KNOWLEDGE BASE

Error "NET::ERR_CERT_INVALID" in Chrome 105 and later but not in Edge or Firefox to access Tableau Server


Published: 10 Nov 2022
Last Modified Date: 15 Nov 2022

Issue

When accessing Tableau Server with a self-signed SSL certificate including all the necessary SANs (Subject Alternative Name), an error occurs in Chrome 105 and later but NOT in Edge or Firefox.

The following error may occur when selecting "more detail" after "Your connection is not private" is displayed:

NET::ERR_CERT_INVALID

Environment

  • Tableau Server
  • SSL Enabled (self-signed SSL certificate including necessary SANs)
  • Google Chrome 105 and later
  • Windows
  • MacOS

Cause

From Chrome 105, Chrome is doing a platform-by-platform transition from relying on the host operating system’s root store (platform root store) to its own, which is named as "Chrome Root Store".  The Chrome Root Store and Certificate Verifier have begun rolling out on Windows and macOS in Chrome 105, with other platforms to follow.

This change is not friendly to self-signed SSL certificates (including necessary SANs), even though the certificate is installed in the user's Trusted Root CA. The Chrome Root Store does not treat a self-signed SSL certificate as trusted, and marks it as an invalid certificate.

For more details, please refer to the google document below:
Announcing the Launch of the Chrome Root Program
Chrome Root Store - Frequently Asked Questions

Additional Information

Chrome starts to use its own root store in Chrome 105 and later. Google does not enable the new feature for all of Chrome users at the same time. To confirm if your browser is using the new feature, check your CHROME > SETTINGS > PRIVACY and SECURITY > SECURITY (chrome://settings/security) as described below.

If you do NOT have the issue described, you should only have the old security option below:
  • “Manage Certificates”

When your Chrome browser has been changed to use the new Chrome Root Store, you should have both of the two new security options below:
  • “Manage Device Certificates”
  • “Certificates Managed by Chrome”
Did this article resolve the issue?