Reputation: 11
The site https://sorada.gov.ua has a WoSign certificate. It got an "A" on https://www.ssllabs.com/ssltest/analyze.html?d=sorada.gov.ua. But when Google Chrome updated to v.57 we got a NET::ERR_CERT_AUTHORITY_INVALID error. All other browsers are OK. Has anybody else met the same problem?
Upvotes: 1
Views: 1699
Reputation: 123561
Given the behavior of WoSign, certificates issued after 10/26/2016 were distrusted since Chrome 56. It was also announced that in further releases this CA would be distrusted fully. To cite from Distrusting WoSign and StartCom Certificates:
"Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. ... In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs."
According to https://news.ycombinator.com/item?id=13866234, Google now distrusts this CA more than in the last release. To cite from the commit mentioned in the post:
"Restrict the set of domains for which WoSign/StartCom certificates are trusted to the set of domains intersecting the Alexa Top 1M whose certificates are unexpired and unrevoked."
The problem you see is a result of this change. For a discussion of the problem see Chromium issue 685826.
Upvotes: 3
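The staged distrust described in the answer above can be modelled to audit a certificate inventory before a browser update; this is an added example, not part of the answer and not Chromium's code. It assumes certificate metadata in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, matches the CA by issuer name as a heuristic, and uses a constructed allowlist and constructed sample certificates; all function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Cutoff quoted in the answer: issued after 2016-10-21 00:00:00 UTC.
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)
CA_MARKERS = ("wosign", "startcom")  # assumption: heuristic match on issuer names


def issuer_text(cert):
    """Flatten the issuer of an ssl.getpeercert()-style dict to lowercase text."""
    return " ".join(v for rdn in cert.get("issuer", ()) for _, v in rdn).lower()


def not_before(cert):
    """Parse the notBefore string ('Mar  1 00:00:00 2016 GMT') as aware UTC."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def on_allowlist(host, allowlist):
    """Assumption: an allowlist entry covers itself and its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def chrome_verdict(cert, host, chrome_major, allowlist):
    """Simplified model of the staged distrust described in the answer."""
    if not any(m in issuer_text(cert) for m in CA_MARKERS):
        return "unaffected"
    if chrome_major < 56:
        return "trusted"
    if not_before(cert) > CUTOFF:
        return "distrusted: issued after cutoff"
    if chrome_major >= 57 and not on_allowlist(host, allowlist):
        return "distrusted: host not on allowlist"
    return "trusted: exception applies"


# Constructed sample data (not real certificates or the real allowlist).
WOSIGN = ((("organizationName", "WoSign CA Limited"),),
          (("commonName", "Constructed WoSign Intermediate"),))
OLD_CERT = {"issuer": WOSIGN, "notBefore": "Mar  1 00:00:00 2016 GMT"}
NEW_CERT = {"issuer": WOSIGN, "notBefore": "Nov 15 00:00:00 2016 GMT"}
OTHER_CERT = {"issuer": ((("organizationName", "Example Trust CA"),),),
              "notBefore": "Nov 15 00:00:00 2016 GMT"}
ALLOWLIST = {"example.com"}

if __name__ == "__main__":
    for ver in (56, 57):
        print(ver, chrome_verdict(OLD_CERT, "legacy.example.org", ver, ALLOWLIST))
```

A certificate issued before the cutoff for a host outside the allowlist is the case that validates in Chrome 56 and fails in Chrome 57, which matches the symptom in the question.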