Skip to content

ERR_CERTIFICATE_TRANSPARENCY_REQUIRED: Fix

Key idea:

NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED — since October 2017 Chrome requires every public SSL cert to be logged in Certificate Transparency (CT). Cert without an SCT (Signed Certificate Timestamp) is rejected. Causes: issued before 2017, commercial CA did not submit to CT log, corporate proxy swapping cert. Fix: reissue via Let's Encrypt/DigiCert (all mainstream CAs write to CT automatically).

Below: causes, fixes, FAQ.

Check your site's SSL →

Common Causes

  • Cert issued by a commercial CA not complying with CT policy (rare in 2026)
  • Corporate MITM proxy swapped the cert — private root without CT
  • Self-signed cert — no SCT by definition
  • Cert expired + renewed from cache without CT
  • Chromium flag CT enforcement enabled for the domain

Step-by-Step Fix

  1. Reissue the cert via Let's Encrypt (SCT embedded automatically)
  2. For commercial CAs confirm SCT embedded: openssl x509 -in cert.pem -text | grep -A1 SCT
  3. If corporate — ask IT to add a CT-compliant root
  4. Check cert in CT log: crt.sh
  5. Temporary workaround (NOT production): chrome://flags/#chrome-root-store-cert-transparency-policy

Check SSL Certificate →

Related SSL Errors

TL;DR: Fixing NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

To resolve the NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error, ensure that your SSL/TLS certificate complies with Certificate Transparency (CT) requirements. This involves using a certificate from a Certificate Authority (CA) that has logged the certificate in public CT logs. Validate your certificate using tools like crt.sh and consider reissuing it if it’s not logged. Additionally, ensure your server is configured to send the appropriate CT information.

Understanding Certificate Transparency Requirements

Certificate Transparency (CT) is a security standard designed to prevent the issuance of fraudulent SSL/TLS certificates. As of 2018, major browsers like Chrome and Firefox enforce CT logs for certificates issued by recognized Certificate Authorities (CAs). This means that when your website's SSL certificate is issued, it must be publicly logged in a CT log to be trusted by browsers. Failing to meet these requirements will result in users encountering the NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error.

To comply with CT, follow these steps:

  • Select a Trusted Certificate Authority: Choose a CA that supports Certificate Transparency. Examples include Let's Encrypt, DigiCert, and GlobalSign.
  • Request Certificate Logging: When applying for an SSL certificate, ensure that your CA includes the necessary CT log entries.
  • Verify CT Logging: Use tools like Certificate Transparency logs to check if your certificate is logged correctly.

By adhering to these requirements, you can avoid the NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error and enhance your website's security.

Practical Steps to Fix NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

To effectively address the NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error, follow these practical steps:

  1. Check Your SSL Certificate: Run the following command to inspect your certificate:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

This command will display your certificate details. Look for the Certificate chain section.

  1. Verify Certificate Logging: Use crt.sh to check if your certificate is logged. Enter your domain name, and ensure that your certificate appears in the search results.
  2. Reissue Your Certificate: If your certificate is not logged, contact your CA to reissue it with the necessary CT log entries. Specify that you require CT compliance.
  3. Configure Your Web Server: Ensure your web server is correctly set up to provide the CT information. For example, if you are using Apache, add the following directives to your configuration file:
SSLUseStapling On
SSLStaplingCache "shmcb:/var/run/ssl_stapling(128000)"

These configurations will help enable OCSP Stapling, which can assist in ensuring your certificate is compliant with CT.

  1. Test Your Configuration: After reissuing and configuring your SSL certificate, test your site using tools like SSL Labs. This will confirm that your SSL certificate is properly set up and logged.
  2. Monitor for Errors: Regularly check your site for SSL errors and ensure that your certificate remains compliant with CT requirements.

By following these practical steps, you can effectively fix the NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error and maintain a secure browsing experience for your users.

CertificateExpiry, issuer, domains (SAN)
ChainIntermediate and root CA validation
TLS ProtocolTLS version and cipher suite
VulnerabilitiesHeartbleed, POODLE, weak ciphers

Why teams trust us

TLS 1.3
supported
Full
CA chain check
<2s
result
30/14/7
days-to-expiry alerts

How it works

1

Enter domain

2

TLS chain verified

3

Expiry date & vulnerabilities

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

DevOps

SSL certificate monitoring

Security

TLS config audit

SEO

HTTPS as ranking factor

E-commerce

customer trust

Common Mistakes

Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

Best Practices

Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

Get more with a free account

SSL certificate monitoring, check history and alerts 30 days before expiry.

Sign up free

Learn more

Sources

Frequently Asked Questions

What is SCT?

Signed Certificate Timestamp — cryptographic proof that the cert was logged in a public CT log (Google Argon, Cloudflare Nimbus, etc). Embedded in the cert extension, presented during TLS handshake, or stapled via OCSP.

Does Let's Encrypt include SCT?

Yes, automatically since 2018. The ISRG Root X1 cert has an SCT in the embedded CT extension.

How to verify SCT?

<a href="/en/ssl">Enterno SSL Checker</a> shows CT compliance in its report. Or <code>openssl x509 -in cert.pem -text | grep -A5 "SCT List"</code>.

Compliance impact?

CT compliance required by Chrome, Safari, Edge (Firefox not yet). Browser share ~85% — without SCT you lose most users.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.