NET::ERR_CERT_AUTHORITY_INVALID critical

The browser doesn't trust who issued the certificate — usually a missing intermediate cert or a self-signed one, not an expired one.

What you see

Your connection is not private
NET::ERR_CERT_AUTHORITY_INVALID
Attackers might be trying to steal your information from example.com (for example, passwords, messages, or credit cards).

What’s actually happening

Full-page red warning, every visitor blocked. To validate a certificate the browser walks the chain from your cert up to a root it already trusts. Here it hit a link it can't verify. The dates are fine; the issuer is the problem. The cruel part: it often works on your machine and fails for everyone else, because your browser cached the intermediate from another site and visitors' browsers didn't.

Common causes

  • The certificate is self-signed (default snakeoil cert, a dev cert, or a homegrown CA) and no public root vouches for it
  • The intermediate (chain) certificate wasn't installed — the server sends only the leaf, so browsers can't connect it to a trusted root
  • The CA's intermediate is new and not yet in older clients' trust stores
  • The cert was issued by a private/internal CA whose root isn't installed on the visitor's device
  • A proxy or antivirus is intercepting TLS and presenting its own untrusted cert

How to fix it

  1. Confirm it's a chain problem, not a fake cert. Run openssl s_client -connect example.com:443 -showcerts and read what the server actually sends. One certificate back = missing intermediate. "self signed certificate" in the output = a real self-signed cert. SSL Labs (ssllabs.com/ssltest) says it plainly: "Chain issues: Incomplete."
  2. Install the full chain, not just the leaf. Point the server at the fullchain file, not the bare certificate. Let's Encrypt: use fullchain.pem (Nginx ssl_certificate) — that file is already leaf + intermediate. Paid CAs ship a CA-bundle/intermediate file; concatenate leaf then intermediate(s) into one PEM, or set Apache's SSLCertificateChainFile. Reload the server afterwards.
  3. Reload the web server. The new chain isn't served until the process reloads: systemctl reload nginx (or apache2). Re-test with openssl or SSL Labs and confirm the chain is now complete and reaches a trusted root.
  4. For internal/self-signed certs, switch to a public CA. If this is a public site on a self-signed or private-CA cert, there's no fixing trust for the public; issue a free cert from Let's Encrypt or your host instead. Self-signed only belongs on internal tools where you can install the root on every client.
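The check in step 1 can be automated so it runs after every renewal rather than trusting your own browser. The script below is an added example, not part of this page: it parses saved `openssl s_client -showcerts` output (the numbered s:/i: subject/issuer pairs and the "Verify return code" line, as current OpenSSL prints them) and tells the three failures apart. The two sample outputs are constructed, not captured from a real host.

```python
import re

# `openssl s_client -showcerts` lists what the server sent as numbered
# s:/i: (subject/issuer) pairs under "Certificate chain"; parse those.
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_CODE = re.compile(r"Verify return code: (\d+)")


def diagnose(output: str) -> dict:
    """Classify saved s_client output: complete, missing-intermediate, self-signed or broken-chain."""
    chain = [{"subject": s.strip(), "issuer": i.strip()}
             for _, s, i in CHAIN_ENTRY.findall(output)]
    code = VERIFY_CODE.search(output)
    result = {"sent": len(chain), "verify_code": int(code.group(1)) if code else None}
    if not chain:
        result["diagnosis"] = "no-certificate"
    elif chain[0]["subject"] == chain[0]["issuer"]:
        # Leaf vouches for itself: only a public-CA cert fixes this for public visitors
        result["diagnosis"] = "self-signed"
    elif any(a["issuer"] != b["subject"] for a, b in zip(chain, chain[1:])):
        # A cert is not issued by the next one sent: wrong bundle or wrong concatenation order
        result["diagnosis"] = "broken-chain"
    elif len(chain) == 1:
        # Only the leaf was sent; visitors without a cached intermediate cannot build the path
        result["diagnosis"] = "missing-intermediate"
    else:
        result["diagnosis"] = "complete"  # each cert links to the next one sent
    return result


# Constructed sample: only the leaf was served (the fix-it-with-fullchain.pem case).
MISSING_INTERMEDIATE = """\
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample: leaf plus intermediate, as served after switching to fullchain.pem.
FULL_CHAIN = """\
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for sample in (MISSING_INTERMEDIATE, FULL_CHAIN):
        print(diagnose(sample))
```

"complete" here means the certificates the server sent link to each other; whether the last issuer is in a visitor's trust store is still the external checker's call.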

Stop it recurring

Always deploy the fullchain (leaf + intermediates) and verify with an external SSL checker after issuing or renewing — never trust your own browser, which may have cached the intermediate.
