Bit baffled: ERR_CERT_AUTHORITY_INVALID

Dear Folks,

My domain is: lyra.foundation

I ran this command: letsencrypt --nginx -d www.lyra.foundation -d lyra.foundation
It produced this output: Produced a fullchain.pem all fine.
My web server is (include version): nginx
The operating system my web server runs on is (include version): Linux
My hosting provider, if applicable, is: It's a 128 GB RAM 12 Core Scaleway Bare Metal
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

I'm a bit baffled, because SSLLabs looks fine (besides a DNS warning) and both URLs https://lyra.foundation and https://www.lyra.foundation work fine on all of my devices.

But I'm receiving reports about a NET::ERR_CERT_AUTHORITY_INVALID warning in Chrome.

After some Google'ing, that seems to be sometimes caused by a missing Intermediate Certificate.

So I repeated the bash line:
echo | openssl s_client -connect lyra.foundation:443 -servername lyra.foundation 2>/dev/null | awk '/Certificate chain/,/---/'

But it yields seemingly good output:

Certificate chain
 0 s:CN = www.lyra.foundation
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 18 09:06:22 2023 GMT; NotAfter: Sep 16 09:06:21 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT


Could somebody check what might be the problem? Thanks a bunch.
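A small parser for the kind of chain listing shown above, added here as an example and not code from the original thread. It checks that each certificate's issuer matches the next certificate's subject, which certificates are outside their validity window at a chosen date, and which names a client's trust store would need to contain for the served chain to verify; the embedded chain text is a constructed sample shaped like the output quoted in the post.

```python
import re
from datetime import datetime

# Constructed sample: the "Certificate chain" section of `openssl s_client`
# output, shaped like the chain quoted in the post above.
SAMPLE_CHAIN = """Certificate chain
 0 s:CN = www.lyra.foundation
   i:C = US, O = Let's Encrypt, CN = R3
   v:NotBefore: Jun 18 09:06:22 2023 GMT; NotAfter: Sep 16 09:06:21 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
"""

ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")

def parse_date(s):
    # openssl prints e.g. "Sep  4 00:00:00 2020 GMT"; collapse the padding first.
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y %Z")

def parse_chain(text):
    """Parse the s:/i:/v: lines into one dict per certificate, in served order."""
    certs = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            certs.append({"depth": int(m.group(1)), "subject": m.group(2).strip()})
            continue
        body = line.strip()
        if not certs:
            continue  # header line before the first entry
        if body.startswith("i:"):
            certs[-1]["issuer"] = body[2:].strip()
        elif body.startswith("v:"):
            nb, na = body[2:].split(";")
            certs[-1]["not_before"] = parse_date(nb.split(":", 1)[1])
            certs[-1]["not_after"] = parse_date(na.split(":", 1)[1])
    return certs

def check_chain(certs, now):
    """Linkage check, validity at `now`, and the names one of which a client
    must already trust: any non-leaf subject in the chain, or the issuer of
    the last certificate served (which the server does not send itself)."""
    linked = all(a["issuer"] == b["subject"] for a, b in zip(certs, certs[1:]))
    expired = [c["depth"] for c in certs if not c["not_before"] <= now <= c["not_after"]]
    anchors = [c["subject"] for c in certs[1:]] + [certs[-1]["issuer"]]
    return {"linked": linked, "expired": expired, "trust_anchor_candidates": anchors}
```

Run it against a date after one of the listed NotAfter values to see which depth drops out of the chain; a device that only trusts the last issuer will reject the chain once the certificate signed by that issuer has expired.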

If everything checks out (looks like you did a thorough job), you probably need to ask for more detailed reports.

4 Likes

Thanks. Does it work in your browser?

The critical report indicates that https://chat.openai.com works, while our sites do not.

Even if it is an old device, disregarding Chrome's auto-update, I would desire the same compatibility as ChatGPT achieved.

(Simply the newest HTTPS site off the top of my head)

It works perfectly fine in my Chrome browser on a recent Android.

You could try an Incognito window, which might eliminate caching issues.

Also, does a site like https://letsencrypt.org work on that Chrome? It uses the same cert chain as you are.

3 Likes

Thx. Let's Encrypt works.

Out of ideas for now.

Did you try that for your domain name? I see 40 tabs open maybe you have some old faulty cert info cached for your domain.

Do you have multiple devices using chrome that fail or just this one?

3 Likes

Works just fine.

Please check the certificate information and chain in the browser when this error is shown.

3 Likes

I asked.

https://lyralang.org works (in Incognito)
https://lyra.foundation does not (in Incognito)

I wouldn't dare to assume DNS for new gTLDs to be the problem, since another .org domain doesn't work either.

The only thing I can think of is that all domains that don't work have in common that the certificate for www. was requested before the @ domain (www.lyra.foundation before lyra.foundation), and nginx includes /etc/letsencrypt/.../www.lyra.foundation rather than lyra.foundation

I didn't check if there is a fullcert.pem for each specific hostname, and my knowledge of HTTPS lacks the detail whether a single fullchain.pem can support www. and @

Anyways, nginx is configured to redirect even calls to https://www.lyra.foundation to https://lyra.foundation

I did that setup for all domains past lyralang.org so probably that's the problem?

Curiously it works on most devices though.

¯\_(ツ)_/¯

That's why we need more information from the devices which aren't working.

4 Likes

It's an Android phone by an end user who was barely able to open Incognito. Chrome doesn't display cert details with an easy click AFAIK

Sure it does, just tap on either the lock symbol or the triangle warning symbol, whichever is present. Then you're presented with more options including one leading to the certificate and chain.

3 Likes

Maybe I'm too dumb. Triangle

Details leads to a Google Help page

What version of Chrome is that?

4 Likes

Newest. Btw, mine was older. That Google Chrome can't auto-update on Google Android is disturbing.

You should google how to view the cert info. I don't quite follow which machine and version is failing and which works for you. All my testing tools say your certs are fine.

Different chrome versions show info differently. That's why I asked.

There is nothing wrong with your certs. But, there is something odd with that one (or more?) Chrome. I'd still bet on some old cert cache but there are other possibilities.

Once you can view the failed cert we will see why it's wrong. And, that will hopefully help figure out how to fix your chrome.

2 Likes

You can simply tap on the text without hitting "Details" (title or text, doesn't matter, as long as you miss the "Details" link). Then, the text changes and a link with "Certificate information" is shown, which can be tapped/clicked.

It then shows the end leaf certificate of the site presented to the browser and at the top there's a pull-down menu for the chain.

5 Likes
