HSTS & NET::ERR_CERT_COMMON_NAME_INVALID

Without understanding, I had enabled HSTS on amerkhalid.com with option includeSubDomains. I had a subdomain that was used as “Custom Domain” to SmugMug site. After enabling HSTS, these subdomains started to throw NET::ERR_CERT_COMMON_NAME_INVALID.

The fix is of course simple, don’t use includeSubDomains. But that opens up your top level domain to man in middle attacks.

For now, I decided to follow the best practices and leave includeSubDomains enabled. And decided to not use custom domain for my SmugMug site.

Lastly, you can clear HSTS settings in Chrome by:

  1. Enter in Address Bar chrome://net-internals/#hsts
  2. Under “Delete domain” type your domain
  3. Hit “Delete” button.

 

Leave a Reply