NET::ERR_CERT_AUTHORITY_INVALID
The browser doesn’t trust the certificate’s issuer — either the chain is incomplete, the CA is private, or the certificate is self-signed.
Common causes
- A missing intermediate certificate breaks the path to a trusted root.
- The certificate is issued by a private/internal CA not in the trust store.
- The certificate is self-signed.
How to fix it
- 1
Check what chain the server actually sends:
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null - 2
If an intermediate is missing, serve the full chain (see UNABLE_TO_VERIFY_LEAF_SIGNATURE).
- 3
If it’s a private CA used intentionally, distribute that CA’s root to clients.
Catch these before your users do
SSLNudge detects NET::ERR_CERT_AUTHORITY_INVALID and expiry issues daily and alerts you.