After update, Chrome on MacOS can't load page

Hello:

I have a jitsi-meet server on Debian 10 which has been working fine. But a recent jitisi package(s) update introduced a problem. I can connect, open a room, communicate with more than one party from Linux and Windows using Chrome, but when I try to join using Chrome on MacOS (Catalina), I get an error page: “Connection Error” in big print, then “Your device may be offline or our servers may be experiencing problems.”

Even on that same MacOS computer I can connect normally with Firefox.

Any ideas?

Thanks.

Answering my own question, I think its an expired ssl cert … oops! If that’s not the case I’ll update.

*** TL;DR Chrome seems to be caching the expired cert, not loading current one. Firefox does not.

Ok… not so simple. Maybe someone has an idea. The cert was not expired, it’s a normal letsencrypt cert (via dehydrated) renewed automatically and symlinked the way it does so an update redoes the link to the new cert.

Yes, I have restarted nginx to pick up the new cert. I have deleted the old certs from the standard dehydrated location ( /var/lib/dehydrated/certs/ ) so the only existing cert is the current, unexpired one.

I have tried pointing the jitsi vhost ssl_certificate directives to the literal (not symlinked) path, does not help.

I run my jitis main web interface on a custom port (443 is not used on the server). So, to test the cert another way, I created a new vhost on port 443 and pointed it to the same certs. Works fine!

Something about the jisti vhost (or other nested config) is causing nginx to serve an old, no longer existing certificate on my jisti vhost but serves correctly on a test vhost. ONLY ON CHROME!

Everything was auto-updating and working fine for years. The cert which shows in Chrome expired in Feb 2021.

Oh! More info - if I load jitsi on Firefox and check the cert, it is the correct cert! Chrome has cached something?

Need client to clear Chrome’s stored site data!

Ok, this seems too crazy to be correct. I think the problem may have been exacerbated by two things: one is the expired/retired letsencrypt ‘R3’ certificate and two was I was pointing to cert.pem not fullchain.pem.

After clearing Chrome’s cache I got the error about expired intermediate cert. Changing the ssl_certificate path to point to the fullchain.pem make it work.

Perhaps if I had that set originally this whole problem would not have popped up for me!

Hope this helps someone else.

1 Like