LetsEncrypt net::err_cert_authority_invalid - CA Untrusted on Chrome Mobile

LetsEncrypt net::err_cert_authority_invalid solution

Seeing NET::ERR_CERT_AUTHORITY_INVALID SSL warnings on your site in Chrome Mobile with a LetsEncrypt certificate? The fix is easy!

Note

If you’re seeing this problem on a site that isn’t yours and that you have no control over, there’s not much you can do. This is a problem the administrator of that site needs to solve. Get in touch with them and let them know about the problem if you can, and refer them to this article if you like.

While setting this website up, I noticed that the LetsEncrypt certificate was untrusted by Chrome on my Android phone and tablet. My suspicion is the intermediary certificates necessary to complete the chain of trust up to the root CA are not baked into Chrome Mobile, possibly to keep the built-in CA list small.

The fix was simple - I had not included the chain certificate in Apache’s SSL configuration:

SSLCertificateFile /etc/letsencrypt/live/operationnotpermitted.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/operationnotpermitted.com/privkey.pem

All I had to do was add the chain file into the mix:

SSLCertificateFile /etc/letsencrypt/live/operationnotpermitted.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/operationnotpermitted.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/operationnotpermitted.com/chain.pem

Make sure you use chain.pem and not fullchain.pem here. fullchain.pem also contains the certificate already specified by SSLCertificateFile, so the server would send that certificate twice, and some browsers reject a chain like that and raise a different warning instead.

If you’re using a web server other than Apache, such as Nginx, the problem is most likely the same: the server has to be configured to send the intermediate certificates along with its own.

Nginx has no separate chain/intermediate directive like Apache’s. Instead, concatenate your certificate and chain.pem into one file, with your own certificate first and the intermediates after it (in the command below, www.example.com.crt is your certificate and bundle.crt is the chain file). With certbot, fullchain.pem already contains cert.pem followed by chain.pem in exactly this order:

cat www.example.com.crt bundle.crt > www.example.com.chained.crt

Now use this file in your ssl_certificate directive:

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.chained.crt;
    ssl_certificate_key www.example.com.key;
    ...
}
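The two mistakes this page describes (serving only cert.pem with no intermediates, and using fullchain.pem where chain.pem belongs, which duplicates the leaf) can be caught before the server is reloaded. The following Python script is an added example, not part of the original post; it lints a PEM bundle the way a server would present it, using constructed stand-in PEM blocks rather than real certificates, so the chain order and duplicate checks work on fingerprints only.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """SHA-256 fingerprint of every CERTIFICATE block in a PEM bundle, in file order."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def lint_bundle(bundle_pem, leaf_pem):
    """Return the problems found in the bundle a server is about to send.
    leaf_pem is the server's own certificate (cert.pem), used to check ordering."""
    fps = fingerprints(bundle_pem)
    problems = []
    if not fps:
        return ["no certificates found"]
    if fps[0] != fingerprints(leaf_pem)[0]:
        problems.append("server certificate is not first in the bundle")
    if len(fps) == 1:
        # The original bug: only cert.pem is served, so clients that do not
        # carry the intermediate themselves fail with ERR_CERT_AUTHORITY_INVALID.
        problems.append("no intermediates: only the server certificate is sent")
    if len(set(fps)) != len(fps):
        # Typical cause: fullchain.pem used where chain.pem was expected.
        problems.append("a certificate appears more than once in the bundle")
    return problems


def build_nginx_bundle(cert_pem, chain_pem):
    """Equivalent of `cat cert.pem chain.pem`: leaf first, then intermediates."""
    return cert_pem.rstrip("\n") + "\n" + chain_pem.rstrip("\n") + "\n"


def _fake_pem(label):
    # Constructed stand-in, not a real certificate: the body is arbitrary base64
    # so that each block has a distinct fingerprint.
    body = base64.b64encode(f"constructed-{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


CERT_PEM = _fake_pem("leaf")                 # stands in for cert.pem
CHAIN_PEM = _fake_pem("intermediate")        # stands in for chain.pem
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM         # what certbot's fullchain.pem holds

if __name__ == "__main__":
    print("cert.pem only      :", lint_bundle(CERT_PEM, CERT_PEM))
    print("cert + chain       :", lint_bundle(build_nginx_bundle(CERT_PEM, CHAIN_PEM), CERT_PEM))
    print("cert + fullchain   :", lint_bundle(build_nginx_bundle(CERT_PEM, FULLCHAIN_PEM), CERT_PEM))
```

Once the server is reloaded, `openssl s_client -connect www.example.com:443 -showcerts` lists the chain actually sent on the wire, which is the same thing Chrome Mobile sees.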