## Quick Fixes
This error is your browser's way of saying it cannot trace the certificate the site presented back to a Certificate Authority (CA) it trusts. You can usually fix it by following these steps:
- Production Sites: Replace self-signed certificates with one issued by a publicly trusted CA, for example a free certificate from Let's Encrypt.
- Local Development: Use mkcert to generate certificates from a local CA that your machine actually trusts.
- End Users: Check that your system clock is accurate (within a few minutes of real time). A wrong date makes perfectly valid certificates look expired or not yet valid.
## Why This Error Happens
When you load a site over HTTPS, the server hands over a certificate to prove its identity. Your browser then tries to build a chain from that certificate to one of the roots in its trust store, the list of Certificate Authorities (CAs) it is willing to believe, such as DigiCert or Sectigo (Chrome now ships its own root store; Edge uses the Windows certificate store, and Firefox maintains its own). If no such chain can be built, because the issuing CA is unknown or the link to it is missing, Chrome and Edge block the connection with the NET::ERR_CERT_AUTHORITY_INVALID warning.
Here is what usually triggers the red screen:
- Self-signed certificates: You created your own certificate rather than getting one from a trusted CA.
- Broken certificate chains: The server sends only the leaf certificate and omits the intermediate CA certificate that links it to a root the browser trusts. Browsers ship with roots, not intermediates, so the server has to supply that link.
- Legacy operating systems: Devices that no longer receive updates, such as Windows 7 without its later root updates or Android versions older than 7.1.1, may lack newer roots such as ISRG Root X1, the root behind Let's Encrypt certificates.
## Fix 1: Move to Let's Encrypt for Production
Public-facing websites should never use self-signed certificates. They train visitors to click through security warnings, and browsers and search engines penalise them. Instead, use Certbot to install a free, automated certificate from Let's Encrypt. The process takes a few minutes.
On an Ubuntu server running Nginx, use these commands:
```bash
sudo apt update
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
```
Certbot automatically modifies your Nginx configuration so that it serves the full certificate chain (your certificate followed by the Let's Encrypt intermediate), ensuring browsers can verify the path back to the Root CA. Let's Encrypt certificates are valid for 90 days; the Certbot packages install a systemd timer or cron job that renews them automatically, so check that it is active rather than planning to renew by hand.
## Fix 2: Professional Local Development with mkcert
Many developers ignore certificate errors on localhost by clicking "Advanced -> Proceed." This is a bad habit: it hides real configuration bugs, and it trains you to click through the same warning in production. A plain OpenSSL self-signed certificate is untrusted by default because nothing in your trust store vouches for it. To fix this properly, use mkcert, which creates a local CA, adds it to your system and browser trust stores, and issues certificates from it.
First, install the tool. On macOS using Homebrew:
```bash
brew install mkcert
brew install nss # Required if you use Firefox
```
Next, set up the local CA on your machine:
```bash
mkcert -install
```
Finally, generate a certificate for your project:
```bash
mkcert localhost dev.local 127.0.0.1
```
This generates two files: localhost+2.pem (the certificate, named after the first host plus the number of additional names) and localhost+2-key.pem (its private key). Configure your local web server to use them, and your browser will show a normal padlock for local testing. One caveat from the mkcert documentation: the rootCA-key.pem file it creates (its location is printed by mkcert -CAROOT) can sign a certificate for any site your machine will then trust, so keep it private and never share or commit it.
## Fix 3: Repairing the Intermediate Certificate Chain
A common mistake is configuring only the "leaf" certificate on the server. Some clients recover on their own, by fetching the intermediate from the URL in the certificate's Authority Information Access extension or by using a cached or preloaded copy (Chrome and Firefox do this to varying degrees), but many others, including most mobile apps and command-line tools, simply fail. Do not rely on that behaviour: send the full chain.
If you use Nginx, check your ssl_certificate path. It must point to fullchain.pem, not cert.pem. The full chain file contains your certificate followed by the CA's intermediate certificate(s); the root itself is not needed, because the client already has it.
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # Use fullchain.pem, not cert.pem
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
```
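The three situations described above (a correct chain, a server that omits its intermediate, and a self-signed leaf) can be reproduced locally without touching a real server. The following script is an added example, not code from the original article or from any of the tools it mentions. It assumes the openssl CLI (1.1.1 or newer, with its default openssl.cnf) is on PATH; every subject name, file name and the example.test hostname are invented for the demonstration. It builds a throwaway root, intermediate and leaf, then runs `openssl verify` as a client that trusts only the root and receives whatever the "server" sends.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): rebuild a full chain, a
# missing-intermediate chain and a self-signed leaf with throwaway certificates,
# then check each one the way a client would. Assumes the openssl CLI (1.1.1+)
# with its default openssl.cnf; all names and files below are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# EC keys are fast to generate; the key type is irrelevant to chain building.
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# 1. Root CA: stands in for an entry in the client's trust store.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl req -new $KEYOPTS -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext -out root.pem 2>/dev/null

# 2. Intermediate CA signed by the root (the role Let's Encrypt's intermediates
#    play under ISRG Root X1). Clients are NOT shipped with this; servers must send it.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl req -new $KEYOPTS -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile int.ext -out int.pem 2>/dev/null

# 3. Leaf certificate for the made-up site, signed by the intermediate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl req -new $KEYOPTS -subj "/CN=example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# 4. A self-signed certificate for the same name, as plain OpenSSL would produce.
openssl req -new $KEYOPTS -subj "/CN=example.test" -keyout self.key -out self.csr 2>/dev/null
openssl x509 -req -in self.csr -signkey self.key -days 30 -extfile leaf.ext -out self.pem 2>/dev/null

# What a correctly configured server sends: leaf first, then the intermediate(s).
# This is the same layout as certbot's fullchain.pem.
cat leaf.pem int.pem > fullchain.pem

# verify_result TRUSTED SENT LEAF
# Emulates a client that trusts only the certificates in TRUSTED and receives the
# SENT bundle from the server. Prints the OpenSSL verify error number (0 = OK).
verify_result() {
  local trusted="$1" sent="$2" leaf="$3" out
  if out="$(openssl verify -CAfile "$trusted" -untrusted "$sent" "$leaf" 2>&1)"; then
    echo 0
  else
    # Failure output contains e.g. "error 20 at 0 depth lookup: unable to get local issuer certificate"
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
  fi
}

# Map the verify codes that matter for this error to the fix they point at.
# Chrome reports both 18 and 20 as NET::ERR_CERT_AUTHORITY_INVALID.
explain_code() {
  case "$1" in
    0)  echo "OK: chain verifies against the trust store" ;;
    18) echo "self-signed leaf: get a CA-issued cert (Fix 1) or trust a local CA (Fix 2)" ;;
    20) echo "issuer not found: server omits the intermediate (Fix 3) or client lacks the root (Fix 4)" ;;
    10) echo "certificate expired: renew it, or fix the client clock" ;;
    *)  echo "verify error $1: see the verify(1) man page" ;;
  esac
}

# Run the three scenarios: correct chain, leaf only, self-signed leaf.
for sent in fullchain.pem leaf.pem self.pem; do
  case "$sent" in self.pem) leaf=self.pem ;; *) leaf=leaf.pem ;; esac
  code="$(verify_result root.pem "$sent" "$leaf")"
  printf '%-14s -> %s (%s)\n' "$sent" "$code" "$(explain_code "$code")"
done
```

Only the first scenario verifies; the leaf-only bundle fails with code 20 (unable to get local issuer certificate) because the client cannot find an issuer for the leaf anywhere, and the self-signed certificate fails with code 18. Replace `root.pem` with your system CA bundle and the sent bundle with the output of `openssl s_client -showcerts` to run the same check against a real server.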
## Fix 4: Updating Outdated Client Trust Stores
Sometimes the server is perfect, but the visitor's computer is out of date. A famous example is the September 2021 expiration of IdenTrust's DST Root CA X3, which Let's Encrypt had chained to for compatibility with older devices. Clients that did not have the replacement root, ISRG Root X1, in their trust store suddenly saw CERT_AUTHORITY_INVALID errors.
- **Windows Users:** Run Windows Update. Supported versions of Windows refresh their trusted root list automatically; a machine that has not been patched may be missing newer roots.
- **Linux Users:** Reinstall the CA certificate package to ensure you have the latest bundle, then rebuild the system store:
```bash
sudo apt-get install --reinstall ca-certificates
sudo update-ca-certificates
```
- **macOS Users:** If you must trust a specific custom certificate, such as the root of a CA you operate, drag the `.crt` file into **Keychain Access**. Double-click it and change the trust settings to **Always Trust**. Only do this for a CA you control: trusting an arbitrary site's certificate just to silence the warning defeats the check the warning exists to perform.
## How to Verify the Fix
Avoid testing only in your primary browser, as cached intermediates and previously accepted exceptions can be misleading. Use the command line for a definitive answer.
**Test with OpenSSL:**
```bash
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null
```
Read the `Verify return code` line near the end of the output (OpenSSL 1.1.1 and later also print `Verification: OK` on success). You want `0 (ok)`. A server that sends only the leaf ends with `21 (unable to verify the first certificate)`, preceded by a `verify error:num=20:unable to get local issuer certificate` line; a self-signed leaf gives `18 (self-signed certificate)`. The `-servername` flag sends the hostname in the handshake (SNI), so a server hosting several sites returns the certificate for this one rather than a default, and `</dev/null` closes the session so the command exits instead of waiting for input. Note that s_client verifies against OpenSSL's own CA bundle, not your browser's trust store.
**Test with Curl:**
```bash
curl -vI https://yourdomain.com
```
If the handshake completes without a certificate error, curl has verified the chain your server sends against its CA bundle. That bundle is not the same trust store your browser uses, so finish by loading the site in a browser on a device other than your own, with no exception stored for it.
## Further Reading
- [The 2021 Root CA Expiration Explained](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/)
- [mkcert Documentation on GitHub](https://github.com/FiloSottile/mkcert)
- [Official Nginx HTTPS Guide](https://nginx.org/en/docs/http/configuring_https_servers.html)

