
NET::ERR\_CERT\_AUTHORITY\_INVALID
==================================


This browser error means the SSL certificate was not issued by a trusted authority, or the chain is incomplete. The usual cause is a self-signed certificate, a missing intermediate, or an untrusted CA.

 Published by [Mark van Eijk](https://rocketeersapp.com/author/mark-van-eijk) on June 23, 2026 · 1 minute read


About the error
---------------

Chrome shows `NET::ERR_CERT_AUTHORITY_INVALID` behind a "Your connection is not private" warning. The browser received a certificate it can't trace back to a Certificate Authority it trusts, so it refuses to proceed.

Why do I see this error
-----------------------

- A **self-signed certificate** (common in local dev and on staging).
- A **missing intermediate certificate**: the leaf is valid, but the browser can't build the chain to a trusted root.
- A certificate from an **untrusted or unknown CA**.
- A certificate that doesn't match the domain, or has expired (often a slightly different error, but related).

Solution
--------

### Serve the full certificate chain

This is the most common production cause. nginx does not fetch intermediates for you, so `ssl_certificate` must point at the **full chain** (leaf + intermediates), not just your domain's certificate:

```
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
```

Using `fullchain.pem` (not `cert.pem`) is what fixes the "authority invalid" error for an otherwise valid Let's Encrypt certificate. Reload after changing it:

```
nginx -t && systemctl reload nginx
```

### Verify the chain

Check what the server actually sends. A complete chain shows the intermediate; a broken one stops at your leaf:

```
# </dev/null closes stdin so s_client exits after printing the chain
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
```
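
Reading that output by eye gets tedious across many hosts. The script below is an added example, not part of the original article: it parses the `Certificate chain` block of `s_client` output and reports whether the server sent only the leaf, a self-signed certificate, or a linked chain. The function name `classify_chain`, the verdict strings, and both sample outputs are constructed for illustration.

```shell
# Live use: openssl s_client -connect example.com:443 -servername example.com \
#             -showcerts </dev/null 2>/dev/null | classify_chain

# Read s_client output on stdin, print one verdict for the chain the server sent.
classify_chain() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---$/        { in_chain = 0 }
    # " 0 s:<subject>" opens an entry; "   i:<issuer>" follows it
    in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n] = $0 }
    END {
      if (n == 0) { print "no-certificates"; exit }
      if (n == 1 && subj[1] == iss[1]) { print "self-signed"; exit }
      if (n == 1) { print "leaf-only"; exit }  # intermediate not sent
      # every certificate must be issued by the next one in the list
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) { print "misordered"; exit }
      print "chain-sent"
    }'
}

# Constructed sample: what a server pointed at cert.pem sends (names are made up).
sample_leaf_only() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = example.com
   i:O = Example CA, CN = Example Intermediate R1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
EOF
}

# Constructed sample: the same server pointed at fullchain.pem.
sample_full_chain() {
cat <<'EOF'
Certificate chain
 0 s:CN = example.com
   i:O = Example CA, CN = Example Intermediate R1
 1 s:O = Example CA, CN = Example Intermediate R1
   i:O = Example CA, CN = Example Root
---
EOF
}

echo "cert.pem sample:      $(sample_leaf_only | classify_chain)"
echo "fullchain.pem sample: $(sample_full_chain | classify_chain)"
```

A `chain-sent` verdict only says the server sent certificates that link to each other; whether the root at the end is trusted is still decided by the client's trust store.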

### Use a real certificate (not self-signed) in production

If this is a public site, issue a free, trusted certificate with Certbot instead of a self-signed one:

```
sudo certbot --nginx -d example.com -d www.example.com
```

### Local development

For a local self-signed certificate the warning is expected. Use a tool that installs a locally-trusted CA (such as Laravel Valet's TLS, or `mkcert`) rather than clicking through the warning every time.

This is the browser-facing cousin of two server-side TLS errors: [SSL handshake failed in nginx](/ssl-handshake-failed-nginx) and [curl (60) SSL certificate problem](/curl-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate).

