This has caught me out a couple of times, so it's about time I write it up on my blog so I can google myself!
Here's the situation: I had a working SSL certificate in place (actually for local development against a fake domain) and all of a sudden when visiting the https URL Chrome is telling me that my SSL certificate is no longer secure.
The thing that I've noticed when this happens (to me) is there's usually some change in my network. This last happened to me when I was using an airport's wifi, and even though this particular domain resolves locally, it still seemed to do a DNS lookup through the airport's network first (I think).
There was definitely a caching issue at play, because the certificate was fine earlier in the day, but now not working. I thought I should be able to disable my wifi connection and clear the cached SSL cert, but it doesn't quite work like that.
HSTS settings
Quite a few people (via twitter) suggested clearing content settings, cache, etc, but actually the problem came down to HSTS settings.
This excellent post on HSTS settings explains how to clear the domain on Firefox, Chrome and Safari.
For my own record, here's how to do it in Chrome:
- Visit chrome://net-internals/#hsts (no, you can't link to internal chrome:// links!)
- Delete your domain (section 2)
- Optionally, query your domain, and it should say "NOT FOUND"
Now the domain will be clear of the SSL cached nonsense and will re-request your certificate (assuming that it should have been fine in the first place).
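Why the entry sticks around until you delete it: the browser stores the policy from a site's `Strict-Transport-Security` response header for `max-age` seconds. The sketch below is an added example, not code from this post or from Chrome; it models that store following RFC 6797, and the class name, hostnames and header values are constructed for illustration.

```python
# Added example: minimal model of a browser's HSTS store (RFC 6797).
# All hostnames and header values used with it are constructed samples.

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if the header must be ignored."""
    seen = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name in seen:                       # repeated directive: ignore the whole header
            return None
        seen[name] = value.strip().strip('"')  # a value may be a quoted-string
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):  # max-age is required
        return None
    return int(max_age), "includesubdomains" in seen


class HstsStore:
    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def note_header(self, host, header, now):
        policy = parse_hsts(header)
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:                       # max-age=0 tells the browser to forget the host
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def is_https_only(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):           # exact host first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def delete(self, host):                    # models the "Delete your domain" step above
        self.entries.pop(host.lower(), None)
```

Note that an entry with `includeSubDomains` on a parent domain also covers every host beneath it, so deleting only the subdomain you are visiting leaves the parent's policy in force.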