net::ERR_INSECURE_RESPONSE in Chrome

Solution 1:

This happens when you update from Chrome 55 to Chrome 56 (56.0.2924.87).
This is an increase in security enforcement.
It doesn't go away by restarting the browser, and it's not a bug.

Mountain View says it's hoping you don't ever encounter the message, because Certificate Authorities are required to stop issuing SHA-1 certificates in 2016. Just in case, Google plans to continue issuing warnings until Chrome completely stops supporting SHA-1 on January 1st, 2017. When that day comes, a website that still uses the function will trigger a fatal network error. (Source: Engadget.com)

If this happens, the most-likely cause is that your (or the website's) SSL-certificate uses SHA1.
SHA1 is broken, and SSL certificates using SHA1 are not secure anymore (it's now been a long time that Chrome showed this to you - now it blocks NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM).

Another likely cause is that your SSL-certificate expired
Also, you should disable backwards-compatiblity with SSL2 & SSL3 (Poodle Attack).
You should only be using TLS (SSL 3.1+).

To test your domain's SSL-certificate, you can use SSL labs SSL test.

To find out what exactly the issue is: Open the chrome developer console (CTRL + SHIFT + J OR F12) And change to the security tab

For more information:
https://support.google.com/chrome/answer/95617?visit_id=1-636221396724527190-3454695657&p=ui_security_indicator&rd=1

FYI:

SHA-1 has been growing weaker and more insecure everyday for a decade now, which is dangerous considering we tend to trust websites with "https://" in their URLs. Other browsers like Mozilla Firefox and Microsoft Edge also plan to stop supporting it in an effort to encourage website owners to switch to more secure SHA-2 certificates as soon as possible.

If you urgently need to get around it (you need to close all running instances of Chrome first - otherwise it won't work):

chrome --args --ignore-certificate-errors

Please note: don't go online-banking or gmail'ing with those command-line settings active in your Chrome instance.

Solution 2:

I had a similar issue recently. I was trying to access an https REST endpoint which had a self signed certificate. I was getting net::ERR_INSECURE_RESPONSE in the Google Chrome console. Did a bit of searching on the web to find this solution that worked for me:

1. Open a new tab in the same window that you are trying to make the API call.
2. Navigate to the https URL that you are trying to access programmatically.
3. You should see a screen similar this:
4. Click on Advanced > proceed to <url> and you should see the response (if there is one)
5. Now try making the API call through your script.

Solution 3:

A missing intermediate certificate might be the problem.

You may want to check your https://hostname with curl, openssl or a website like https://www.digicert.com/help/.

No idea why Chrome (possibly) sometimes has problems validating these certs.

Solution 4:

I was getting this error on amazon.ca, meetup.com, and the Symantec homepage.

I went to the update page in the Chrome browser (it was at 53.*) and checked for an upgrade, and it showed there was no updates available. After asking around my office, it turns out the latest version was 55 but I was stuck on 53 for some reason.

After upgrading (had to manually download from the Chrome website) the issues were gone!

Solution 5:

For me the answer to this was available here on StackOverflow:

ERR_INSECURE_RESPONSE caused by change to Fiddler's root certificate generation using CertEnroll for Windows 7 and later

Unfortunately, this change can cause problems for users who have previously trusted the Fiddler root certificate; the browser may show an error message like NET::ERR_CERT_AUTHORITY_INVALID or The certificate was not issued by a trusted certificate authority.

(Quote from the original source)

I had this ERR_CERT_AUTHORITY_INVALID error on the browser and ERR_INSECURE_RESPONSE shown in Developer Tools of Chrome.