err_cert_authority_invalid – LetsEncrypt SSL Certificate – Fix Error – Solution


Seeing NET::ERR_CERT_AUTHORITY_INVALID SSL warnings on your site in Chrome Mobile with a LetsEncrypt certificate? The fix is easy!

Note:
If you’re seeing this problem on a site that isn’t yours and that you don’t control, there’s not much you can do. This is a problem that the administrator of that site needs to solve. Get in touch with them and let them know about the problem if you can. Refer them to this article if you like.

While setting this website up, I noticed that the LetsEncrypt certificate was untrusted by Chrome on my Android phone and tablet. My suspicion is the intermediary certificates necessary to complete the chain of trust up to the root CA are not baked into Chrome Mobile, possibly to keep the built-in CA list small.

The fix was simple – I had not included the chain certificate in Apache’s SSL configuration:

All I had to do was add the chain file into the mix:

Make sure you use chain.pem and not fullchain.pem. The fullchain file contains the certificate already specified by SSLCertificateFile, and some browsers will not be happy with seeing it twice and will raise other warnings.

If you’re using a web server other than Apache, such as Nginx, the problem is likely the same and you need to configure your server to also serve the intermediary certificates.

Nginx does not have a special Chain/Intermediary configuration directive like Apache does. All you need to do is concatenate chain.pem and your certificate:

Now use this file in your ssl_certificate directive:
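The Nginx steps above as an added example (not the original post's commands): a small script that builds the combined file with the server certificate first, which is the order Nginx requires, and refuses a chain file that already contains the server certificate. The names cert.pem and bundle.pem and the script name are assumptions; chain.pem is the file named in this article.

```shell
#!/bin/sh
# Added example: build the combined file for nginx's ssl_certificate directive.
# chain.pem is the article's file; cert.pem and bundle.pem are assumed names.

# Print how many PEM certificates a file contains.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the first PEM certificate block of a file.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }' "$1"
}

# build_bundle LEAF CHAIN OUT: write the server certificate first, then the
# intermediates, which is the order nginx requires.
build_bundle() {
    leaf=$1 chain=$2 out=$3
    if [ ! -r "$leaf" ] || [ ! -r "$chain" ]; then
        echo "error: cannot read $leaf or $chain" >&2
        return 1
    fi
    if [ "$(count_certs "$leaf")" -ne 1 ]; then
        echo "error: $leaf must hold exactly one certificate" >&2
        return 1
    fi
    if [ "$(count_certs "$chain")" -lt 1 ]; then
        echo "error: $chain holds no intermediate certificate" >&2
        return 1
    fi
    # Passing fullchain.pem as the chain would serve the server certificate twice.
    if [ "$(first_cert "$chain")" = "$(first_cert "$leaf")" ]; then
        echo "error: $chain already starts with the server certificate" >&2
        return 1
    fi
    # awk 1 also terminates a final line that lacks a newline, so the PEM
    # markers of the two files never run together.
    for f in "$leaf" "$chain"; do awk 1 "$f"; done > "$out"
}

# Usage: sh build_bundle.sh cert.pem chain.pem bundle.pem
# then in nginx:  ssl_certificate /path/to/bundle.pem;
if [ "$#" -eq 3 ]; then
    build_bundle "$@"
fi
```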

Hope this Helps
