https://live.paloaltonetworks.com/t5/general-topics/chrome-hsts-net-err-cert-authority-invalid-with-10-1-14h4-update/m-p/629338#M122107 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/279610">@AlonTabak</a>&nbsp;,</P> <P>&nbsp;</P> <P>Its likely that the websites you are getting those errors on are using tls 1.3:<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JayGolf_0-1732075296170.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/64135i830C48A82D07AE69/image-size/medium?v=v2&amp;px=400" role="button" title="JayGolf_0-1732075296170.png" alt="JayGolf_0-1732075296170.png" /></span></P> <P>Test this out by modifying your decryption profile and set min version to 1.2 and max version to max.&nbsp;</P> Wed, 20 Nov 2024 04:07:41 GMT JayGolf 2024-11-20T04:07:41Z https://live.paloaltonetworks.com/t5/general-topics/chrome-hsts-net-err-cert-authority-invalid-with-10-1-14h4-update/m-p/628112#M122101 <P>We updated PANOS (on Friday before h6 was released on Sat) to 10.1.14-h4, rebooted and now our users are sporadically complaining about when using google Chrome (Edge not effected), getting a "Your connection is not private" NET::ERR_CERT_AUTHORITY_INVALID - specifically going to some banking sites (Chase.com, being a major culprit).&nbsp; Doesn't happen to everyone, and is very sporadic, then starts working later on.&nbsp; The only change we did was the 10.1.14 upgrade.&nbsp; We are not decrypting financial sites, and you can see Chase's cert in chrome - however adding to no-decrypt sometimes helps the user.&nbsp; I noticed our user-decrypt-profile is limited to TLS 1.2 (so maybe that's the issue) but called support (hasn't been helpful) next step is updating to h6.&nbsp; Any ideas or suggestions would be greatly appreciated!&nbsp; thanks in advance</P> Tue, 19 Nov 2024 20:53:39 GMT https://live.paloaltonetworks.com/t5/general-topics/chrome-hsts-net-err-cert-authority-invalid-with-10-1-14h4-update/m-p/628112#M122101 AlonTabak 2024-11-19T20:53:39Z https://live.paloaltonetworks.com/t5/general-topics/chrome-hsts-net-err-cert-authority-invalid-with-10-1-14h4-update/m-p/629338#M122107 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/279610">@AlonTabak</a>&nbsp;,</P> <P>&nbsp;</P> <P>Its likely that the websites you are getting those errors on are using tls 1.3:<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JayGolf_0-1732075296170.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/64135i830C48A82D07AE69/image-size/medium?v=v2&amp;px=400" role="button" title="JayGolf_0-1732075296170.png" alt="JayGolf_0-1732075296170.png" /></span></P> <P>Test this out by modifying your decryption profile and set min version to 1.2 and max version to max.&nbsp;</P> Wed, 20 Nov 2024 04:07:41 GMT https://live.paloaltonetworks.com/t5/general-topics/chrome-hsts-net-err-cert-authority-invalid-with-10-1-14h4-update/m-p/629338#M122107 JayGolf 2024-11-20T04:07:41Z https://live.paloaltonetworks.com/t5/general-topics/chrome-hsts-net-err-cert-authority-invalid-with-10-1-14h4-update/m-p/639977#M122122 <P>Thanks for the recommendation but no dice (just yet).&nbsp; Added TLS 1.3/Max as an option (which is good to have in either case), but still an issue with specific banking sites Chase, Merril, etc (only for some users).&nbsp; Palo support recommends flow based debugging as a next step, and I'm upgrading to the latest 10.1.14-h6 on Friday as another option.&nbsp;&nbsp;</P> Wed, 20 Nov 2024 14:25:53 GMT https://live.paloaltonetworks.com/t5/general-topics/chrome-hsts-net-err-cert-authority-invalid-with-10-1-14h4-update/m-p/639977#M122122 AlonTabak 2024-11-20T14:25:53Z