NET::ERR_CERT_AUTHORITY_INVALID
This browser error means the SSL certificate was not issued by a trusted authority, or the chain is incomplete. Usually a self-signed certificate, a missing intermediate, or an untrusted CA.
Published by Mark van Eijk on June 23, 2026
Updated on June 30, 2026 · 2 minute read
About the error
Chrome shows NET::ERR_CERT_AUTHORITY_INVALID behind a "Your connection is not private" warning. The browser received a certificate it can't trace back to a Certificate Authority it trusts, so it refuses to proceed.
Why do I see this error
- A self-signed certificate (common in local dev and on staging).
- A missing intermediate certificate: the leaf is valid, but the browser can't build the chain to a trusted root.
- A certificate from an untrusted or unknown CA.
- A certificate that doesn't match the domain, or has expired (often a slightly different error, but related).
Solution
Serve the full certificate chain
This is the most common production cause. nginx does not fetch intermediates for you, so ssl_certificate must point at the full chain (leaf + intermediates), not just your domain's certificate:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Using fullchain.pem (not cert.pem) is what fixes the "authority invalid" error for an otherwise valid Let's Encrypt certificate. Reload after changing it:
nginx -t && systemctl reload nginx
Verify the chain
Check what the server actually sends. A complete chain shows the intermediate; a broken one stops at your leaf:
openssl s_client -connect example.com:443 -servername example.com -showcerts
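The missing-intermediate failure and the fullchain.pem fix, reproduced offline as an added example (not part of the original article). It builds a throwaway root, intermediate and leaf with constructed names (Demo Root CA, Demo Intermediate CA, example.test) and checks each bundle the way a client that trusts only the root would; the helper function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: constructed root -> intermediate -> leaf PKI (all names are made up).
set -eu

# Create a key and CSR for subject $2, writing $1.key and $1.csr.
new_csr() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}

# Build the demo hierarchy in directory $1, using Certbot's file names for the
# two variants: cert.pem (leaf only) and fullchain.pem (leaf + intermediate).
build_demo_pki() {
  (
    cd "$1"
    printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
      '[leaf]' 'basicConstraints=CA:FALSE' 'subjectAltName=DNS:example.test' > ext.cnf
    new_csr root '/CN=Demo Root CA'
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
      -extfile ext.cnf -extensions ca -out root.pem 2>/dev/null
    new_csr int '/CN=Demo Intermediate CA'
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 2 -extfile ext.cnf -extensions ca -out int.pem 2>/dev/null
    new_csr leaf '/CN=example.test'
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -extfile ext.cnf -extensions leaf -out cert.pem 2>/dev/null
    cat cert.pem int.pem > fullchain.pem
  )
}

# Number of certificates in PEM bundle $1.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Succeeds if a client trusting only root $1 can build a chain from the bundle
# $2 a server would send: first cert is the leaf, the rest are untrusted helpers.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; }

demo() {
  dir=$(mktemp -d)
  build_demo_pki "$dir"
  for f in cert.pem fullchain.pem; do
    if chain_ok "$dir/root.pem" "$dir/$f"; then verdict="chain builds"
    else verdict="chain does NOT build"; fi
    echo "$f ($(cert_count "$dir/$f") cert(s)): $verdict"
  done
  rm -rf "$dir"
}
demo
```

To check a real deployment, run chain_ok against the file named in ssl_certificate, passing the issuing CA's root certificate as the first argument.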
Use a real certificate (not self-signed) in production
If this is a public site, issue a free, trusted certificate with Certbot instead of a self-signed one:
sudo certbot --nginx -d example.com -d www.example.com
Local development
For a local self-signed certificate the warning is expected. Use a tool that installs a locally-trusted CA (such as Laravel Valet's TLS, or mkcert) rather than clicking through the warning every time.
If only one device sees the error
When the site loads fine for everyone else, the problem is local to that machine, not the server:
- Wrong date and time. Certificate validation depends on the system clock. Correct the date, time and timezone, then reload the page.
- Antivirus or firewall HTTPS scanning. Security software that inspects encrypted traffic substitutes its own certificate. Turn off HTTPS/SSL scanning in the tool, or let it install its trusted CA.
- A corporate proxy performing TLS interception. Your network administrator needs to deploy the proxy's root certificate to the device's trust store.
This is the browser-facing cousin of two server-side TLS errors: SSL handshake failed in nginx and curl (60) SSL certificate problem.
Frequently asked questions
- Is it safe to bypass NET::ERR_CERT_AUTHORITY_INVALID?
- Only on a machine you control and a site you trust, such as your own local development server. On a public website the warning means the certificate can't be verified, so clicking through sends your data over a connection that isn't proven secure. Fix the certificate instead of bypassing the warning.
- How do I fix NET::ERR_CERT_AUTHORITY_INVALID on Android?
- If it's your own server using a self-signed certificate, install that CA on the device under Settings → Security → Encryption & credentials → Install a certificate. For a public site the real fix is server-side: serve the full chain and use a trusted certificate. If only that one phone is affected, also check its date, time and timezone.
- Why do I get the error in Chrome but not in another browser?
- Browsers and operating systems keep separate trust stores and cache intermediate certificates differently. A browser that already cached the intermediate can still build the chain, while a fresh one fails. The reliable fix is to make the server send the full chain so no browser has to fill in the gap itself.
- Does this error mean my certificate has expired?
- No. Expiry produces a different error, NET::ERR_CERT_DATE_INVALID. "Authority invalid" means the browser can't trace the certificate back to a trusted Certificate Authority, usually because of a missing intermediate or a self-signed or untrusted certificate.
- The site works for everyone except me. Why?
- When a single device sees the error, the cause is local to that machine rather than the server: a wrong system clock, antivirus or firewall software that inspects HTTPS traffic, or a corporate proxy performing TLS interception. Check the date and time first, then any security software.