ERR_CERT_AUTHORITY_INVALID for local connections

I am using Plex and PlexPy. I have had PlexPy (it hosts an HTTPS page) set up with a Let's Encrypt certificate valid for www.example.domain, example.domain and local.example.domain (a Google domain).

Example.domain is updated via DDNS,
local.example.domain has an A record with the local IP,
and my cert is valid for both names.

For the past two months or so I have been using this setup with no problems (accessing a simple HTTPS page locally and externally), no SSL errors on either side.

A couple of days ago I started getting NET::ERR_CERT_AUTHORITY_INVALID on clients connecting locally. WAN still works just fine…

If you compare the cert the server is producing and the actual cert file, they match perfectly.

I tried replacing the cert with a new one, with no change. I went to work and came home and it was working just fine… I then got up this morning to get the same error again…
I'm kind of at a loss :confused:

Browsers should let you save a copy of the certificate in this case; could you do that and post it here?

Oddly, it has stopped happening again… I’ll post here again if it returns. Thank you though :slight_smile:

I found my tablet is still getting the error, whereas my phone is not. The only difference between the two in the cert viewer is that my phone is receiving my cert, the LE Authority X3, and the DST Root CA X3. My tablet, however, is only receiving my cert. This is happening with all the HTTPS web pages hosted by that server (with different software).

The rest of the information in the cert is consistent across my phone, tablet, and the raw cert file.

That’s strange! I’d say you should tell us your domain name so that we can test it for ourselves, and double-check your configuration to be sure that there isn’t a different configuration for certain kinds of clients.

You could also try capturing the TLS handshake with a packet sniffer to see exactly what the differences are at a protocol level.

Aaannnddd it's gone again… This is really starting to bother me… I'll capture what I can if it comes back again :confused:

Are you quite sure that your server is providing the Let’s Encrypt intermediate certificate? Some browsers might be able to download it independently, or have it cached after visiting another site that used the same intermediate.

Are you using plexpy itself to terminate the TLS connection, or do you have a web server acting as a proxy in front of it? If the former, perhaps you could check your plexpy configuration to make sure it’s configured to serve the intermediate certificate. Looking at the source I think it’s called “HTTPS Certificate Chain”?

I'm not using anything between PlexPy and the end client.
PlexPy allows you to specify cert and key, but no other configuration.
I'm not sure it's a problem with the software hosting the page, because it is happening with PlexPy, Plex's web client, and qBittorrent's remote manager (all HTTPS pages using the same cert).

Each service is on its own single port that is being used for LAN and WAN connections (not port 80/443, because Telus is a pain in the ass with residential connections :/).

I would rather not disclose my domain name unless absolutely necessary.

Hmm, seems you're right, and this may be fixed in the beta version.

If you're uncomfortable using that (I obviously have no clue how stable it is) you might consider sticking apache or nginx in front.

Did you configure the other software to serve the intermediate certificate?

No, the rest is configured the same way, cert/key (PFX for Plex).

The intermediate cert my browser is receiving matches the first one found here:

Well, if none of your servers is configured to provide the intermediate certificate, that would explain why they all have problems :wink:

Your server needs to provide the intermediate cert or you will have exactly this kind of intermittent problem. If your software does not accept an intermediate certificate directly, it may accept a combined cert and intermediate (such as the fullchain.pem file provided by certbot).

If it doesn’t accept either (as seems to be the case with plexpy) you can always stick an ordinary web server in front as a proxy.

Ahhh, I see why it's intermittent: the server doesn't provide the chain, just the domain cert. The reason it works sometimes and not others is that I have visited other LE pages serving a whole LE chain. My browser has saved it from this forum in particular…

I'll see if I can combine the chain into a single PEM without issue.

How can I go about clearing the LE chain my phone has saved from here so it doesn't have it when connecting to PlexPy? (To test if my chain is working.)
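An added example, not from anyone in this thread, that checks for exactly the problem diagnosed above: it parses the `Certificate chain` section printed by `openssl s_client -showcerts` (OpenSSL 1.1+ output format is assumed) and reports whether the server sent only the leaf, or a chain whose issuer/subject links do not line up. The two sample outputs are constructed; the PEM bodies are placeholders.

```python
import re
import subprocess
from typing import List, Tuple

# Header lines printed by `openssl s_client -showcerts` for each certificate:
#  " 0 s:CN = host" followed by "   i:<issuer DN>" (OpenSSL 1.1+ formatting).
_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def fetch_showcerts(host: str, port: int) -> str:
    """Ask the server for its chain (network call; the offline demo below does not use it)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input="", capture_output=True, text=True, check=False).stdout


def parse_showcerts(output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in _ENTRY.finditer(output)]


def chain_problems(chain: List[Tuple[str, str]]) -> List[str]:
    """Explain why a client that has not cached the intermediate would reject this chain."""
    if not chain:
        return ["no certificates presented"]
    problems = []
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        problems.append("server sends only the leaf; no intermediate in the chain")
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"issuer '{issuer}' does not match next subject '{next_subject}'")
    return problems


# Constructed sample: what a server configured with only cert + key sends (the thread's case).
LEAF_ONLY = """\
Certificate chain
 0 s:CN = local.example.domain
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIB...placeholder-leaf...
-----END CERTIFICATE-----
"""

# Constructed sample: the same server after switching to a combined leaf + intermediate PEM.
FULL_CHAIN = LEAF_ONLY + """\
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIE...placeholder-intermediate...
-----END CERTIFICATE-----
"""
```

Run `chain_problems(parse_showcerts(fetch_showcerts("local.example.domain", 8181)))` against a live service (host and port are placeholders) to see the same report for a real server.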


Strangely, most browsers don't seem to provide a convenient way to remove cached certs (since they tend to think that this caching is only a benefit to the user). But you could test your configuration with SSL Server Test (Powered by Qualys SSL Labs), which among other things provides a diagnosis of chain misconfiguration issues.

If your server isn’t listening on port 443, the ssllabs test won’t work, but there are a number of offline tools that can perform similar tests - I’m quite fond of testssl.sh myself.


I ended up using https://www.digicert.com/help/ to do my SSL testing. The problem now is that both PlexPy and qBittorrent don't have a way to include the intermediate/root certs. I think I'm going to take the easy route and just install the intermediate certs on the devices that are local.

Thanks for all your help, guys :slight_smile: especially with the quick responses.
