Skip to content

NET::ERR_CERT_AUTHORITY_INVALID Error: Causes and Solution

TL;DR:

NET::ERR_CERT_AUTHORITY_INVALID means Chrome/Edge does not trust the site's SSL certificate — the certificate chain does not lead to a trusted root CA. 90% of cases are caused by a self-signed certificate, expired root CA, or incomplete chain. Fix: install a certificate from a public CA (Let's Encrypt, DigiCert) and configure the full chain on your server.

This error blocks access to your site and scares visitors away. In 90% of cases the problem is server-side — misconfigured SSL certificate. We cover all causes and give a step-by-step fix.

Check your site's SSL →

What does NET::ERR_CERT_AUTHORITY_INVALID mean

When a browser opens an HTTPS site, it validates the SSL certificate chain: site cert → intermediate CA → root CA. If any link is untrusted or missing, Chrome shows NET::ERR_CERT_AUTHORITY_INVALID.

This doesn't mean the site is hacked. Most commonly the cause is server administration:

  • Self-signed certificate (not issued by a public CA)
  • Root CA not installed in the OS
  • Incomplete certificate chain on server (missing intermediate CA)
  • Expired root CA (rare, happens with legacy certificates)
  • Certificate from an untrusted CA (example: COMODO, no longer in chrome root store)

How to fix (step-by-step)

  1. Check your SSL certificate online — use the Enterno.io SSL checker. Enter your domain to see the full chain, issuer and any issues.
  2. If the certificate is self-signed — replace with Let's Encrypt (free) or a commercial CA.
  3. If the chain is incomplete — add the intermediate CA to your bundle. For nginx: ssl_certificate /path/to/fullchain.pem; (not just cert.pem).
  4. Check Root CA in browser — Chrome uses its own trust store, not the system one. Update Chrome.
  5. Clear browser SSL cache — Chrome: chrome://net-internals/#ssl → Flush sockets.

Check SSL certificate →

TL;DR: Fixing NET::ERR_CERT_AUTHORITY_INVALID

The NET::ERR_CERT_AUTHORITY_INVALID error occurs when a browser cannot verify the SSL certificate's authority. To fix this, ensure your SSL certificate is issued by a trusted Certificate Authority (CA), correctly installed, and configured. Check your server settings and consider using tools like openssl s_client -connect yourdomain.com:443 to diagnose the certificate chain.

Understanding NET::ERR_CERT_AUTHORITY_INVALID

The NET::ERR_CERT_AUTHORITY_INVALID error indicates that the SSL certificate presented by your website is not trusted by the browser. This can occur for various reasons, including self-signed certificates, expired certificates, or certificates issued by an unrecognized authority. Understanding the underlying causes is crucial for effectively resolving this issue.

Common Causes of the Error

  • Self-Signed Certificates: Certificates that are generated and signed by yourself rather than a trusted CA.
  • Expired Certificates: SSL certificates have a validity period, typically ranging from 90 days to 2 years. Once this period expires, the certificate becomes invalid.
  • Unrecognized Certificate Authorities: If the SSL certificate is issued by a CA that is not included in the browser's trusted root certificate store, the browser will flag it as invalid.
  • Misconfigured SSL/TLS Settings: Incorrect server configuration can lead to improper certificate installation, resulting in trust issues.

Step-by-Step Fix for NET::ERR_CERT_AUTHORITY_INVALID

To resolve the NET::ERR_CERT_AUTHORITY_INVALID error, follow these steps:

  1. Verify the SSL Certificate: Use the following command to check the SSL certificate details:
openssl s_client -connect yourdomain.com:443 -showcerts

This command will display the certificate chain. Ensure that the certificate is issued by a trusted CA and that the entire chain is correctly presented.

  1. Check Certificate Expiry: Ensure that your SSL certificate is still valid. You can verify the expiration date in the output from the previous command or use an online SSL checker.
  2. Update the Certificate: If your certificate is expired, you need to renew it through your CA. Follow their specific instructions to generate a Certificate Signing Request (CSR) and obtain a new certificate.
  3. Install the Certificate Properly: Ensure the SSL certificate is installed correctly on your server. If you are using Apache, your configuration might look like this:
SSLEngine on
SSLCertificateFile /path/to/your_certificate.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/ca_bundle.crt

Make sure to restart your web server after making changes.

  1. Check CA Trust: If you are using a less common CA, ensure that it is included in the trusted root authorities of the browser. You can check the list of trusted CAs in your browser settings or through the operating system’s certificate management tool.
  2. Clear Browser Cache: Sometimes, cached data can lead to persistent errors. Clear your browser's cache and cookies to ensure that you are loading the most recent version of the site.
  3. Consider Using Let’s Encrypt: If you need a free and trusted SSL certificate, consider using Let’s Encrypt, which is recognized by all major browsers. Their certificates are valid for 90 days but can be auto-renewed.

Testing After Fixing

After implementing the above steps, retest your website using the openssl command or online SSL testing tools like SSL Labs. Confirm that there are no warnings or errors regarding the certificate status.

Best Practices for SSL Management

  • Regularly Monitor SSL Certificates: Use tools or scripts to check for certificate expiration dates and ensure timely renewals.
  • Implement HTTP Strict Transport Security (HSTS): This helps enforce secure connections to your server.
  • Educate Users: Inform users about potential warnings they might encounter due to certificate issues and guide them on how to report these problems.
CertificateExpiry, issuer, domains (SAN)
ChainIntermediate and root CA validation
TLS ProtocolTLS version and cipher suite
VulnerabilitiesHeartbleed, POODLE, weak ciphers

Why teams trust us

TLS 1.3
supported
Full
CA chain check
<2s
result
30/14/7
days-to-expiry alerts

How it works

1

Enter domain

2

TLS chain verified

3

Expiry date & vulnerabilities

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

DevOps

SSL certificate monitoring

Security

TLS config audit

SEO

HTTPS as ranking factor

E-commerce

customer trust

Common Mistakes

Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

Best Practices

Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

Get more with a free account

SSL certificate monitoring, check history and alerts 30 days before expiry.

Sign up free

Learn more

Sources

Frequently Asked Questions

Is it safe to bypass NET::ERR_CERT_AUTHORITY_INVALID?

No. Chrome shows this error because it cannot verify site authenticity. Bypassing (chrome://flags or "thisisunsafe") makes your connection vulnerable to man-in-the-middle attacks. Only safe for your own dev servers.

Why does the error show only in Chrome but Firefox works?

Chrome and Firefox use different trust stores. Chrome uses its own root CA list (chrome-root-store), Firefox uses Mozilla's CA list. If your CA is in Mozilla but not Chrome, the error appears only in Chrome.

Can I fix this client-side?

If only one site shows the error — fix server-side. If all HTTPS sites error out — check system clock, update Chrome, check corporate proxy (may be inspecting certificates).

How can I check SSL chain online?

Use the <a href="/en/ssl">Enterno.io SSL/TLS checker</a> — enter domain, get full certificate chain, expiry, issuer and warnings. Free, no signup.

Is Let's Encrypt free — will it be trusted?

Yes. Let's Encrypt is included in all major trust stores (Chrome, Firefox, Safari, Edge). Certificates valid for 90 days with automatic renewal via certbot.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.