
NET::ERR_CERT_AUTHORITY_INVALID


This browser error means the SSL certificate was not issued by a trusted authority, or the chain is incomplete. The usual cause is a self-signed certificate, a missing intermediate, or an untrusted CA.

Published by Mark van Eijk on June 23, 2026 · 1 minute read

  1. About the error
  2. Why do I see this error
  3. Solution
  4. Serve the full certificate chain
  5. Verify the chain
  6. Use a real certificate (not self-signed) in production
  7. Local development

About the error

Chrome shows NET::ERR_CERT_AUTHORITY_INVALID behind a "Your connection is not private" warning. The browser received a certificate it can't trace back to a Certificate Authority it trusts, so it refuses to proceed.

Why do I see this error

  • A self-signed certificate (common in local dev and on staging).
  • A missing intermediate certificate: the leaf is valid, but the browser can't build the chain to a trusted root.
  • A certificate from an untrusted or unknown CA.
  • A certificate that doesn't match the domain, or has expired (often a slightly different error, but related).

Solution

Serve the full certificate chain

This is the most common production cause. nginx does not fetch intermediates for you, so ssl_certificate must point at the full chain (leaf + intermediates), not just your domain's certificate:

ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Using fullchain.pem (not cert.pem) is what fixes the "authority invalid" error for an otherwise valid Let's Encrypt certificate. Reload after changing it:

nginx -t && systemctl reload nginx

Verify the chain

Check what the server actually sends. A complete chain shows the intermediate; a broken one stops at your leaf:

openssl s_client -connect example.com:443 -servername example.com -showcerts
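
To turn that output into a quick verdict, the following added example (not part of the original article) parses the "Certificate chain" section that s_client prints and reports whether the server sent only the leaf or a leaf plus linked intermediates. The function name chain_status and the certificate names in the samples are constructed for illustration; the check compares subject and issuer names only and does not verify signatures or trust.

```shell
#!/bin/sh
# Added example: classify the chain a server sent, from the text that
# `openssl s_client -showcerts` prints. Compares subject/issuer names only;
# it does not verify signatures or trust.
chain_status() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---$/  { in_chain = 0 }
    # "<depth> s:<subject>" starts a new certificate entry
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    # "i:<issuer>" belongs to the entry just started
    in_chain && n > 0 && /^ +i:/ { sub(/^ +i:/, ""); iss[n - 1] = $0; next }
    END {
      if (n == 0) { print "no-chain"; exit }
      # each certificate must be issued by the next one in the list
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) { print "broken-link " k; exit }
      if (n == 1 && iss[0] == subj[0]) { print "self-signed"; exit }
      if (n == 1) { print "leaf-only"; exit }
      print "linked " n
    }'
}

# Constructed sample: server configured with only the leaf (cert.pem).
sample_leaf_only() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = example.com
   i:C = XX, O = Example CA, CN = Example Intermediate
---
EOF
}

# Constructed sample: server configured with fullchain.pem.
sample_full_chain() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = example.com
   i:C = XX, O = Example CA, CN = Example Intermediate
 1 s:C = XX, O = Example CA, CN = Example Intermediate
   i:C = XX, O = Example CA, CN = Example Root
---
EOF
}

echo "leaf only : $(sample_leaf_only | chain_status)"
echo "full chain: $(sample_full_chain | chain_status)"
# Live use: openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | chain_status
```

A "leaf-only" result on a public site is the missing-intermediate case described above; "linked N" means the server sent N certificates whose names chain together.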

Use a real certificate (not self-signed) in production

If this is a public site, issue a free, trusted certificate with Certbot instead of a self-signed one:

sudo certbot --nginx -d example.com -d www.example.com

Local development

For a local self-signed certificate the warning is expected. Use a tool that installs a locally-trusted CA (such as Laravel Valet's TLS, or mkcert) rather than clicking through the warning every time.

This is the browser-facing cousin of two server-side TLS errors: SSL handshake failed in nginx and curl (60) SSL certificate problem.
