Did installing the SSL cert on your email tracking domain resolve the issue and stop the error from occurring? We're experiencing the exact same issue at the moment.
Yes, it did. I've been meaning to write the follow-up conclusion to this post, and now it might be helpful for you all.
The issue began for us when Google Chrome started enforcing HTTPS for any domain connected with the top level HSTS set. In our case, because our top level domain Armor.com has HTTPS, Chrome and several other browsers automatically change any HTTP addresses to HTTPS, so HTTP://marketo.armor.com/XXXXXX became HTTPS://marketo.armor.com/XXXXXX in Chrome, Firefox and others. (Safari is one of the only browsers we tested which does not enforce HTTPS based on top level domain HSTS.)
If you were on the default mkto-XXXXX.com tracking domain, you might never notice the change (as this domain doesn't utilize SSL or HSTS). However, if you use a branded tracking link with a CNAME redirect, and YourDomain.com uses HTTPS, your branded tracking subdomain Example.YourDomain.com will not work in Chrome, Firefox, and most browsers. (It should be noted that there is NO roll-back to the default tracking link.)
The solution is: contact your Marketo rep and tell them you need a secure email tracking server running an SSL certificate and the branded tracking domain you have chosen (example: marketo.armor.com) pointed to your Marketo email tracking link (found in the admin panel and under email).
It will take a few days to spin up the new server and get the SSL cert installed, but it will fix the issue.
One of our frustrations was that first-level Marketo support told me they can't do SSL certs on email tracking servers. As Sanford Whiteman correctly points out above, this IS possible and a common practice for security-minded users. We have SSL on both our landing page server and email server.
Until they can get you the SSL-secured email server up, one option we used was to disable tracking on email links (this bypasses the tracking domain). You will lose tracking on email links, but the links will function. It's not ideal, but it will get you by until the new SSL-secured email tracking server can be up and running.
This was a tricky issue for us to solve, and it took our DevOps team, Marketo Support and some excellent Community feedback to solve it. I hope this will help you get it resolved fast and give you an option in the interim.
Please feel free to reach out to me with any questions and I'll be happy to help or provide further details.
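As an added example (not part of the original post and not Marketo or browser code), the sketch below models the RFC 6797 matching that decides whether a tracking subdomain is forced to HTTPS by a parent domain's HSTS policy. The header values are constructed, the function names are hypothetical, and it assumes the apex policy carries `includeSubDomains`, which the post does not state explicitly.

```python
# Added example: models how a browser applies an HSTS policy (RFC 6797) to a
# branded tracking subdomain. Header values below are constructed samples.

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return None if max-age is missing or invalid."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # other directives (for example preload) are ignored in this sketch
    return policy if policy["max_age"] is not None else None


def forced_https_by(host, known_hosts):
    """Return the HSTS host whose stored policy forces HTTPS for `host`, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name up to the registrable domain (the bare TLD is skipped).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        policy = known_hosts.get(candidate)
        if policy is None or policy["max_age"] == 0:   # max-age=0 clears the policy
            continue
        # An exact match always applies; a parent applies only with includeSubDomains.
        if i == 0 or policy["include_subdomains"]:
            return candidate
    return None


# Constructed: what a browser would have stored after visiting the apex over HTTPS.
KNOWN = {"armor.com": parse_hsts("max-age=31536000; includeSubDomains")}
APEX_ONLY = {"armor.com": parse_hsts("max-age=31536000")}

if __name__ == "__main__":
    for h in ("marketo.armor.com", "armor.com", "mkto-XXXXX.com"):
        print(h, "->", forced_https_by(h, KNOWN))
```

With the subdomain-wide policy, the CNAME'd tracking host is upgraded even though it never sent an HSTS header itself, which is why it needs its own valid certificate.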
Thank you for your very thorough reply! This was extremely helpful for you to document and it validates the issue we've been having the last 4 months. We are actually already in the process of installing our SSL cert on our email tracking domain and already have it installed on our landing pages. It was quite a frustrating process to isolate the issue and even come to terms on a solution to fix it with Marketo Support. There was conflicting information provided from their team on whether the SSL cert would actually work, so hearing this confirmation from you makes me so happy!
As an interim solution, we've disabled the Marketo link tracking in our emails so recipients can access our links with no error messages. The negative impact is we're unable to track click link activity, but it's the best case scenario until the SSL cert is installed.
I'm looking forward to no longer having email recipients reach out letting us know the email links aren't working.
Glad I could be of some help, Jamie.
I can't imagine how frustrated you must be after 4 months! I ran into much of the same conflicting information and leaned heavily on our internal security operation team and the input here on the community to find the solution. Even then, it took some time to solve the issue.
"As an interim solution, we've disabled the Marketo link tracking in our emails so recipients can access our links with no error messages. The negative impact is we're unable to track click link activity but it's the best case scenario until the SSL cert is installed."
We did the same and lost analytics on links for a time, but as you say it was better than sending broken links out.
Let me know when your new server is spun up and all is back up and functioning. We're 3 months into the new server and no issues.
Happy to help!
Of course the other thing you can do is use a built-in cert on a CDN (like Amazon CloudFront) and route your DNS there. Problem solved for pennies.
Spent much of my day today setting clients' LP and click domains to go through CF, since we're dealing with the Chrome 62 change.