How to resolve ERR_SSL_KEY_USAGE_INCOMPATIBLE when accessing Orchestrator via the Chrome browser?
After upgrading Chrome to release 119.0.6045.160, the error ERR_SSL_KEY_USAGE_INCOMPATIBLE appears when accessing Orchestrator if the environment uses a self-signed certificate.
Starting with this update, Chrome enforces the X.509 key usage extension, which declares how the key in a certificate may be used. Such restrictions ensure a certificate is not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that the server certificate matches the connection's TLS parameters.
Connections that fail this check are rejected with the error ERR_SSL_KEY_USAGE_INCOMPATIBLE. Sites that fail with this error most likely have a misconfigured certificate: modern ECDHE_RSA cipher suites (and TLS 1.3) use the server key to sign, so they require the "digitalSignature" key usage, while legacy RSA key-exchange cipher suites encrypt the pre-master secret to the key and require "keyEncipherment". If unsure, administrators should include both in RSA certificates meant for HTTPS. As the policy name indicates, the setting controls enforcement for certificates that chain to locally installed trust anchors, which is why environments with self-signed certificates hit it. More information is available in the Chrome enterprise policy documentation for RSAKeyUsageForLocalAnchorsEnabled.
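As an added diagnostic that is not part of the original article, the following PowerShell snippet connects to the Orchestrator host, reads the TLS server certificate it presents, and evaluates its Key Usage extension the way described above: it reports whether digitalSignature and keyEncipherment are set and whether an ECDHE_RSA or TLS 1.3 connection would pass the check. The host name orchestrator.example.local and port 443 are placeholders to replace with your own values.

```powershell
# Added example, not from the original KB article. Reads the certificate the
# Orchestrator site presents and checks the X.509 Key Usage bits that Chrome
# enforces. $OrchestratorHost and $Port are placeholders; replace them.
$OrchestratorHost = 'orchestrator.example.local'
$Port = 443

function Get-ServerCertificate {
    param([string]$TargetHost, [int]$TargetPort)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    try {
        # Accept whatever certificate is offered: the goal is to read it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        # Copy the remote certificate into a fresh object so it survives closing the stream.
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Test-KeyUsageForHttps {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ku) {
        # RFC 5280: a missing Key Usage extension places no restriction on the key, so the check passes.
        return [pscustomobject]@{
            Subject            = $Certificate.Subject
            HasKeyUsage        = $false
            DigitalSignature   = $true
            KeyEncipherment    = $true
            PassesEcdheOrTls13 = $true
        }
    }
    $flags = $ku.KeyUsages
    $ds = $flags.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
    $ke = $flags.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
    [pscustomobject]@{
        Subject            = $Certificate.Subject
        HasKeyUsage        = $true
        DigitalSignature   = $ds
        KeyEncipherment    = $ke
        # ECDHE_RSA and TLS 1.3 sign with the server key, so only digitalSignature satisfies them.
        PassesEcdheOrTls13 = $ds
    }
}

$cert = Get-ServerCertificate -TargetHost $OrchestratorHost -TargetPort $Port
$report = Test-KeyUsageForHttps -Certificate $cert
$report | Format-List
if (-not $report.PassesEcdheOrTls13) {
    Write-Warning "Certificate $($cert.Thumbprint) lacks digitalSignature; Chrome will reject it with ERR_SSL_KEY_USAGE_INCOMPATIBLE."
}
```

The same Test-KeyUsageForHttps function also works on a certificate object taken from the local store (for example Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-KeyUsageForHttps $_ }), which is a quick way to confirm a newly created certificate carries digitalSignature before binding it to the Orchestrator site.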
There are a few workarounds:
- Delete the Local State file from the machine (Chrome regenerates it on the next start; browser-wide settings it holds, such as the profile list, are reset):
  - Close the Chrome browser.
  - Go to the directory "C:\users\%username%\AppData\Local\Google\Chrome\User Data".
  - Permanently delete (Shift+Delete) the file "Local State".
  - Start Chrome and try again.
- Clear the SSL state cache: Internet Options > Content > Clear SSL state.
- Uninstall Google Chrome and remove the Google folders from the following locations, then reinstall Chrome:
  C:\Program Files\Google
  C:\Program Files (x86)\Google
  C:\Users\%username%\AppData\Local\Google
  C:\Users\%username%\AppData\Roaming\Google
- Add the DWORD value RSAKeyUsageForLocalAnchorsEnabled=0 under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. This turns the key usage check off for locally trusted anchors instead of fixing the certificate; Chrome documents the policy as a temporary measure that will be removed in a future release, so treat it as a stopgap only.
- Update the Orchestrator certificate with a certificate generated by our self-signed script:
  - Use the script from Requesting an SAN SSL Certificate From the Certificate Authority to create the certificate; it sets the correct key usage (digitalSignature and keyEncipherment).
  - Update the certificate using the procedure described in KB - Changing The SSL Certificate For UiPath Orchestrator Website.
- Creating a self-signed certificate with the digitalSignature key usage (replace the -DnsName values with the host names users type into the browser for Orchestrator; the password is only a sample):
  - Create the certificate. -KeyUsage sets the X.509 Key Usage bits Chrome checks, and -KeyUsageProperty All lets the private key be used for both signing and decryption:
    $cert = New-SelfSignedCertificate -FriendlyName "MyServerSSL" -DnsName www.example.com,example01 -CertStoreLocation "cert:\LocalMachine\My" -KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment -KeyAlgorithm RSA -HashAlgorithm SHA256 -KeyLength 2048 -KeyUsageProperty All -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddYears(5)
  - Define a password (the variable is named $pfxPassword rather than $pwd, because $pwd is PowerShell's automatic current-directory variable):
    $pfxPassword = 'bl@hbl4hBlah'
  - Convert it to a secure string:
    $securePfxPassword = ConvertTo-SecureString -String $pfxPassword -Force -AsPlainText
  - Export the certificate to a PFX file (written to the current directory):
    Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$($cert.Thumbprint)" -FilePath custom_cert.pfx -Password $securePfxPassword