Remove domain from HPKP preload list

Question

So, this is a fun story regarding HTTP Public Key Pinning (HPKP) and HTTP Strict Transport Security (HSTS).

I was playing with the HTST Always and HPKP preload options, not being fully aware of the consequences.

About the same time, I discovered that my "test" account that I used to 'test' on how I can fully secure users, was not secure. I was deleting it, remaking it, and one time I forgot to secure it.

It was a normal user, with little to no rights, I deleted the user, by killing the the processes owned by the user "test". Then I rm -rfv /home/test/.

However, I still did not feel save, thus I reinstalled my server, thinking that I could renew cert with Let's Encrypt, add them again, and we're done.

Alas, that was not meant to be. When I browse my website(*.eurobytes.nl), with chrome, I get the following message:

ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

When browsing one of my subdomains, Mozilla Firefox, wont even display the website, it just doesn't go there.

I'm assuming all this can be fixed by delisting myself from the Mozilla Firefox/Google Chrome HTST and HPKP list.

How can I delist myself from HTST and HPKP?

Answer 1

Actually there is no way you can change this. Usually you don't have access to the browsers of your web site visitors.

HSTS - HTTP Strict Transport Security

I assume that you have only set HSTS via header and not via list (register a domain to be https only via HSTS preload). If this is the case all browsers that have visited your site have stored your domain with the preference of using HTTPS for the given max-age.

If you have registered your domain to be a HTTPS only site (this includes all subdomains) via https://hstspreload.org/ than you have to remove your domain from this list first (removing not recommended - needs a quite long time).

HPKP - HTTP Public Key Pinning

Same here: All your web site visitor have stored the allowed pins for your domain in their browsers and if you setup a new SSL certificate not matching one of pins, the browser does not open your site.

I would recommend to use a different domain name.

Answer 2

Ok there's a few things going on here.

First of all HSTS says your site has to use HTTPS for whatever time you specified previously that the browser has cached. Since you've installed a new cert you're still using HTTPS and that's not a problem and not what the error message is telling you.

HSTS can also be preloaded (hardcoded) into the browsers code. But again that's not an issue here, even if you had done that, since you are still using HTTPS.

HPKP says only certain HTTPS certificates can be used on your site. As you've a new certificate that wasn't on the previously defined list that's where your problem is.

Thankfully browsers don't let you preload HPKP, as I think that is a terrible idea.

So how to fix?

1. Delete it from the browser. In Chrome and Opera you can type chrome://net-internals/#hsts in your web browser and search and delete your domain for both HSTS and HPKP. Doing similar for Firefox requires editing a file (see here for details). Obviously this only works if your site is only used by a few people and you can visit their PCs and/or talk them trough this.

2. You wait until the expiry time of your HPKP policy ends. Hopefully you had a short policy expiry time as just testing this. Chrome caps HPKP policies at a maximum of 60 days (even if you have specified a longer policy).

Answer 3

I wanted to note for posterity – in 2021 you can likely safely deprecate HPKP. No modern browsers currently allow HPKP. Chrome dropped it in 2017, and I believe Firefox is 2018. As such, there is no worry of removing headers, and your clients browsers can still access your site.

Complete Browser Support List: https://caniuse.com/?search=hpkp If you're concerned about baked-in ancient browsers.

More on why it was deprecated here for those interested. https://scotthelme.co.uk/hpkp-is-no-more/