LetsEncrypt net::err_cert_authority_invalid - CA Untrusted on Chrome Mobile
LetsEncrypt net::err_cert_authority_invalid solution
Seeing NET::ERR_CERT_AUTHORITY_INVALID SSL warnings on your site in Chrome Mobile with a LetsEncrypt certificate? The fix is easy!
Note
If you’re seeing this problem on a site that isn’t yours and that you don’t control, there’s not much you can do. This is a problem which the administrator of that site needs to solve. Get in touch with them and let them know about the problem if you can. Refer them to this article if you like.
While setting this website up, I noticed that the LetsEncrypt certificate was untrusted by Chrome on my Android phone and tablet. My suspicion is that the intermediate certificates necessary to complete the chain of trust up to the root CA are not baked into Chrome Mobile, possibly to keep the built-in CA list small.
The fix was simple - I had not included the intermediate chain certificate in Apache’s SSL configuration:
SSLCertificateFile /etc/letsencrypt/live/operationnotpermitted.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/operationnotpermitted.com/privkey.pem
All I had to do was add the chain file into the mix:
SSLCertificateFile /etc/letsencrypt/live/operationnotpermitted.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/operationnotpermitted.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/operationnotpermitted.com/chain.pem
Make sure you use chain.pem and not fullchain.pem with SSLCertificateChainFile. The fullchain file also contains the leaf certificate already specified by SSLCertificateFile, so the server would send that certificate twice, and some browsers will not be happy with seeing it twice and raise other warnings. One caveat for newer Apache releases: from Apache 2.4.8 on, SSLCertificateChainFile is deprecated, and the supported way to serve the intermediates is to point SSLCertificateFile at fullchain.pem (leaf first, then the chain) and drop the SSLCertificateChainFile line altogether; the leaf is then only sent once.
If you’re using a web server other than Apache, such as Nginx, the problem is likely the same: the server has to be configured to send the intermediate certificates along with its own, because the client will not go looking for them.
Nginx does not have a separate chain/intermediate configuration directive like Apache’s SSLCertificateChainFile. Instead the file named by ssl_certificate must contain your own certificate first, followed by the intermediates. With LetsEncrypt this is exactly what certbot already writes as fullchain.pem (cert.pem followed by chain.pem), so you can point ssl_certificate straight at /etc/letsencrypt/live/operationnotpermitted.com/fullchain.pem. If your certificate and intermediate bundle came from somewhere else, concatenate them yourself, leaf certificate first:
# leaf (server) certificate first, then the intermediate bundle
cat www.example.com.crt bundle.crt > www.example.com.chained.crt
Now use this file in your ssl_certificate directive:
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.chained.crt;
ssl_certificate_key www.example.com.key;
...
}
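Whichever server you run, the check is the same: does the certificate verify against the trust store when the client is given only what the server sends? The script below is an added example, not code from the original post or from LetsEncrypt. It builds a throwaway root -> intermediate -> leaf chain with the openssl CLI (the intermediate stands in for chain.pem, the leaf for cert.pem; the CA names, the www.example.com hostname and the $WORK directory are assumptions for the demo), shows that the leaf is untrusted on its own and trusted once the intermediate is supplied, checks that a concatenated nginx-style bundle has the leaf first, and includes the `openssl s_client` count you would run against a live server.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the missing-intermediate
# failure offline with a throwaway CA, then the checks to run on your own bundle
# and on a live server. Needs only the openssl CLI. The CA names, the
# www.example.com hostname and $WORK are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build root -> intermediate -> leaf. The intermediate plays the role of
# LetsEncrypt's chain.pem, the leaf plays cert.pem.
make_demo_chain() {
  cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
  # Self-signed root: what the phone's trust store would hold.
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 2 \
    -config "$WORK/demo.cnf" -extensions v3_ca -subj /CN=demo-root \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate signed by the root: the certificate the server must also send.
  openssl req -new -nodes -newkey rsa:2048 -config "$WORK/demo.cnf" \
    -subj /CN=demo-int -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/demo.cnf" -extensions v3_ca -out "$WORK/int.pem" 2>/dev/null
  # Leaf (server certificate) signed by the intermediate.
  openssl req -new -nodes -newkey rsa:2048 -config "$WORK/demo.cnf" \
    -subj /CN=www.example.com -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/demo.cnf" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null
  # nginx-style bundle: leaf first, then the intermediate(s).
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
}

# Returns 0 if LEAF chains to ROOT using only the intermediates in CHAIN.
# Omit CHAIN to simulate a server that sends nothing but its own certificate.
# The ": OK" line is parsed instead of the exit code because old openssl
# releases exited 0 even when verification failed.
verify_chain() {   # verify_chain ROOT LEAF [CHAIN]
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  fi
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Number of certificates in a PEM file (or on stdin when no file is given).
pem_cert_count() {
  if [ $# -gt 0 ]; then grep -c 'BEGIN CERTIFICATE' "$1" || true
  else grep -c 'BEGIN CERTIFICATE' || true; fi
}

# Returns 0 if the first certificate in BUNDLE is LEAF. nginx takes the server
# certificate from the top of the ssl_certificate file, so order matters.
bundle_leaf_first() {   # bundle_leaf_first BUNDLE LEAF
  [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ]
}

# Number of certificates a live server actually sends (needs network access).
# A result of 1 on a LetsEncrypt site means the intermediate is not being served.
served_cert_count() {   # served_cert_count HOST [PORT]
  printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts 2>/dev/null \
    | pem_cert_count
}

make_demo_chain
if verify_chain "$WORK/root.pem" "$WORK/leaf.pem"; then
  echo "leaf alone: trusted (unexpected)"
else
  echo "leaf alone: untrusted - this is the ERR_CERT_AUTHORITY_INVALID case"
fi
if verify_chain "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem"; then
  echo "leaf + intermediate: trusted"
fi
echo "fullchain.pem carries $(pem_cert_count "$WORK/fullchain.pem") certificates"
```

Run `served_cert_count operationnotpermitted.com` (or any host) after reloading the web server; a count of 2 or more, with the site certificate listed first, is what you want. Desktop browsers often hide this misconfiguration because they fetch a missing intermediate from the AIA URL embedded in the leaf certificate, or already have it cached from another site, whereas Chrome on Android does not fetch missing intermediates, so the only copy it can use is the one your server sends. That is why the warning shows up on the phone and not on the laptop.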