
I’ve been using the Brave browser for some time now, but when setting up the SSL certificate for my Allsky camera (see instructions), the browser was really bitchy. While Chrome and Safari accepted my Let’s Encrypt certificate immediately, Brave continued to display “Broken HTTPS” – even though the server was configured correctly and openssl confirmed a clean TLS chain. And this is how to solve the problem!
*** Note: A friendly reader pointed out to me that sometimes a restart of Brave is sufficient. However, I was unable to verify this. But maybe try it first before following the steps below! ***
I first tested whether the SSL was set up correctly:
curl -I https://access.allsky-rodgau.de
I also made sure that
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
was set up:
sudo nano /etc/apache2/sites-available/indi-allsky.conf
and then added the following:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
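To confirm what the server actually sends after this change, here is an added example (not part of the original post) that parses `curl -sI` output and reports the HSTS directives. The browser stores this policy for max-age seconds (63072000 is two years), which is the per-domain state cleared in step 2 below. The names hsts_audit and sample_headers are made up for this example, and the sample response is constructed.

```sh
# Added example: audit the Strict-Transport-Security header in `curl -sI` output.
# Live use (host taken from the post): curl -sI https://access.allsky-rodgau.de | hsts_audit
hsts_audit() (
  # Body runs in a subshell, so variables stay local and `exit` only ends the function.
  set -f   # no filename globbing while splitting directives
  hdrs=$(tr -d '\r' | grep -i '^strict-transport-security:' || true)
  if [ -z "$hdrs" ]; then echo "missing"; exit 1; fi
  count=$(printf '%s\n' "$hdrs" | wc -l | tr -d ' ')
  # RFC 6797 section 8.1: if several STS headers are sent, only the first is processed.
  value=$(printf '%s\n' "$hdrs" | head -n 1 | cut -d: -f2-)
  max_age="" subs=no preload=no
  # One directive per word, with whitespace and quotes stripped and case folded.
  for d in $(printf '%s' "$value" | tr -d ' \t"' | tr 'A-Z' 'a-z' | tr ';' '\n'); do
    case "$d" in
      max-age=*)         max_age=${d#max-age=} ;;
      includesubdomains) subs=yes ;;
      preload)           preload=yes ;;
    esac
  done
  case "$max_age" in
    ''|*[!0-9]*) echo "invalid max-age"; exit 1 ;;
  esac
  if [ "$max_age" -eq 0 ]; then echo "max-age=0 clears the stored policy"; exit 0; fi
  echo "max-age=$max_age includeSubDomains=$subs preload=$preload headers=$count"
)

# Constructed sample response (not captured from the real server).
sample_headers() {
  printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n\r\n'
}

sample_headers | hsts_audit
```

A "missing" result over HTTPS means Apache is not sending the header at all, which points back at the server configuration, not at the browser profile.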
After some analysis, it was clear that the problem was not with the Raspberry Pi, not with Apache and not with the certificate, but exclusively with the Brave profile. Brave is apparently much stricter than other browsers when it comes to HTTPS and also saves various security settings for each domain, which remain active even after a normal reload or deleting the browser cache.
1. Delete domain entries for the page in Brave
Brave saves its own settings for each domain (e.g. mixed content rules or security ratings). To reset these:
Simply enter the following address in the address bar of the browser:
brave://settings/content/all
Search for your own domain there and delete all entries. Brave will then remove all locally saved security rules. I simply deleted everything – but beware: this will log you out of all websites and delete your history. I do this often anyway, so it’s all good.
2. Delete HSTS cache
Brave keeps a separate, persistent HSTS cache. This is not reset during normal cache deletion.
The cache can be accessed at the following address (simply enter it in the address bar!):
brave://net-internals/#hsts
Enter and remove your own domain under “Delete domain security policies”. This will remove outdated or incorrect HSTS entries that prevent Brave from correctly classifying HTTPS.
3. Reset DNS and socket cache
To ensure that Brave completely reloads all TLS information, the network caches should also be reset.
Delete the DNS cache:
brave://net-internals/#dns → “Clear host cache”
Empty the socket pools:
brave://net-internals/#sockets → “Flush socket pools”
Then close the browser completely and restart it.
That’s it!
The TLS configuration on the Raspberry was correct – Brave had only saved outdated security information. After resetting the domain-related settings, the HSTS cache and the network caches, Brave accepted the certificate just like Safari and Chrome.