Description of the issue:
When the SSL certificate for a site has expired, the owner will often renew it because Brave provides the very helpful message that the site is no longer secure. Once the owner has renewed the certificate, subsequent reloads of the page apparently discover that the certificate has been renewed (see my screenshot below), but the “Not secure” and little red circle are still there.
1. Wait for the SSL certificate on one of your websites to expire.
2. Visit your website and note the red circle icon and the “Not secure” message.
3. Renew your SSL certificate and get it installed.
4. Prove that your site is now properly configured by visiting the https version from a different browser.
5. Go back to Brave and reload your page to see that Brave continues to show that your site is not secure, but also that it now has a valid certificate (see screenshot above).
Expected result:
The “Not secure” icon and message should be gone upon reload after the new SSL certificate is properly installed.
Brave Version (check About Brave):
Version 1.71.118 Chromium: 130.0.6723.70 (Official Build) (64-bit)
Additional Information:
I believe the indicator is incorrect, but I might be wrong. If I am wrong, this is still a bug that should be fixed: As you see in the screenshot, “Certificate is valid” and the text above that provides no indication of why the “not secure” message is being displayed. The code that produces the message “You should not enter… attackers.” should access the logic that sets the flag to include “Not secure” in order to get some text explaining WHY the flag is set. I assume it would usually be “invalid certificate”, but if there are other possible reasons, the user should get to know which one it is.
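The reproduction steps above rely on a second browser to confirm that the renewed certificate is really being served. As an added example (not part of the original post), the same confirmation can be made with no browser cache involved: the Python sketch below validates the served chain and hostname and classifies the validity window. The function names and the two sample certificates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def validity_window(cert):
    """(notBefore, notAfter) as aware UTC datetimes from a getpeercert() dict."""
    def to_dt(text):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)
    return to_dt(cert["notBefore"]), to_dt(cert["notAfter"])

def classify(cert, now=None):
    """Classify a certificate's validity window relative to `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = validity_window(cert)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"

def check_host(host, port=443, timeout=5.0):
    """Fetch and verify the live certificate, bypassing any browser state.

    The default context verifies the chain and the hostname, so an expired
    certificate is rejected during the handshake and reported as such.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return "rejected: " + exc.verify_message

# Constructed sample data in the shape getpeercert() returns (not from the post).
EXPIRED = {"notBefore": "Jul 28 00:00:00 2024 GMT", "notAfter": "Oct 26 00:00:00 2024 GMT"}
RENEWED = {"notBefore": "Oct 26 12:00:00 2024 GMT", "notAfter": "Jan 24 12:00:00 2025 GMT"}
SAMPLE_NOW = datetime(2024, 10, 27, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("old certificate:", classify(EXPIRED, SAMPLE_NOW))
    print("new certificate:", classify(RENEWED, SAMPLE_NOW))
```

If `check_host` returns "valid" for the site while the browser still shows the warning, the stale state is on the browser side rather than on the server.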
Just FYI, I just went to that website and I’m not seeing that error in Brave for it… doesn’t really help you much but just thought I’d share that with you, I’m not an expert but just thought I’d say something and that I checked myself and didn’t get it…
Maybe try going here: brave://settings/security
and clicking on the very bottom option that says “Manage certificates” (Manage HTTPS/SSL certificates and settings) and see if that leads you to find anything… maybe there is just a corrupt certificate you could remove and then that way the new one would come in and refresh it? … I’m on macOS and it led me to the Passwords app so it didn’t work for me, and I’m not on my Windows PC to try right now but maybe that’ll help you
Windows 11. Since other browsers show that the cert is valid, and Brave itself shows that the cert is valid, I have no suspicion that there’s anything wrong with it. The image I included is self-contradictory and I figured the devs would want to address that.
It could very well be that Brave is relying on Windows 11 to validate the certificate, and Windows is not properly updating its own cache, but Brave still shows both “Not Secure” and “Certificate is Valid”.
@dscotese as other person mentioned, no such thing appearing here. Perhaps you need to clear the site data for that site, assuming that it’s pulling from cache of your prior visit. Have you tried in a private window or anything?
I had some thought and decided to check with ChatGPT. I think it’s going with what I was mentioning earlier. Figured I’d paste it in to see what you think.
From the screenshot and description in the post, it looks like the issue might be related to caching or how Brave is handling the expired certificate state after the renewal. Here’s what could be happening:
1. Browser Cache: After the SSL certificate expires, Brave might cache the fact that the site was previously insecure. Once the certificate is renewed, the browser may still be holding onto this information in its cache, leading to the persistent “Not Secure” warning despite the valid certificate. A hard refresh (Ctrl + F5) or clearing the browser cache might resolve the issue.
2. HSTS (HTTP Strict Transport Security): If the site was flagged as non-secure before the SSL certificate renewal, Brave might have cached the site’s state using HSTS. Even though the certificate is valid now, the browser could still remember the insecure state.
3. SSL State Cache: Browsers like Brave store SSL certificates in a separate cache (sometimes called the SSL state). Even after renewing a certificate, if this cache isn’t refreshed, the browser might still show the old security state. Flushing the SSL state can fix this issue.
Steps to Resolve:
1. Hard Refresh: Try refreshing the page with Ctrl + F5 to force the browser to reload the page without using the cache.
2. Clear Cache: Go to the browser settings and clear the cache, particularly for the affected site.
3. Clear SSL State: If clearing the cache doesn’t work, try clearing the SSL state from the browser settings.
4. HSTS Preload: If the site is using HSTS, you might need to wait for Brave to refresh the HSTS status or manually clear it via the browser’s settings.
Yes, ChatGPT’s options 1 and 3 reflect my theory too, that some sort of cache, either in Brave or in Windows 11, is responsible for the self-contradictory image. Since I used other browsers and A) they would also rely on Windows 11 and B) they did not exhibit the same problem, I conclude that it is not Windows 11, but Brave itself. The mystery is why it says the certificate is valid but also reports the site is not secure. That suggests to me that there is a disconnect between the code that checks the certificate (asks Windows 11 to validate it, I suppose) and the record from the cache that says the site is not secure. As ChatGPT suggested, I tried the “hard refresh” (CTRL-F5) but the situation persisted.
I’m not interested in getting rid of the evidence of a problem since there really isn’t any problem. I prefer to keep the evidence and the browser’s state in case any dev would like me to collect more information about it to see if there’s an easy fix that will avoid confusing users who don’t understand what’s happening when they renew their SSL certificate and the issue seems to persist.
Agreed. I’ll tag in @Mattches to see if he might have any ideas later. Keep in mind with it being Saturday night, most likely won’t be hearing from him until sometime during the week. Support is rarely ever active on weekends, as they typically have weekends and American holidays off.