Certificate Chain problem ERR_CERT_AUTHORITY_INVALID

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.fish4flies.com

I ran this command:

It produced this output:

My web server is (include version): IIS7

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Windows Server 2016

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme v2.1.18.1119.x64

I have just recovered from a server failure, which I ended up having to rebuild the OS; and am struggling with a Chain issue. I`m not sure if I need to install an intermediate certificate on the server to support this?

I have tested this domain (it effects all domains on the server) here, and it shows that the chain is missing:

I have followed the installation instructions of win-acme, which is basically save to a folder and run. From here I have reissued all certificates on the IIS server.

The certificates show fine on desktop, but when I check on my mobile this morning (andriod/chrome), it comes up with ERR_CERT_AUTHORITY_INVALID.

The LetsEncrypt site doesnt suggest that I need to install any intermediary certificates installed, but it doesnt look like I have a Lets Encrypt in the TrustedAuthority on the server; I attempted to install the Let’s Encrypt R3, but it doesn`t seem to have appeared in the list after it said it was successful.

Any guidance on how to fix the chain issue would be appreciated.

1 Like

Your Webserver is configured to serve only the Intermediate Certificate that is signed by Let's Encrypts own Root "ISRG Root X1".
So if your Android device runs on Android 7 or older it will not trust this Root Certificate yet.

But I'm not really shure what the Error from sslchecker.com means, it looks like they are not trusting "ISRG Root X1" as well.
(When I test a domain of mine with a self issued certificate (private CA) I get the same error.)

This website reports good results:

You could try to modify your webserver config to use an alternate Chain:
www.fish4flies.com --> R3 --> ISRG Root X1 --> DST Root CA X3

Currently you are using this chain:
www.fish4flies.com --> R3 --> ISRG Root X1 (self signed)


Welcome to the Let's Encrypt Community, David :slightly_smiling_face:

Firstly, I'd like to thank @maxi322 for assisting here. The analysis and advice given is generally right on target. I'll add a few clarifications that may help.

That is an excellent tool for seeing the chain. I find sslchecker.com to be difficult to interpret. As we can see, the chain stops at R3. It should stop at ISRG Root X1 signed by DST Root CA X3.

The current default chain being served by Boulder (the Let's Encrypt CA software) is the "alternate Chain" that @maxi322 has mentioned above. The chain you are currently serving is in fact the current alternate chain. So, right idea, just clarification needed.

Here is your correct fullchain.pem file containing your leaf certificate and both intermediate certificates. All three need to be served, as @maxi322 mentioned.

fullchain.pem (5.8 KB)


You need to disable TLS 1.0 and TLS 1.1.


1 Like

Brilliant, thank @maxi322 and @griffin I`ve managed to get it to server the ISRG Root X1 and DST Root CA X3 certs now.

Also I have disabled TLS 1.0/1 so score an A grade on SSL labs :slight_smile:

SSLChecker is also showing the chain, but missing the root. I`m assuming this is ok?

Thanks again for your invaluable advice, Radderz




That's correct. You don't want to serve the (self-signed) root.

You are quite welcome. :blush:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.