).

Another likely cause is that your SSL-certificate expired
Also, you should disable backwards-compatiblity with SSL2 & SSL3 (Poodle Attack).
You should only be using TLS (SSL 3.1+).

To test your domain's SSL-certificate, you can use SSL labs SSL test.

To find out what exactly the issue is: Open the chrome developer console (CTRL + SHIFT + J OR F12) And change to the security tab

Security

Console

Details

For more information:
https://support.google.com/chrome/answer/95617?visit_id=1-636221396724527190-3454695657&p=ui_security_indicator&rd=1

FYI:

> SHA-1 has been growing weaker and more insecure everyday for a decade > now, which is dangerous considering we tend to trust websites with > "https://" in their URLs. Other browsers like Mozilla Firefox and > Microsoft Edge also plan to stop supporting it in an effort to > encourage website owners to switch to more secure SHA-2 certificates > as soon as possible.

If you urgently need to get around it (you need to close all running instances of Chrome first - otherwise it won't work):

chrome --args --ignore-certificate-errors

Please note: don't go online-banking or gmail'ing with those command-line settings active in your Chrome instance.

Solution 2 - Google Chrome

I had a similar issue recently. I was trying to access an https REST endpoint which had a self signed certificate. I was getting net::ERR_INSECURE_RESPONSE in the Google Chrome console. Did a bit of searching on the web to find this solution that worked for me:

  1. Open a new tab in the same window that you are trying to make the API call.
  2. Navigate to the https URL that you are trying to access programmatically.
  3. You should see a screen similar this: enter image description here
  4. Click on Advanced > proceed to <url> and you should see the response (if there is one)
  5. Now try making the API call through your script.

Solution 3 - Google Chrome

A missing intermediate certificate might be the problem.

You may want to check your https://hostname with curl, openssl or a website like https://www.digicert.com/help/.

No idea why Chrome (possibly) sometimes has problems validating these certs.

Solution 4 - Google Chrome

I was getting this error on amazon.ca, meetup.com, and the Symantec homepage.

I went to the update page in the Chrome browser (it was at 53.*) and checked for an upgrade, and it showed there was no updates available. After asking around my office, it turns out the latest version was 55 but I was stuck on 53 for some reason.

After upgrading (had to manually download from the Chrome website) the issues were gone!

Solution 5 - Google Chrome

For me the answer to this was available here on StackOverflow:

ERR_INSECURE_RESPONSE caused by change to Fiddler's root certificate generation using CertEnroll for Windows 7 and later

> Unfortunately, this change can cause problems for users who have > previously trusted the Fiddler root certificate; the browser may show > an error message like NET::ERR_CERT_AUTHORITY_INVALID or The > certificate was not issued by a trusted certificate authority.

(Quote from the original source)

I had this ERR_CERT_AUTHORITY_INVALID error on the browser and ERR_INSECURE_RESPONSE shown in Developer Tools of Chrome.

Solution 6 - Google Chrome

Maybe you have run into this problem: [net::ERR_INSECURE_RESPONSE][1]

You need to check the encryption algorithms supported by your server. For example for apache you can configure the cipher suite this way: [cipher suite][2].

Which version of chrome are you running and what is the server serving your APIs?

[1]: https://groups.google.com/a/chromium.org/forum/#!topic/chromium-discuss/4ctMmhOTDFg "error" [2]: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html "cipher suite"

Solution 7 - Google Chrome

I was having this issue when testing my Cordova app on android. It just so happens that this android device does not persist its date, and will reset back to its factory date somehow. The API that it calls has a cert that is valid starting this year, while the device date after bootup is in 2017. For now, I have to adb shell and change the date manually.

Solution 8 - Google Chrome

Don't know if this question is relevant anymore, but this happened to me on a client wich had an incorrect datetime set on Windows. This will be an alternative to watch. If is this case, it will reproduce on other browsers as well (at least, on firefox and chrome).

I fixed it updating datetime on Windows to actual's real datetime. Hope it helps somebody.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionKarimView Question on Stackoverflow
Solution 1 - Google ChromeStefan SteigerView Answer on Stackoverflow
Solution 2 - Google ChromeRadiumView Answer on Stackoverflow
Solution 3 - Google ChromeHerriView Answer on Stackoverflow
Solution 4 - Google Chromejames2doyleView Answer on Stackoverflow
Solution 5 - Google ChromeB Charles HView Answer on Stackoverflow
Solution 6 - Google ChromepinturicView Answer on Stackoverflow
Solution 7 - Google ChromeZaidView Answer on Stackoverflow
Solution 8 - Google ChromeSergio A.View Answer on Stackoverflow