How to Fix the NET::ERR_CERT_AUTHORITY_INVALID Error

How to Fix the NET::ERR_CERT_AUTHORITY_INVALID Error (9 Methods) · Run an SSL Server Test · Get a Certificate from a Valid Authority · Renew Your ... Yourcurrenthostcouldbecostingyoutimeandmoney—getthembackwithKinsta.Learnmore SSLquestions HowtoFixtheNET::ERR_CERT_AUTHORITY_INVALIDError Lastupdated:June18,2021 EvenifyoudohaveanSSLcertificateinstalledonyourwebsite,yourusersmayrunintotheNET::ERR_CERT_AUTHORITY_INVALIDerror.Despiteitsintimidatingname,theinvalidcertificateauthorityerrorisn’tsomethingyoushouldpanicabout. Tryafreedemo Simplyput,yourbrowserdoesn’trecognizethevalidityofyourcertificate.Tokeepyou‘safe’itdisplaysthiserror,soyou’reawarethatthere’ssomethingfishygoingon.Asthewebsiteowner,though,therearealotofthingsyoucandotofixtheproblem. Inthistutorial,we’lltalkaboutwhattheerrormessagemeans,andhowitlooksindifferentbrowsers.Thenwe’llteachyouhowtofixtheNET::ERR_CERT_AUTHORITY_INVALIDerrorbycoveringallofitslikelycauses. Let’sgettowork! WhattheNET::ERR_CERT_AUTHORITY_INVALIDErrorIs Asthenameoftheerrorimplies,thisproblempopsupwhenyourbrowsercan’tverifythevalidityofyourwebsite’sSSLcertificate.Ifyouhaven’tsetupacertificateorareusingHTTPforyourwebsite,whichisn’trecommended,youshouldn’trunintothiserror. Generallyspeaking,therearethreeprimarycausesfortheinvalidcertificateauthorityerror.Let’sbreakdowneachoneinturn: You’reusingaself-signedSSLcertificate.Usingaself-signedcertificatecansaveyoumoney,butsincebrowserscan’tverifyitsvalidity,yourvisitorsmayrunintotheerrorinquestion.Browserwarningscanscarealotofusersaway,sowerecommendagainstthisapproach. Yourcertificatehasexpired.SSLcertificatesexpireasasecurityprecaution.Howlongyourcertificatelastscanvary,butatsomepoint,you’llneedtorenewitorautomatetherenewalprocess(someauthoritiesandwebhostsenableyoutodothiseasily). Thecertificatecomesfromanon-trustedsource.Justaswithself-signedcertificates,ifbrowserscan’tverifytheauthoritythatgeneratedyourcertificate,you’llseeanerror. RememberthateverytimeauservisitsawebsitewithanSSLcertificate,theirbrowserneedstovalidateanddecryptit.Ifthereareanyerrorsduringthatprocess,they’llseeawarning. Inalotofcases,browserswillactivelypreventusersfromaccessingthewebsiteinordertoprotectthem.Thisoftencomesintheformofthe“YourConnectionisNotPrivate”error.Asyoumightimagine,that’sahugeproblemifitoccursonyourownsite. Sometimes,youmayrunintotheNET::ERR_CERT_AUTHORITY_INVALIDerrorduetolocalconfigurationsettings.Throughoutthenextsections,we’llshowyouthemanyfacesthiserrorcantakeandthenwe’lltalkabouthowtotroubleshootit. WhenyouseeaNET::ERR_CERT_AUTHORITY_INVALIDerrormessagepopup,youmightbeconcerned😬.Despiteitsintimidatingname,thisinvalidcertificateauthorityerrorisn'tcauseforalarm.😅Learnhowtofixitinafewsimplesteps.⬇️ClicktoTweet NET::ERR_CERT_AUTHORITY_INVALIDErrorVariations Thewayanerrorappearscanvaryabit,dependingonwhatbrowseryou’reusing.Youroperatingsystemandyourcertificate’sconfigurationcanalsoplayaroleinthedifferenterrormessagesthatappear. Withthatinmind,let’stakealookatthemostcommonvariationsoftheNET::ERR_CERT_AUTHORITY_INVALIDerror,browserbybrowser. GoogleChrome WhenyourunintothiserrorinChrome,thebrowserwilltellyourightawaythatyourconnectionisn’tprivate.Sincethebrowserdoesn’trecognizeyourcertificate’svalidity,itcan’tencryptyourdata. Thatmeansifyouproceed,youdosoatyourownrisk.Here’swhattheerrormessagelookslike: Attackersmightbetryingtostealyourinformationfromdomain.com(forexample,passwords,messages,orcreditcards). TheNET::ERR_CERT_AUTHORITY_INVALIDerrorinChrome CommonvariationsofthiserrorinChromeincludethefollowingcodes: NET::ERR_CERT_AUTHORITY_INVALID NET::ERR_CERT_COMMON_NAME_INVALID(Thisoccurswhenthecertificatedoesnotmatchthedomain) NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED NET::ERR_CERT_DATE_INVALID SSLCERTIFICATEERROR Ineverycase,Chromepinpointsthesourceoftheerrorwithinthecertificate.Thebrowserletsyouproceedtothewebsiteifyouchoose,butitwarnsyouagainstdoingso. MozillaFirefox Firefoxdoesn’twasteanytimeintellingyouthatyoumayhaverunintoapotentialsecurityrisk.What’smore,thisbrowserdoesabetterjobthanChromewhenitcomestoexplainingthepotentialcausesandtellingyounottopanic. Here’showtheprimaryerrormessagereads: Firefoxdetectedanissueanddidnotcontinuetodomain.com.Thewebsiteiseithermisconfiguredoryourcomputerclockissettothewrongtime.It’slikelythewebsite’scertificateisexpired,whichpreventsFirefoxfromconnectingsecurely.Ifyouvisitthissite,attackerscouldtrytostealinformationlikeyourpasswords,emails,orcreditcarddetails. TheNET::ERR_CERT_AUTHORITY_INVALIDerrorinFirefox Thatvariationoftheerrordoesn’tincludeaspecificcode,though.Inmostcases,thescreenwillincludeoneofthefollowingcodesaswell: SEC_ERROR_UNKNOWN_ISSUER SSL_ERROR_RX_MALFORMED_HANDSHAKE MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE SEC_ERROR_REUSED_ISSUER_AND_SERIAL Ifyouseeanerrorcodelikeoneoftheabove,makesuretocopyitdownsomewhere.Thatisthebrowser’swayoftellingyouwherethingswentwrong.Inourexperience,asimplesearchforaspecificerrorcodeisoftenenoughtohelpyoufindaquicksolution. MicrosoftEdge TheMicrosoftEdgeerrormessageyouseebelowshouldlookfamiliar.It’salmostidenticaltothemessageChromedisplays,rightdowntotheincludedcode: TheNET::ERR_CERT_AUTHORITY_INVALIDerrorinEdge Theerrorcanalsocomeindifferentflavors,includingthefollowing: DLG_FLAGS_SEC_CERTDATE_INVALID DLG_FLAGS_INVALID_CA DLG_FLAGS_SEC_CERT_CN_INVALID NET::ERR_CERT_COMMON_NAME_INVALID ERRORCODE:O JustaswithChrome,theseerrormessagesgiveyousomeinsightintowhat’sattherootofyourNET::ERR_CERT_AUTHORITY_INVALIDerror. Safari Ifyou’reaSafariuser,you’llrunintoavariationofthe‘thisconnectionisnotprivate’error,whichletsyouknowthere’saproblemwiththewebsite’scertificateandencryption.Here’swhatthemessagesays: Thiswebsitemaybeimpersonating“domain.com”tostealyourpersonalorfinancialinformation.Youshouldgobacktothepreviouspage. TheNET::ERR_CERT_AUTHORITY_INVALIDerrorinSafari Thatparticularerrorisduetoanexpiredcertificate.Aswementionedbefore,expiredcertificatesareoneofthemostcommoncausesoftheNET::ERR_CERT_AUTHORITY_INVALIDerror. HowtoFixtheNET::ERR_CERT_AUTHORITY_INVALIDError(9Methods) Nowthatyouknowwhatitlookslikeacrossmostmajorbrowsers,it’stimetocheckouthowtosolvetheNET::ERR_CERT_AUTHORITY_INVALIDerror.Earlier,wetalkedaboutitsmostcommoncauses.However,wealsomentionedthatyourlocalconfigurationcantriggeritinsomecases. Thatmeanstherearealotofpotentialsolutionstothisissue.Tokeepthingssimple,we’llstartbytacklingthethreemostcommonculprits,i.e.expired,self-signed,and‘untrustworthy’certificates.Thenwe’llmoveontomoregeneralsolutions. Here’swhatwe’llcover: 1.RunanSSLServerTest IfyouinstalledyourSSLcertificateshortlybeforetheerrorbeganappearing,somethingmayhavegonewrongduringthesetupprocess.Thatcanoftenhappenifyouinstalledthecertificatemanually,insteadofthroughyourwebhost. TheeasiestwaytocheckandseeifyourcertificateisproperlyinstalledisbyusinganSSLchecktool,suchastheoneofferedbyQualysSSLLabs.Thisparticulartoolisfreetouse. Allyouhavetodoisenterthedomainwheretheerrorispoppingup,andclickontheSubmitbutton: RunninganSSLcheck Now,waitacoupleofminuteswhiletheresultscomeup.Ideally,youshouldgetanA+,withperfectscoresforallyourcertificates: TheresultsofanSSLtest Ifyoudon’tgetaperfectscore,scrolldowntothelistofcertificatesthetoolshowsyou.Thereshouldbeasectionthattellsyouwhetheryourcertificateistrustedornot.Ifthetoolgivesyouanegativeresult,thenyou’llneedtoinstallacertificatefromatrustedsourceinstead. 2.GetaCertificatefromaValidAuthority There’snoexcusetouseaself-signedcertificatethesedays.Ifcostistheonlyfactor,youcangetafreecertificatefromLet’sEncrypt.Sinceit’savalidauthority,everybrowserwillrecognizeyourcertificate’svalidity: Let’sEncrypthomepage Ifyou’reaKinstauser,wecanhelpyousetupyourfreeLet’sEncryptcertificateinamatterofclickthroughyourMyKinstadashboard: SignUpFortheNewsletter Wanttoknowhowweincreasedourtrafficover1000%? Join20,000+otherswhogetourweeklynewsletterwithinsiderWordPresstips! SubscribeNow AddingafreeSSLcertificatethroughMyKinsta Forsomewebsites,however,you’llneedmorethanafreecertificate.Freecertificatesneedtoberenewedoften,whichcanbeachore.Premiumcertificatesoffermoreperks,suchasinsuranceinthecaseofdatabreaches,encryptionformultipledomains,andmore. Forecommercesites,inparticular,itcanbeworthittopayforapremiumSSLcertificate.Ifyoudobuyacertificate,makesureit’sfromavalidauthority,inordertoavoidrunningintotheNET::ERR_CERT_AUTHORITY_INVALIDerror. 3.RenewYourSSLCertificate SSLcertificatesneedtoberenewedeverysooftenforsecuritypurposes.Therenewalprocessverifiesyourdomain’s‘identity’,andwithoutit,certificateswouldlosesomeoftheirvalidity.FreecertificatesfromLet’sEncryptrenewevery90days,whereaspaidoptionshavelongerlifespans. Whenthetermisup,you’llneedtorenewyourcertificatemanuallyifyourwebhostdoesn’thandlethatforyou.Inanycase,Let’sEncryptwillcontactyouwhenyourcertificateisabouttoexpire,soyoucanrenewitaheadoftime.Dependingonwhichwebhostyouuse,however,youmightnotgetaccesstorenewaloptionsthroughyourcontrolpanel. Info Ifyou’reaKinstacustomer,we’lltakecareofSSLcertificaterenewalforyou,soyoudon’tneedtoworryaboutmarkingyourcalendar. TheCertbothomepage Ifyouhaveaccesstoyourserver,youcanusetheCertbot tooltoinstallandrenewSSLcertificatesthroughthecommandline. OnceyourenewyourSSLcertificate,tryloadingyourwebsiteagaintoseeiftheNET::ERR_CERT_AUTHORITY_INVALIDerrorpersists. 4.TryReloadingthePage(OrUsingIncognitoMode) Ifneitheroftheabovefixesworked,it’stimetostarttroubleshootingdirectlyfromyourcomputer. Inmanycases,theNET::ERR_CERT_AUTHORITY_INVALIDerrordisappearsonitsownwhenyoutrytoreloadthepage.Itonlytakesasecondtodoso,soitdoesn’thurttotry. Iftheerrorpersistsacrossmultiplereloads,werecommendthatyoutryaccessingthewebsiteusingan‘incognitomode’ ifyourbrowseroffersthatoption: Chrome’sincognitomode Ifthewebsiteloadsfineinincognitomode,thatmeanstheerrorislikelycausedbyyourbrowserattemptingtoloadanoutdatedcachedversionofthepage.Thatgivesyouenoughinformationtotackletheproblemdirectly(aswe’llseeinthenextsection). 5.ClearYourBrowser’sCacheandCookies IfswitchingyourbrowsertoincognitomodemadetheNET::ERR_CERT_AUTHORITY_INVALIDerrorgoaway,thentheissueisprobablyrelatedtoyourbrowser’scache. Clearingyourcacheandcookiesiseasy,buttheprocessvariesdependingonwhichbrowseryou’reusing.Belowyoucanfindinstructionsforclearingthecacheinallthemajorbrowsers: StrugglingwithdowntimeandWordPressproblems?Kinstaisthehostingsolutiondesignedtosaveyoutime!Checkoutourfeatures HowtoClearBrowserCacheforGoogleChrome HowtoClearBrowserCacheforMozillaFirefox HowtoClearBrowserCacheforSafari HowtoClearBrowserCacheforInternetExplorer HowtoClearBrowserCacheforMicrosoftEdge HowtoClearBrowserCacheforOpera Anothersolutioncanbetotryandforcerefreshyourwebsite specifically,soyoudon’thavetodeleteyourentirecache.Forcerefreshingsometimesdoesn’twork,however,soclearingyourcacheisourrecommendedsolution. 6.SyncYourComputer’sClock OneofthemostcommoncausesfortheNET::ERR_CERT_AUTHORITY_INVALIDisbecauseyourcomputerhasthewrongdateortimeset.Toclarify,errorswithyourdevice’sclockcaninterferewithyourbrowser’sabilitytoverifyawebsite’scertificate. Thegoodnewsisthatifthisistheproblem,it’saneasyfix.Ifyounoticeadiscrepancybetweenyourcomputer’sclockandthecurrenttime,youcanadjustitinseconds.ExactlyhowyoudothiswilldependonwhichOperatingSystem(OS)you’reusing. Windows Gotothesystemtrayandright-clickonyourcomputer’stime,thenselecttheoptionthatsaysAdjustdate/time: AdjustingthetimeinWindows Asettingswindowwillappear.LookfortheoptionthatreadsSyncnowunderSynchronizeyourclock,andclickonit:Syncingyourcomputerclock. Syncingyourcomputerclock Ifyouhaveaninternetconnection,Windowswillmakesurethedateandtimearecorrect.Toavoidthisissueinthefuture,werecommendthatyouenabletheSettimeautomaticallyoption.Thissettingshouldensurethatyourcomputeralwayshasthecorrecttime. Mac Ifyou’reusingmacOS,thesyncingprocessisalsoremarkablysimple.Allyouhavetodoisfollowthesesteps: AdjustingthetimeinmacOS SelecttheSystemPreferencesoptionwithintheApplemenu. ClickontheDate&Timeicon. TurnontheSetdate&timeautomaticallyoption. Beforeyouclosethesettingsscreen,swingbytheTimeZonetabandmakesureyou’reusingthecorrecttimezone.Oncethat’sdone,youcanchecktoseeiftheNET::ERR_CERT_AUTHORITY_INVALIDerrorstillpersists. 7.TryUsingaDifferentNetwork Insomecases,theNET::ERR_CERT_AUTHORITY_INVALIDerrorpopsupwhenyou’reusingapublicnetwork,suchastheonesyoucanfindincoffeeshopsortouristspots.Thesenetworksoftendon’troutetrafficsecurely,whichcantriggertheerror. Ifyou’reusingapublicnetworkforyourcomputer,werecommendtryingtoaccessyourwebsitethroughyoursmartphoneusingitsmobiledata.Yourgoalhereistodeterminewhethertheoriginalnetworkwascausingtheproblem. Iftheerrordisappearswhenyou’reusingmobiledata,thenyouknowyouneedtoswitchnetworks.AnotheroptiontoprotectyourprivacyifyouregularlyusepublicinternetaccessistosignupforaVirtualPrivateNetwork(VPN). AgoodVPNservicewillhelpprotectyourdataevenifyou’reusinganunsecuredpointofaccess. YouwillneedtopayifyouwanttouseaqualityVPNservice,buttheexpenseiswellworthitifyou’realwaysonthemove. 8.DisableYourVPNorAntivirusSoftware Ifyou’realreadyusingaVPNandyourunintotheNET::ERR_CERT_AUTHORITY_INVALIDerror,theserviceitselfmaybetriggeringit. Anothercommonculpritisantivirussoftware.Afteryou’vetriedeverythingelse,werecommendthatyoutemporarilyturnoffyourVPNanddisableyourantivirussoftware.Thentryaccessingyoursiteagainanduseforcerefreshtomakesureit’snotloadingfromyourbrowser’scache. Iftheerrorisgone,tryre-enablingbothservices,oneatatime,andseeifyougettheinvalidcertificatenotificationoncemore.Thiswillletyouknowwhichisatfault.Youmaythenchoosetotryandupdatethesoftware,contactitssupportteamforhelp,orlookforanalternativesolution. 9.WipeYourComputer’sSSLState Yourcomputerkeepscachedcopiesofcertificatesfromwebsitesyouvisitonatemporarybasis,soitdoesn’thavetorunthroughtheentireverificationprocesseachtimeyouaccessthem. YoucanthinkofyourSSLstateasacache,onlyforcertificates.Justaswithyourcache,youcanwipeyourcomputer’sSSLstatewhenyourunintoinvalidcertificateauthorityerrors. InWindows,youcandothisbyaccessingtheInternetOptionsmenufromyourcontrolpanel,andmovingtotheContenttab: ClearingyourSSLstateinWindows   ClickonthebuttonthatsaysClearSSLstate,closethewindow,andtryreloadingyourwebsite. Ifyou’reusingmacOS,andhaveacceptedanuntrustedcertificateinthepast,youmayneedtodeletethecertificateexceptioncreatedforitfromyourMacKeychain. Todothis,clickontheFinder icon,followedbyGo> Utilities>KeychainAccess: KeychainAccessinmacOS UndertheCategory section,selectCertificates.Anyuntrustedcertificatesshouldhaveared‘X’undertheirnames.Todeletethem,clickon Edit atthetopofthescreen,followedbyDelete. TheNET::ERR_CERT_AUTHORITY_INVALIDmightlookscary😱,butthisguidewillgiveyouthetoolsyouneedtotackleitacrossbrowsers💪ClicktoTweet Summary TheNET::ERR_CERT_AUTHORITY_INVALIDerrorcantakeawhiletotroubleshootifyou’reunabletodeterminewhat’scausingit.Plus,ifyourvisitorsareseeingitaswell,thatcanharmbothyourtrafficandyourreputation. Thegoodnewsisthatmostfixestakelittletimetoimplement.You’llwanttostartbymakingsureyourSSLcertificateisuptodateandvalid,thenperformsomebasictroubleshootingtaskssuchasreloadingthepageandclearingyourbrowser’scache. Afterthat,youcanmoveontomoreinvolvedfixes,likewipingyourSSLstateandrunninganSSLservertest. Savetime,costsandmaximizesiteperformancewith: InstanthelpfromWordPresshostingexperts,24/7. CloudflareEnterpriseintegration. Globalaudiencereachwith28datacentersworldwide. Optimizationwithourbuilt-inApplicationPerformanceMonitoring. Allofthatandmuchmore,inoneplanwithnolong-termcontracts,assistedmigrations,anda30-day-money-back-guarantee.Checkoutourplansortalktosalestofindtheplanthat’srightforyou. Hand-pickedrelatedarticles KnowledgeBase HowtoFixtheNET::ERR_CERT_COMMON_NAME_INVALIDError(9Methods) Gettingthenet::err_cert_common_name_invaliderror?Althoughtitmightlookscary,it'saneasyfix.Learnhowwiththisin-depthguide. KnowledgeBase HowtoFixtheERR_SSL_PROTOCOL_ERROR Astep-by-stepguideonhowtofixtheERR_SSL_PROTOCOL_ERRORmessage.ThisistypicallyduetoacachedSSLstateormisconfiguredcertificate. KnowledgeBase DoIneedaServerType,CSRCode,andRSAKeytoActivateSSL? Usethispagetolearnaboutthe3piecesofinformation,servertype,CSRcode,andRSAkey,you'llneedtogetSSLupandrunningonyourWordPre…