If you’ve been trying to access a website and encountered the NET::ERR_CERT_SYMANTEC_LEGACY error in Google Chrome, you’re not alone. This error has been an issue for many users, especially after Symantec’s SSL certificates were deprecated in 2018. Chrome, along with other modern browsers, no longer trusts SSL certificates issued by Symantec and its associated Certificate Authorities (CAs), which include companies like GeoTrust, Thawte, and RapidSSL. As a result, websites using these certificates will trigger the NET::ERR_CERT_SYMANTEC_LEGACY error, preventing users from accessing the site securely.
This blog will provide a comprehensive guide on how to fix the NET::ERR_CERT_SYMANTEC_LEGACY error for both website owners and visitors, ensuring that users can either resolve the issue or understand the steps they can take.
Understanding the NET::ERR_CERT_SYMANTEC_LEGACY Error
Before diving into how to fix the error, it’s important to understand what causes it.
The NET::ERR_CERT_SYMANTEC_LEGACY error occurs because Google Chrome, and other modern browsers, no longer trust SSL certificates issued by Symantec and its sub-brands. In 2018, Symantec was found to have mismanaged its certificate issuance practices. As a result, Google and other browser vendors stopped trusting these certificates. Websites that still use these outdated certificates will display the NET::ERR_CERT_SYMANTEC_LEGACY error.
This error is part of Chrome’s security measures to ensure that users’ connections are secure and trustworthy. When a website uses an SSL certificate issued by a deprecated or untrusted CA, Chrome blocks the connection, preventing potential security threats such as man-in-the-middle attacks.
What Causes NET::ERR_CERT_SYMANTEC_LEGACY in Google Chrome?
The NET::ERR_CERT_SYMANTEC_LEGACY error is triggered when the SSL certificate of a website is issued by Symantec or one of its subsidiaries, including:
- GeoTrust
- Thawte
- RapidSSL
Since 2018, Google and other browsers no longer trust these certificates due to mismanagement and security concerns. As a result, users attempting to access websites with these legacy certificates will see the NET::ERR_CERT_SYMANTEC_LEGACY error.
How to Fix NET::ERR_CERT_SYMANTEC_LEGACY?
There are two main parties that need to resolve this error: website owners and website visitors. Let’s explore how each group can tackle the issue.
For Website Owners:
As a website owner, you need to replace your outdated Symantec-issued SSL certificate with a new certificate issued by a trusted Certificate Authority (CA). Let’s break down the steps.
Step 1: Replace the Outdated Symantec SSL Certificate
Since Symantec certificates are no longer trusted, your first action should be to replace your current SSL certificate with a new one from a trusted CA like Let’s Encrypt, DigiCert, GlobalSign, or Comodo.
1.1 Generate a New Certificate Signing Request (CSR)
To replace the old SSL certificate, you will need to generate a new CSR on your server. Generating the CSR is a crucial step in obtaining a new SSL certificate: it contains the information the certificate authority needs to create the new certificate.
Example of generating a CSR:
- Log in to your web hosting control panel (like cPanel, Plesk, or DirectAdmin).
- Find the SSL/TLS or Security section.
- Click on Generate a new CSR and fill in the required fields such as:
  - Domain Name (the domain you want the certificate for).
  - Country.
  - Organization.
  - Email Address.
- Once the CSR is generated, keep a copy of the private key and submit the CSR to your new SSL provider.
1.2 Obtain a New SSL Certificate
After generating the CSR, submit it to the SSL provider to issue a new certificate. Once the SSL provider issues the certificate, you will receive the signed certificate, which contains your public key and which you will need to install on your server.
1.3 Install the New SSL Certificate
Once you have the new SSL certificate, you can install it on your server. If you’re using cPanel, this can usually be done by navigating to the SSL/TLS Manager, selecting the Install an SSL Certificate option, and pasting the certificate into the appropriate fields.
Example of installing an SSL certificate:
- Open your cPanel or hosting control panel.
- Navigate to SSL/TLS.
- Select Manage SSL sites and paste your newly issued certificate in the provided fields.
- Click Install Certificate.
1.4 Verify the New Certificate
After installing the new SSL certificate, it’s essential to verify that it’s working correctly.
- Use SSL Labs’ SSL Test (https://www.ssllabs.com/ssltest/) to check if the new certificate is installed correctly and trusted by browsers.
- Ensure that your website no longer uses any outdated Symantec-issued certificates.
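The same replacement can be scripted and checked with the OpenSSL command-line tool. This is an added example, not part of the original article: it assumes OpenSSL 1.1.1 or later, the function and file names are illustrative, and the issuer check is a name heuristic built from the brands listed above. Chrome's own decision is made on the certificate chain, so the browser test in Step 2 stays authoritative.

```sh
# Added example (not from the original article): steps 1.1-1.4 with the openssl CLI.
# Function names, file names and subject values are illustrative.
# Assumes OpenSSL 1.1.1 or later (needed for -addext).

# 1.1  New private key + CSR. Generate a fresh key; do not reuse the old one.
# usage: make_csr DOMAIN OUTDIR [SUBJECT]
#   e.g. make_csr www.example.com . "/C=US/O=Example Org/CN=www.example.com"
make_csr() {
    (
        umask 077    # the private key must not be readable by other users
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/$1.key" -out "$2/$1.csr" \
            -subj "${3:-/CN=$1}" \
            -addext "subjectAltName=DNS:$1" 2>/dev/null
    )
}

# 1.3  Before installing: does the issued certificate belong to that key?
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
# usage: cert_matches_key CERT.pem KEY.pem
cert_matches_key() {
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$_cert_pub" = "$_key_pub" ]
}

# 1.4  Heuristic: does the issuer's Organization carry a legacy brand name?
# Matches the Organization only, because the brand names can still appear in
# the common name of currently trusted issuers (assumption about present-day naming).
# Returns 0 if a legacy brand is found, 1 if not, 2 if the file cannot be parsed.
# usage: issuer_is_legacy_symantec CERT.pem
issuer_is_legacy_symantec() {
    _issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt multiline 2>/dev/null) || return 2
    printf '%s\n' "$_issuer" | grep -i 'organizationName' |
        grep -Eiq 'symantec|geotrust|thawte|rapidssl'
}

# Fetch what the server actually serves, then check it:
#   openssl s_client -connect www.example.com:443 -servername www.example.com \
#       </dev/null 2>/dev/null | openssl x509 -out served.pem
#   issuer_is_legacy_symantec served.pem && echo "still on a legacy chain"
```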
Step 2: Test the Installation
To confirm that the NET::ERR_CERT_SYMANTEC_LEGACY error has been resolved, visit your website and check the SSL status:
- Open Google Chrome and type your website URL in the address bar.
- If the website is properly configured, you should see a padlock icon next to the URL, indicating a secure connection.
- If there is no error, your website is now using a trusted SSL certificate.
Step 3: Implement HSTS (Optional)
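HTTP Strict Transport Security (HSTS) is a security feature that tells browsers to always connect to your website using HTTPS, even if the user tries to access it through HTTP. Enabling HSTS can help avoid future SSL-related errors. Enable it only after the new certificate has been verified: once a browser has recorded an HSTS policy for your site, it no longer lets visitors click through certificate errors.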
How to enable HSTS:
- Add the following header to your server configuration:
- Restart your server to apply the changes.
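Once the header is configured, it is worth confirming that the server really sends it. The following is an added example, not from the original article: the function names, the one-year default threshold and the nginx/Apache values shown in the comments are assumptions, not the article's own settings.

```sh
# Added example: check the Strict-Transport-Security header a site sends.
# One common way to send it (values are an assumption, adjust to your policy):
#   nginx : add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#   Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Browsers honour the header only on HTTPS responses, so test the https:// URL.

# Reads HTTP response headers on stdin and prints the HSTS max-age in seconds.
# Header and directive names are case-insensitive; only the first HSTS header
# counts; max-age may be quoted. Returns 1 if there is no usable max-age.
hsts_max_age() {
    tr -d '\r' | tr 'A-Z' 'a-z' |
    sed -n 's/^strict-transport-security:[[:space:]]*//p' | head -n 1 |
    tr ';' '\n' |
    sed -n 's/^[[:space:]]*max-age[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9][0-9]*\)"\{0,1\}[[:space:]]*$/\1/p' |
    head -n 1 | grep .
}

# Prints one of: missing | disabled | short | ok
#   disabled: max-age=0 tells the browser to forget the policy
#   short   : policy present but shorter than MIN_SECONDS (default one year)
# usage: curl -sI https://www.example.com | hsts_status [MIN_SECONDS]
hsts_status() {
    _age=$(hsts_max_age) || { echo missing; return 0; }
    if [ "$_age" -eq 0 ]; then
        echo disabled
    elif [ "$_age" -lt "${1:-31536000}" ]; then
        echo short
    else
        echo ok
    fi
}
```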
For Website Visitors:
If you are a visitor to a website showing the NET::ERR_CERT_SYMANTEC_LEGACY error, it means the website is using an outdated Symantec SSL certificate. As a user, there are a few steps you can take to resolve or bypass the issue temporarily.
Step 1: Try a Different Browser
The NET::ERR_CERT_SYMANTEC_LEGACY error is specific to Google Chrome and may not appear in other browsers. If you need immediate access to the website, try opening it in a different browser such as Mozilla Firefox, Microsoft Edge, or Safari. These browsers may still allow you to access the website if the SSL certificate issue is not present.
Step 2: Clear Browser Cache and Cookies
Sometimes, your browser might be caching the old SSL certificate. Clearing your browser’s cache and cookies can often resolve SSL errors.
How to clear cache and cookies in Chrome:
- Open Google Chrome.
- Click on the three dots in the upper-right corner and go to More tools > Clear browsing data.
- Choose All time in the time range dropdown.
- Check Cookies and other site data and Cached images and files.
- Click Clear data.
Step 3: Manually Accept the SSL Certificate (Not Recommended)
If you trust the website and need to access it despite the certificate error, you can manually accept the certificate. However, this is not recommended as it can expose you to security risks.
How to accept the SSL certificate:
- When the NET::ERR_CERT_SYMANTEC_LEGACY error appears, click Advanced.
- Click Proceed to [website] (unsafe).
This will allow you to bypass the certificate warning temporarily.
Conclusion
The NET::ERR_CERT_SYMANTEC_LEGACY error is a result of outdated SSL certificates from Symantec and its subsidiaries. It affects website owners who are still using these deprecated certificates. The solution involves replacing the old certificate with a new one from a trusted Certificate Authority like DigiCert, GlobalSign, or Let’s Encrypt.
For visitors, the error can be bypassed by using different browsers, clearing cache and cookies, or accepting the certificate manually. However, website owners should prioritize updating their SSL certificates to maintain secure and trusted connections.
By following the steps outlined above, you can easily resolve the NET::ERR_CERT_SYMANTEC_LEGACY error and ensure secure browsing experiences for both website owners and visitors.