Even if you do have an SSL certificate installed on your website, your users may run into the NET::ERR_CERT_AUTHORITY_INVALID error. Despite its intimidating name, the invalid certificate authority error isn’t something you should panic about.
Simply put, your browser doesn’t recognize the validity of your certificate. To keep you ‘safe’ it displays this error, so you’re aware that there’s something fishy going on. As the website owner, though, there are a lot of things you can do to fix the problem.
In this tutorial, we’ll talk about what the error message means, and how it looks in different browsers. Then we’ll teach you how to fix the NET::ERR_CERT_AUTHORITY_INVALID error by covering all of its likely causes.
Let’s get to work!
Q&A for power users of Apple hardware and software. Stack Exchange network consists of 178 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. February 1, 2021 by Peter van der Woude. This week is all about federated authentication for Managed Apple IDs. When using Microsoft Intune for managing Apple devices, the use of Managed Apple IDs is adding more and more value to the solution. That value gets even more when those Managed Apple IDs are federated with Azure AD. Select the System Preferences option within the Apple menu. Click on the Date & Time icon. Turn on the Set date & time automatically option.
What the NET::ERR_CERT_AUTHORITY_INVALID Error Is
As the name of the error implies, this problem pops up when your browser can’t verify the validity of your website’s SSL certificate. If you haven’t set up a certificate or are using HTTP for your website, which isn’t recommended, you shouldn’t run into this error.
Generally speaking, there are three primary causes for the invalid certificate authority error. Let’s break down each one in turn:
- You’re using a self-signed SSL certificate. Using a self-signed certificate can save you money, but since browsers can’t verify its validity, your visitors may run into the error in question. Browser warnings can scare a lot of users away, so we recommend against this approach.
- Your certificate has expired. SSL certificates expire as a security precaution. How long your certificate lasts can vary, but at some point, you’ll need to renew it or automate the renewal process (some authorities and web hosts enable you to do this easily).
- The certificate comes from a non-trusted source. Just as with self-signed certificates, if browsers can’t verify the authority that generated your certificate, you’ll see an error.
Remember that every time a user visits a website with an SSL certificate, their browser needs to validate and decrypt it. If there are any errors during that process, they’ll see a warning.
In a lot of cases, browsers will actively prevent users from accessing the website in order to protect them. This often comes in the form of the “Your Connection is Not Private” error. As you might imagine, that’s a huge problem if it occurs on your own site.
Sometimes, you may run into the NET::ERR_CERT_AUTHORITY_INVALID error due to local configuration settings. Throughout the next sections, we’ll show you the many faces this error can take and then we’ll talk about how to troubleshoot it.
NET::ERR_CERT_AUTHORITY_INVALID Error Variations
The way an error appears can vary a bit, depending on what browser you’re using. Your operating system and your certificate’s configuration can also play a role in the different error messages that appear.
With that in mind, let’s take a look at the most common variations of the NET::ERR_CERT_AUTHORITY_INVALID error, browser by browser.
Google Chrome
When you run into this error in Chrome, the browser will tell you right away that your connection isn’t private. Since the browser doesn’t recognize your certificate’s validity, it can’t encrypt your data.
That means if you proceed, you do so at your own risk. Here’s what the error message looks like:
Attackers might be trying to steal your information from domain.com (for example, passwords, messages, or credit cards).
The NET::ERR_CERT_AUTHORITY_INVALID error in Chrome
Common variations of this error in Chrome include the following codes:
- NET::ERR_CERT_AUTHORITY_INVALID
- NET::ERR_CERT_COMMON_NAME_INVALID (This occurs when the certificate does not match the domain)
- NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
- NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
- SSL CERTIFICATE ERROR
In every case, Chrome pinpoints the source of the error within the certificate. The browser lets you proceed to the website if you choose, but it warns you against doing so.
Mozilla Firefox
Firefox doesn’t waste any time in telling you that you may have run into a potential security risk. What’s more, this browser does a better job than Chrome when it comes to explaining the potential causes and telling you not to panic.
Here’s how the primary error message reads:
Firefox detected an issue and did not continue to domain.com. The website is either misconfigured or your computer clock is set to the wrong time.It’s likely the website’s certificate is expired, which prevents Firefox from connecting securely. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
The NET::ERR_CERT_AUTHORITY_INVALID error in Firefox
That variation of the error doesn’t include a specific code, though. In most cases, the screen will include one of the following codes as well:
- SEC_ERROR_UNKNOWN_ISSUER
- SSL_ERROR_RX_MALFORMED_HANDSHAKE
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
- SEC_ERROR_REUSED_ISSUER_AND_SERIAL
If you see an error code like one of the above, make sure to copy it down somewhere. That is the browser’s way of telling you where things went wrong. In our experience, a simple search for a specific error code is often enough to help you find a quick solution.
Microsoft Edge
The Microsoft Edge error message you see below should look familiar. It’s almost identical to the message Chrome displays, right down to the included code:
The error can also come in different flavors, including the following:
- DLG_FLAGS_SEC_CERTDATE_INVALID
- DLG_FLAGS_INVALID_CA
- DLG_FLAGS_SEC_CERT_CN_INVALID
- NET::ERR_CERT_COMMON_NAME_INVALID
- ERROR CODE: O
Just as with Chrome, these error messages give you some insight into what’s at the root of your NET::ERR_CERT_AUTHORITY_INVALID error.
Safari
If you’re a Safari user, you’ll run into a variation of the ‘this connection is not private’ error, which lets you know there’s a problem with the website’s certificate and encryption. Here’s what the message says:
This website may be impersonating “domain.com” to steal your personal or financial information. You should go back to the previous page.
The NET::ERR_CERT_AUTHORITY_INVALID error in Safari
That particular error is due to an expired certificate. As we mentioned before, expired certificates are one of the most common causes of the NET::ERR_CERT_AUTHORITY_INVALID error.
How to Fix the NET::ERR_CERT_AUTHORITY_INVALID Error (9 Methods)
Apple Configurator Activation Record Failed Bad Url Download
Now that you know what it looks like across most major browsers, it’s time to check out how to solve the NET::ERR_CERT_AUTHORITY_INVALID error. Earlier, we talked about its most common causes. However, we also mentioned that your local configuration can trigger it in some cases.
That means there are a lot of potential solutions to this issue. To keep things simple, we’ll start by tackling the three most common culprits, i.e. expired, self-signed, and ‘untrustworthy’ certificates. Then we’ll move on to more general solutions.
Here’s what we’ll cover:
1. Run an SSL Server Test
If you installed your SSL certificate shortly before the error began appearing, something may have gone wrong during the setup process. That can often happen if you installed the certificate manually, instead of through your web host.
The easiest way to check and see if your certificate is properly installed is by using an SSL check tool, such as the one offered by Qualys SSL Labs. This particular tool is free to use.
All you have to do is enter the domain where the error is popping up, and click on the Submit button:
Running an SSL check
Now, wait a couple of minutes while the results come up. Ideally, you should get an A+, with perfect scores for all your certificates:
If you don’t get a perfect score, scroll down to the list of certificates the tool shows you. There should be a section that tells you whether your certificate is trusted or not. If the tool gives you a negative result, then you’ll need to install a certificate from a trusted source instead.
2. Get a Certificate from a Valid Authority
There’s no excuse to use a self-signed certificate these days. If cost is the only factor, you can get a free certificate from Let’s Encrypt. Since it’s a valid authority, every browser will recognize your certificate’s validity:
Let’s Encrypt home page
If you’re a Kinsta user, we can help you set up your free Let’s Encrypt certificate in a matter of click through your MyKinsta dashboard:
Want to know how we increased our traffic over 1000%?
Join 20,000+ others who get our weekly newsletter with insider WordPress tips!
For some websites, however, you’ll need more than a free certificate. Free certificates need to be renewed often, which can be a chore. Premium certificates offer more perks, such as insurance in the case of data breaches, encryption for multiple domains, and more.
For ecommerce sites, in particular, it can be worth it to pay for a premium SSL certificate. If you do buy a certificate, make sure it’s from a valid authority, in order to avoid running into the NET::ERR_CERT_AUTHORITY_INVALID error.
3. Renew Your SSL Certificate
SSL certificates need to be renewed every so often for security purposes. The renewal process verifies your domain’s ‘identity’, and without it, certificates would lose some of their validity. Free certificates from Let’s Encrypt renew every 90 days, whereas paid options have longer lifespans.
When the term is up, you’ll need to renew your certificate manually if your web host doesn’t handle that for you. In any case, Let’s Encrypt will contact you when your certificate is about to expire, so you can renew it ahead of time. Depending on which web host you use, however, you might not get access to renewal options through your control panel.
If you’re a Kinsta customer, we’ll take care of SSL certificate renewal for you, so you don’t need to worry about marking your calendar.
The Certbot home page
If you have access to your server, you can use the Certbot tool to install and renew SSL certificates through the command line.
Once you renew your SSL certificate, try loading your website again to see if the NET::ERR_CERT_AUTHORITY_INVALID error persists.
4. Try Reloading the Page (Or Using Incognito Mode)
If neither of the above fixes worked, it’s time to start troubleshooting directly from your computer.
In many cases, the NET::ERR_CERT_AUTHORITY_INVALID error disappears on its own when you try to reload the page. It only takes a second to do so, so it doesn’t hurt to try.
If the error persists across multiple reloads, we recommend that you try accessing the website using an ‘incognito mode’ if your browser offers that option:
If the website loads fine in incognito mode, that means the error is likely caused by your browser attempting to load an outdated cached version of the page. That gives you enough information to tackle the problem directly (as we’ll see in the next section).
5. Clear Your Browser’s Cache and Cookies
If switching your browser to incognito mode made the NET::ERR_CERT_AUTHORITY_INVALID error go away, then the issue is probably related to your browser’s cache.
Clearing your cache and cookies is easy, but the process varies depending on which browser you’re using. Below you can find instructions for clearing the cache in all the major browsers:
Another solution can be to try and force refresh your website specifically, so you don’t have to delete your entire cache. Force refreshing sometimes doesn’t work, however, so clearing your cache is our recommended solution.
6. Sync Your Computer’s Clock
One of the most common causes for the NET::ERR_CERT_AUTHORITY_INVALID is because your computer has the wrong date or time set. To clarify, errors with your device’s clock can interfere with your browser’s ability to verify a website’s certificate.
The good news is that if this is the problem, it’s an easy fix. If you notice a discrepancy between your computer’s clock and the current time, you can adjust it in seconds. Exactly how you do this will depend on which Operating System (OS) you’re using.
Windows
Go to the system tray and right-click on your computer’s time, then select the option that says Adjust date/time:
A settings window will appear. Look for the option that reads Sync now under Synchronize your clock, and click on it: Syncing your computer clock.
Syncing your computer clock
If you have an internet connection, Windows will make sure the date and time are correct. To avoid this issue in the future, we recommend that you enable the Set time automatically option. This setting should ensure that your computer always has the correct time.
Mac
If you’re using macOS, the syncing process is also remarkably simple. All you have to do is follow these steps:
- Select the System Preferences option within the Apple menu.
- Click on the Date & Time icon.
- Turn on the Set date & time automatically option.
Before you close the settings screen, swing by the Time Zone tab and make sure you’re using the correct time zone. Once that’s done, you can check to see if the NET::ERR_CERT_AUTHORITY_INVALID error still persists.
Apple Configurator Activation Record Failed Bad Url Code
7. Try Using a Different Network
In some cases, the NET::ERR_CERT_AUTHORITY_INVALID error pops up when you’re using a public network, such as the ones you can find in coffee shops or tourist spots. These networks often don’t route traffic securely, which can trigger the error.
If you’re using a public network for your computer, we recommend trying to access your website through your smartphone using its mobile data. Your goal here is to determine whether the original network was causing the problem.
If the error disappears when you’re using mobile data, then you know you need to switch networks. Another option to protect your privacy if you regularly use public internet access is to sign up for a Virtual Private Network (VPN).
A good VPN service will help protect your data even if you’re using an unsecured point of access. You will need to pay if you want to use a quality VPN service, but the expense is well worth it if you’re always on the move.
8. Disable Your VPN or Antivirus Software
If you’re already using a VPN and you run into the NET::ERR_CERT_AUTHORITY_INVALID error, the service itself may be triggering it.
Another common culprit is antivirus software. After you’ve tried everything else, we recommend that you temporarily turn off your VPN and disable your antivirus software. Then try accessing your site again and use force refresh to make sure it’s not loading from your browser’s cache.
Apple Configurator Activation Record Failed Bad Url Removal
If the error is gone, try re-enabling both services, one at a time, and see if you get the invalid certificate notification once more. This will let you know which is at fault. You may then choose to try and update the software, contact its support team for help, or look for an alternative solution.
9. Wipe Your Computer’s SSL State
Your computer keeps cached copies of certificates from websites you visit on a temporary basis, so it doesn’t have to run through the entire verification process each time you access them.
You can think of your SSL state as a cache, only for certificates. Just as with your cache, you can wipe your computer’s SSL state when you run into invalid certificate authority errors.
In Windows, you can do this by accessing the Internet Options menu from your control panel, and moving to the Content tab:
Clearing your SSL state in Windows
Click on the button that says Clear SSL state, close the window, and try reloading your website.
If you’re using macOS, and have accepted an untrusted certificate in the past, you may need to delete the certificate exception created for it from your Mac Keychain.
To do this, click on the Finder icon, followed by Go > Utilities > Keychain Access:
Under the Category section, select Certificates. Any untrusted certificates should have a red ‘X’ under their names. To delete them, click on Edit at the top of the screen, followed by Delete.
Summary
The NET::ERR_CERT_AUTHORITY_INVALID error can take a while to troubleshoot if you’re unable to determine what’s causing it. Plus, if your visitors are seeing it as well, that can harm both your traffic and your reputation.
The good news is that most fixes take little time to implement. You’ll want to start by making sure your SSL certificate is up to date and valid, then perform some basic troubleshooting tasks such as reloading the page and clearing your browser’s cache.
After that, you can move on to more involved fixes, like wiping your SSL state and running an SSL server test.
If you enjoyed this tutorial, then you’ll love our support. All Kinsta’s hosting plans include 24/7 support from our veteran WordPress developers and engineers. Chat with the same team that backs our Fortune 500 clients. Check out our plans
Comments are closed.