0

On a Windows Server 2012 (R2) I have users who connect to it via RDP.

When using Chrome on that server, just ONE user receives a certificate warning when connecting to an internal HTTPS website. Chrome on that terminal server is the latest 64-bit version (as told by the Chrome Help | About page).

All the rest of the users can connect to the site normally from this and other terminal servers, with no warnings (the lock icon is locked).

It is a NET::ERR_CERT_SYMANTEC_LEGACY error, but our server uses a RapidSSL wildcard certificate, which was created in 2017, not a Symantec one.

I tried to clear all Chrome caches for that user and restart Chrome, but that didn't help.

Any ideas how to fix this or what could be the problem?

Gnudiff
  • Check the certificate that is shown to the user - do you use some Symantec software that could do some man-in-the-middle scans or something like that? – Tobias Nov 06 '18 at 10:37
  • @Tobias Nope, we don't use any Symantec. Just to make sure there is no certificate spoofing, I exported the certificates (X509 CER) from the affected user's session, from another user's session, and from my PC workstation -- they are all the same file (compared with diff and with openssl modulo md5). And the Windows details on the certificate (from the affected user's session) say "Certificate is OK". It is only Chrome which balks at it. – Gnudiff Nov 06 '18 at 11:07
  • **RapidSSL is** a brand of GeoTrust which is among the CAs **owned by Symantec** which late last year was caught cheating and scheduled for distrust by Google/Chrome (see answer) and ended up selling to Digicert. See https://knowledge.digicert.com/alerts/ALERT2562.html. – dave_thompson_085 Dec 05 '18 at 18:58

1 Answer

2

Sounds like the Google "distrusting" of Legacy Symantec PKIs.

https://productforums.google.com/forum/#!msg/chromebook-central/c_OUU8KPIqQ/uJkWySlOBgAJ

  • That turned out to be the correct answer. I was misled by the fact that the certificates and the CA don't include Symantec anywhere, but the solution was for them to issue new certificates. – Gnudiff Dec 11 '18 at 09:55
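
The thread's point is that a chain can belong to the legacy Symantec PKI without the word "Symantec" appearing in it. The following triage helper is an added example, not code from the question or answer: it reads the "Certificate chain" listing printed by `openssl s_client -showcerts` and checks the topmost issuer name against the brands that were part of that PKI. Both sample listings, the hostname and the function names are constructed for illustration, and the name match is only a hint, since Chrome decides on root keys rather than names.

```python
import re

# Brand names that belonged to Symantec's legacy CA business (assumed list for
# this example). Chrome matches root public keys, not names, so treat a hit as
# a triage hint that the certificate needs reissuing, not as a verdict.
LEGACY_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl", "equifax")

# Matches the " 0 s:<subject>" / "   i:<issuer>" lines of the s_client chain listing.
CHAIN_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):\s*(.*)$")

# Constructed sample: a wildcard certificate chaining to a GeoTrust root.
LEGACY_CHAIN = """Certificate chain
 0 s:CN = *.example.internal
   i:C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
 1 s:C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
"""

# Constructed sample: the same brand after reissue, now chaining to a DigiCert root.
REISSUED_CHAIN = """Certificate chain
 0 s:CN = *.example.internal
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
"""

def chain_issuers(s_client_text):
    """Return the issuer DN of every certificate the server sent, leaf first."""
    return [m.group(2) for line in s_client_text.splitlines()
            if (m := CHAIN_LINE.match(line)) and m.group(1) == "i"]

def legacy_symantec_anchor(s_client_text):
    """Return (anchor_dn, brand); brand is None when the topmost issuer is not a legacy name."""
    issuers = chain_issuers(s_client_text)
    if not issuers:
        raise ValueError("no certificate chain lines found")
    anchor = issuers[-1]  # issuer of the last certificate sent, normally the root
    brand = next((b for b in LEGACY_BRANDS if b in anchor.lower()), None)
    return anchor, brand

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CHAIN), ("reissued", REISSUED_CHAIN)):
        print(name, legacy_symantec_anchor(text))
```

Only the topmost issuer is checked, so a reissued certificate whose intermediate still carries the RapidSSL brand name is not flagged.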