4
votes

We have a number of sites hosted on a Google Cloud server.

We have added a renewed SSL certificate to the server recently; all our sites loaded the new certificate afterward, except the one that has a service worker set up. It seems like that site is still loading the old certificate (which is still valid at the moment; it expires tomorrow).

It looks like it is related to the cache: after clearing the browser cache, the new certificate is also loaded for this site.

Would it be an issue for the client when the certificate does expire? When the browsers (Chrome, Firefox, etc.) find the expired certificate in the cache, will they check the server for the new certificate automatically, or will they show an SSL warning page (like https://expired.badssl.com/)?

Is there a way that we could ensure that the client/browsers will load the renewed certificate from the server?

1
I'm not sure why guilermo's answer got accepted. He did say that Chrome won't download new certs until the cache is busted, but he didn't provide an answer to the main question: "How to make sure that the cache is busted when the cert expires?" @Jee Mok, did you figure out a way? - Dmitry Efimenko
@Dmitry I didn't figure out a way to force the cache to reload manually or by scripting; however, based on the Chrome developers' reply on the forum that Google Chrome doesn't re-verify SSL on disk, these are the test cases (next comment). - Jee Mok
"- If someone loads your site and they've not contacted it before, they will see your new certificate.
- If someone loads your site entirely from the disk cache, they will see your old certificate, as that was the certificate used for the cached resource, the same as they'd see the headers used from the disk cache.
- If someone loads your site, and it has to make a network request to revalidate the resource as cached on disk, then they will see the new certificate." - Jee Mok
@Dmitry so it should work fine if the SSL has expired on the service worker: it ~should~ make a network request to revalidate the resource and get the new SSL. That's why I accepted the answer, unless someone has a way to control it manually. - Jee Mok

1 Answer

5
votes

Google Chrome doesn't re-verify certificates on disk; it does this so as not to break Chrome's offline feature. Whenever Chrome updates the cache, it will get the new certificate; until that happens, there should be no worries about the validation of the old certificate.

You can refer to this thread on the Chromium forum.
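As an added example (not code from the question, the answer, or the Chromium thread), here is a network-first service-worker fetch strategy that matches the third case the Chrome developers describe: the request always goes to the server first, so the browser does a fresh TLS handshake and shows the current certificate, and the cached copy is served only when the network is unavailable. The injected `cacheStore`/`fetchFn` parameters and the cache name `pages-v1` are assumptions made so the logic can run outside a browser.

```javascript
// Added example, not code from the question or the answer: a network-first
// fetch strategy for a service worker. Because every request goes to the
// server first, the browser performs a fresh TLS handshake and shows the
// server's current certificate; the cached copy is served only when the
// network request fails (offline). `cacheStore` and `fetchFn` are injected
// (an assumption made here) so the logic can run outside a browser.
async function networkFirst(request, cacheStore, fetchFn) {
  try {
    const response = await fetchFn(request);
    if (response.ok) {
      // Refresh the cached copy with what the server just sent.
      await cacheStore.put(request, response.clone());
    }
    return response;
  } catch (err) {
    // Network unavailable: fall back to the cached copy, if there is one.
    const cached = await cacheStore.match(request);
    if (cached) return cached;
    throw err;
  }
}
// Wiring inside a real service worker (hypothetical cache name 'pages-v1'):
//   self.addEventListener('fetch', (event) => {
//     event.respondWith(
//       caches.open('pages-v1').then((c) => networkFirst(event.request, c, fetch))
//     );
//   });

// Constructed stand-ins for the Cache API and fetch, so the example runs
// under Node without a browser.
function makeFakeCache() {
  const store = new Map();
  return {
    async put(req, res) { store.set(req, res); },
    async match(req) { return store.get(req); },
  };
}
function makeResponse(body) {
  return { ok: true, body, clone() { return makeResponse(body); } };
}
// Same request, first with the network reachable, then with it down,
// then an uncached request while offline (the only case that fails).
async function demo() {
  const cache = makeFakeCache();
  const req = '/index.html';
  const online = await networkFirst(req, cache, async () => makeResponse('fresh-from-server'));
  const offline = await networkFirst(req, cache, async () => { throw new Error('offline'); });
  const miss = await networkFirst('/never-cached', cache, async () => { throw new Error('offline'); }).catch((e) => e.message);
  return { online: online.body, offline: offline.body, miss };
}
```

Note that this does not change what Chrome does with a response it has already cached; it only ensures the worker itself revalidates against the server whenever it can reach it.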