JIYIK CN >

Sometimes even after you have an SSL certificate installed on your website, your website’s users may encounter NET::ERR_CERT_AUTHORITY_INVALIDan invalid certificate authority error. Despite the intimidating name, the invalid certificate authority error is not something you should panic about.

In short, the browser doesn't recognize the validity of your certificate. In order to keep you "safe," it displays this error so you know something fishy is going on. However, there are a lot of things you can do as a website owner to fix the problem.

In this tutorial, we will discuss what the error message means, and how it looks in different browsers. Then we will teach you how to fix the NET::ERR_CERT_AUTHORITY_INVALID error by covering all possible causes.

Let’s get started!

What is NET::ERR_CERT_AUTHORITY_INVALID

As the name suggests, this problem occurs when your browser cannot verify the validity of the website's SSL certificate. If you haven't set up a certificate or are using HTTP for your website (not recommended), you shouldn't encounter this error.

Generally speaking, there are three main reasons for the invalid certificate authority error. Let’s break down each one in turn:

1. You are using a self-signed SSL certificate . Using a self-signed certificate saves money, but your visitors may encounter errors because the browser cannot verify its validity. Browser warnings scare away many users, so we recommend not using this method.
2. Your certificate has expired . SSL certificates expire as a security precaution. The duration of a certificate can vary, but at some point you’ll need to renew it or automate the renewal process (some authorities and web hosts make it easy for you to do this).
3. This certificate is from an untrusted source . As with self-signed certificates, if your browser cannot verify the authority that generated the certificate, you will see an error.

Remember, every time a user visits a website using an SSL certificate, their browser will need to verify and decrypt it. If there are any errors in the process, they will see a warning.

In many cases, browsers will proactively block users from accessing websites to protect them. This usually comes in the form of a “your connection is not private” error. As you might imagine, this can be a huge problem if it happens on your own website.

Sometimes you might encounter NET::ERR_CERT_AUTHORITY_INVALIDan error due to local configuration settings. In the following sections, we’ll show you a number of scenarios in which this error might appear, and then we’ll discuss how to troubleshoot it.

When you see the NET::ERR_CERT_AUTHORITY_INVALID error message pop up, you might get worried 😬. Despite the intimidating name, this invalid certificate authority error is nothing to cause alarm. 😅 Learn how to fix it in a few simple steps.

NET::ERR_CERT_AUTHORITY_INVALID Error Variation

The error may appear differently depending on the browser you are using. The configuration of your operating system and certificate also plays a role in the different error messages that appear.

With that in mind, let’s look at the most common variations of the NET::ERR_CERT_AUTHORITY_INVALID error one by one.

Google Chrome

When encountering this error in Chrome, the browser immediately tells us that the connection is not private. Since the browser does not recognize the validity of your certificate, it cannot encrypt your data.

This means that if you continue, you do so at your own risk. The error message looks like this:

An attacker might try to steal your information (for example, passwords, messages, or credit cards) from domain.com.

Common variations of this error in Chrome include the following code:

• NET::ERR_CERT_AUTHORITY_INVALID
• NET::ERR_CERT_COMMON_NAME_INVALID (this happens when the certificate does not match the domain)
• NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
• NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
• NET::ERR_CERT_DATE_INVALID
• SSL Certificate Error

In each case, Chrome pinpoints the source of the error in the certificate. The browser lets you continue to the site if you want, but it warns you not to do so.

Mozilla Firefox

Firefox doesn't waste any time telling us that we might be experiencing a potential security risk. More importantly, the browser does a much better job than Chrome at explaining the potential cause and telling you not to panic.

Here are the main error messages:

Firefox detected a problem and didn't continue accessing domain.com. The website is misconfigured or your computer's clock is set incorrectly. The website's certificate might have expired, which would prevent Firefox from connecting securely. If you visit this site, attackers could try to steal information like your passwords, email or credit card details.

However, this variation of the error does not include a specific code. In most cases, it will also include one of the following codes:

• SEC_ERROR_UNKNOWN_ISSUER
• SSL_ERROR_RX_MALFORMED_HANDSHAKE
• MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
• SEC_ERROR_REUSED_ISSUER_AND_SERIAL

If you see an error code like one of the above, make sure to copy it somewhere. This is your browser's way of telling you what went wrong. In our experience, a simple search for the specific error code is usually enough to help you find a solution quickly.

Microsoft Edge

The Microsoft Edge error message you see below should look familiar. It’s almost identical to the message Chrome displays, including the code:

Errors can also take different forms, including the following:

• DLG_FLAGS_SEC_CERTDATE_INVALID
• DLG_FLAGS_INVALID_CA
• DLG_FLAGS_SEC_CERT_CN_INVALID
• NET::ERR_CERT_COMMON_NAME_INVALID
• 错误代码：O

与 Chrome 一样，这些错误消息可让您深入了解 NET::ERR_CERT_AUTHORITY_INVALID 错误的根源。

Safari

如果是 Safari 用户，您会遇到“此连接不是私有的”错误的变体，这让您知道网站的证书和加密存在问题。 消息内容如下：

该网站可能会冒充“domain.com”来窃取您的个人或财务信息。 您应该返回上一页。

该特定错误是由于证书过期造成的。 正如我们之前提到的，过期的证书是 NET::ERR_CERT_AUTHORITY_INVALID 错误的最常见原因之一。

如何修复 NET::ERR_CERT_AUTHORITY_INVALID (9 种方式)

既然知道了它在大多数主要浏览器中的样子，是时候看看如何解决 NET::ERR_CERT_AUTHORITY_INVALID 错误了。 早些时候，我们讨论了其最常见的原因。 但是，我们还提到您的本地配置在某些情况下可以触发它。

这意味着这个问题有很多潜在的解决方案。 为了简单起见，我们将首先解决三个最常见的罪魁祸首，即过期、自签名和“不可信”的证书。 然后我们将转向更通用的解决方案。

1. 运行 SSL 服务器测试

如果在错误开始出现前不久安装了 SSL 证书，则安装过程中可能出现问题。 如果您手动安装证书，而不是通过您的 Web 主机安装，就通常会发生这样的情况。

检查证书是否正确安装的最简单方法是使用 SSL 检查工具，例如 Qualys SSL Labs 提供的工具。 这个特殊的工具可以免费使用。

您所要做的就是输入出现错误的域，然后单击“提交”按钮：

现在，等待几分钟，等待结果出现。 理想情况下，您应该获得 A+，并且所有证书都获得满分：

如果您没有获得满分，请向下滚动到工具显示的证书列表。 应该有一个部分告诉我们该网站证书是否受信任。 如果该工具给您一个负面的结果，那么您需要安装来自可信来源的证书。

2. 从有效机构获取证书

现在没有理由使用自签名证书。 如果成本是唯一因素，您可以从 Let’s Encrypt 获得免费证书。 由于它是一个有效的权威，每个浏览器都会识别你的证书的有效性：

对于某些网站，我们需要的不仅仅是免费证书。 免费证书需要经常更新，这可能是件苦差事。 高级证书提供更多好处，例如数据泄露时的保险、多个域的加密等等。

特别是对于电子商务网站，支付高级 SSL 证书是值得的。 如果您确实购买了证书，请确保它来自有效的授权机构，以避免遇到 NET::ERR_CERT_AUTHORITY_INVALID 错误。

3. 更新你的 SSL 证书

出于安全目的，SSL 证书需要经常更新。 续订过程会验证您域的“身份”，如果没有它，证书将失去部分有效性。 Let's Encrypt 的免费证书每 90 天更新一次，而付费选项的使用时间更长。

当期限结束时，如果您的虚拟主机不能自动处理，您将需要手动更新您的证书。 无论如何，Let's Encrypt 会在您的证书即将到期时与您联系，以便您提前续订。 但是，根据您使用的虚拟主机，您可能无法通过控制面板访问续订选项。

如果有权访问服务器，则可以使用 Certbot 工具通过命令行安装和更新 SSL 证书。

续订 SSL 证书后，请再次尝试加载您的网站，以查看 NET::ERR_CERT_AUTHORITY_INVALID 错误是否仍然存在。

4. 尝试重新加载页面（或使用隐身模式）

如果上述修复均无效，则是时候直接从您的计算机开始故障排除了。

在许多情况下，当您尝试重新加载页面时，NET::ERR_CERT_AUTHORITY_INVALID 错误会自行消失。 这样做只需要一秒钟，所以尝试不会有什么坏处。

如果错误在多次重新加载后仍然存在，我们建议您尝试使用“隐身模式”访问网站，前提是您的浏览器支持该模式：

如果网站在隐身模式下正常加载，则意味着错误可能是由您的浏览器尝试加载页面的过时缓存版本引起的。 这为我们提供了足够的信息来直接解决问题（我们将在下一节中看到）。

5. 清除浏览器的缓存和 Cookie

如果将浏览器切换到隐身模式使 NET::ERR_CERT_AUTHORITY_INVALID 错误消失，则问题可能与浏览器的缓存有关。

清除缓存和 cookie 很容易，但过程会因您使用的浏览器而异。 我们可以在如何清除所有主要浏览器的缓存这篇文章中找到所有主要浏览器中清除缓存的说明

另一种解决方案是尝试强制刷新您的网站，这样您就不必删除整个缓存。 然而，强制刷新有时不起作用，因此清除缓存是我们推荐的解决方案。

6. 同步计算机的时钟

NET::ERR_CERT_AUTHORITY_INVALID 的最常见原因之一是因为您的计算机设置了错误的日期或时间。 澄清一下，设备时钟的错误会干扰浏览器验证网站证书的能力。

如果这是问题所在，那就很容易解决。 如果发现计算机时钟与当前时间之间存在差异，您可以以秒为单位进行调整。 具体如何执行取决于您使用的操作系统 (OS)。

Windows

转到系统选项并右键单击计算机的时间，然后选择显示调整日期/时间的选项：

将出现一个设置窗口。 在 Synchronize your clock 下查找显示 Sync now 的选项，然后单击它：同步您的计算机时钟。

如果您有 Internet 连接，计算机能联网，Windows 将确保日期和时间正确。 为避免将来出现此问题，我们建议您启用自动设置时间选项。 此设置应确保您的计算机始终具有正确的时间。

Mac

如果您使用的是 macOS，同步过程也非常简单。 您所要做的就是按照以下步骤操作：

1. 在 Apple 菜单中选择系统偏好选项。
2. 单击日期和时间图标。
3. 打开自动设置日期和时间选项。

在关闭设置屏幕之前，请浏览时区选项卡并确保您使用的是正确的时区。 完成后，可以检查 NET::ERR_CERT_AUTHORITY_INVALID 错误是否仍然存在。

7. 尝试使用不同的网络

在某些情况下，当您使用公共网络时会弹出 NET::ERR_CERT_AUTHORITY_INVALID 错误，例如您可以在咖啡店或旅游景点中找到的网络。 这些网络通常不会安全地路由流量，这可能会引发错误。

如果计算机使用公共网络，我们建议尝试使用智能手机的移动数据访问您的网站。 这里的目标是确定是否是原始网络导致了错误的产生。

If the error goes away when using mobile data, then you know you need to switch networks. Another option for protecting your privacy if you frequently use public internet access is to sign up for a virtual private network (VPN).

A good VPN service will help protect your data even if you are using an unsecured access point. If you want to use a premium VPN service, you will have to pay for it, but it can be worth the expense if you are always on the go.

8. Disable your VPN or antivirus software

If you’re already using a VPN and encounter NET::ERR_CERT_AUTHORITY_INVALIDthe error, the service itself may be triggering it.

Another common culprit is antivirus software. After trying everything else, we recommend temporarily turning off your VPN and disabling your antivirus software. Then try accessing the website again and use a force refresh to make sure it’s not loading from your browser’s cache.

If the error goes away, try re-enabling both services, one at a time, and see if you get the invalid certificate notification again. This will let you know which one has the problem. You can then choose to try updating the software, contact their support team for help, or look for an alternative solution.

9. Clear your computer's SSL state

Your computer temporarily saves cached copies of the certificates for websites you visit so it doesn't have to run the entire verification process every time you visit them.

We can think of the SSL state as a cache, only for certificates. Like the cache, you can try clearing your machine's SSL state when you encounter an invalid certificate authority error.

In Windows, this can be done by accessing the Internet Options menu from the Control Panel and moving to the Content tab:

Click the Clear SSL state button, close the window, and try reloading your website.

If you're using macOS and have accepted an untrusted certificate in the past, you may need to delete the certificate exception you created for it from your Mac's Keychain.

To do this, click the Finder icon, then click Go > Utilities > Keychain Access:

Under the Category section, select Certificates . Any untrusted certificates should have a red "X" under their name. To delete them, click Edit at the top of the screen , then click Delete.

NET::ERR_CERT_AUTHORITY_INVALID may look scary 😱, but this post will give you the tools you need to fix it across browsers 💪