Zscaler RootCA installed but not recognised correctly by chrome

Hi,
we have seen lots of issues lately where Chrome (Version 98.0.4758.102 (Official Build) (64-bit)) sometimes indicates that the Zscaler Root CA is not installed, “NET:ERR_CERT_AUTHORITY_INVALID”, despite the fact that the Certificate is installed. The error is only on some https sites. It also disappears and re-appears randomly.
If we check the certificate path, everything is OK and the RootCA cert is present:

We are quite clueless what causes this issue.

Has anyone seen this?
BTW: The current example is with yandex… but yesterday it was with software.cisco.com - so most likely not an issue caused by the current “situation”.

Thank you & best regards
Andreas

I would go into certificate management and verify the root cert was installed correctly. It should be in Trusted Root Certification - Certificates.

Hi,

thank you, I have asked them to check, also if it is “physical” or “registry”. However, I think it must be installed, since we see the “injected” block pages and it is also not a permanent issue.

Best regards
Andreas

No registry key that I remember. Is this on a Mac or Windows? I know Macs had a problem with getting the root certificate installed and we had to install it manually.

Hi,
It is a Windows 10 - most likely. The certificate was installed via GPO.
Currently we use browser + pac and no Zscaler Client Connector.

Best regards
Andreas

Gotcha, sounds like the root cert didn’t get installed properly! Let me know if you are able to find out if it is there or not.

Hi,
in the meantime, the issue no longer occurs.

Two things may have an influence on that:
Whitelisting httpX://gateway.zscloud.net/zscaler-zscrl—4.crl on local firewall.
Reason: Chrome uses the system cert store. We see firewall blocks for this URL from MS crypto API, which most likely does not use winINET but WinHTTP proxy settings. We assume that failing to obtain the CRL may trigger Chrome to mark the Certificate as invalid. (BTW: Traffic forwarding is PAC via IPSec)

New Version of chrome was rolled out.

There is no evidence that either one or both steps actually caused the solution.

Best regards
Andreas

1 Like
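The two theories in this thread (root not installed vs. CRL retrieval blocked for the Windows crypto API) can be separated on an affected machine with the following check. It is an added example, not code from any poster or from Zscaler; the parameter names and the `*Zscaler*` subject filter are assumptions, and the certificate files are ones you export yourself from the browser's certificate viewer.

```powershell
# Added diagnostic sketch (not from the thread). Parameter names and the
# '*Zscaler*' subject filter are assumptions; adjust them to your deployment.
param(
    # Certificates exported from the browser's certificate viewer on an
    # affected machine: leaf first, then any intermediates.
    [Parameter(Mandatory)][string[]]$CertPath,
    [string]$RootSubjectMatch = '*Zscaler*'
)

# 1. Is the inspection root visible in the machine store?
#    (Roots deployed by GPO show up in this logical store as well.)
$roots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $RootSubjectMatch }
if (-not $roots) { Write-Warning "No root matching $RootSubjectMatch in LocalMachine\Root" }
$roots | Format-List Subject, Thumbprint, NotAfter

# 2. Which proxy does WinHTTP use? A browser PAC setting is not reflected here.
netsh winhttp show proxy

# 3. Build the chain with online revocation checking and report per-element status.
$certs = @($CertPath | ForEach-Object {
    $p = (Resolve-Path $_).Path
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $p
})
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$certs | Select-Object -Skip 1 |
    ForEach-Object { [void]$chain.ChainPolicy.ExtraStore.Add($_) }
$trusted = $chain.Build($certs[0])

foreach ($el in $chain.ChainElements) {
    $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    '{0} -> {1}' -f $el.Certificate.Subject, $flags
}
"Chain trusted with online revocation: $trusted"

# 4. Show each CRL/OCSP URL the crypto API tries and whether retrieval succeeded.
$leafPath = (Resolve-Path $CertPath[0]).Path
certutil -verify -urlfetch $leafPath
```

`UntrustedRoot` or `PartialChain` in step 3 points at the root installation; `RevocationStatusUnknown` or `OfflineRevocation` with the root present means the revocation data could not be retrieved, which matches the firewall blocks described above.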