ERR_CERT_AUTHORITY_INVALID on Chrome 53.0.2875 MacOS Sierra, Safari accepts the certificate

My domain is: https://peta-file.com

My operating system is (include version): MacOS Sierra

My web server is (include version): NGINX

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I have a Let’s Encrypt certificate on my site https://peta-file.com (it’s a file hosting site… I just have a terrible sense of humour), previously it has been recognized as valid both on my work machine (Windows 10, Chrome 53.something and MS Edge) and on my home machine (OSX El Capitan, Chrome 53.something and Safari). Today I upgraded to Sierra and noticed after the upgrade that Chrome (version 53.0.2875) is giving me an ERR_CERT_AUTHORITY_INVALID on the certificate on my site. Testing with Safari (Version 10.0 (12602.1.50.0.10)) it shows as valid.

I thought at this point all modern browsers were okay with the LE certificates. I don’t believe I screwed up issuing the certificate as it showed as valid yesterday, is nowhere near its expiry date, and it shows as valid under Safari. Is anybody else encountering this problem?

Your certificate is for peta-file.com but sometimes you’ve linked www.peta-file.com which is a different name. You should ensure all the names used for a site are included in the certificate.

It also looks as though you’re replacing that certificate really often (daily?), please try not to do that unnecessarily.

First, thanks for responding!

As for the URL: that was a typo in my haste to post here. I have been linking it on other sites without the “www.” prefix, and, for example, using this exact URL:
https://peta-file.com/scores/2016/2016_06_04__scores.txt

I receive a certificate error still on my home machine. Do you have any further suggestions?

I have a second computer at home, a MacBook Pro running El Capitan with Chrome 52.0.2743.116, and it shows the certificate at the above posted URL to be valid. And, while I was posting, I updated it to Chrome 53.0.2785.116 and it still shows the certificate to be valid.

Related to your second point, is it not a good idea to renew daily? I hate things ever getting close to their expiry but I suppose this is a bit excessive. I’ll change the cron job to run every 30 days, is that a better choice?

Gross incompetence wins out… Not sure why this is the only configuration not to trust it, but I was listing “cert.pem” instead of “fullchain.pem” as the certificate file in my nginx config. For some reason every single browser / OS configuration let that slide except for Chrome 53 on macOS Sierra. I seem to have everything working properly now. Live and learn!

Thanks for helping!


Thanks for figuring this out! I created my cert quite a while ago, followed the instructions, and have let it be except for renewals. Up until now it was no issue. I’m guessing the original instructions didn’t say to include “fullchain.pem”, since I don’t think I used the nginx installer.

FYI, Safari & Firefox showed the full cert chain anyway (at least to my eyes) with just cert.pem; it was only Chrome that was having an issue.

Browsers may cache certificates, so if you visit site A (which is configured correctly for a particular CA Issuer) then site B (which isn’t configured correctly but has the same Issuer) things may appear to work, whereas if you’d visited site B first you’d see an error.

Some browsers also use the AIA metadata inside the certificate to spontaneously download certificates that might help prove trust. On the other hand that’s a privacy issue, because you’ll implicitly reveal which sites you visited by trying to fetch any certificates they mention…

So the server must be configured to just send the whole chain if you actually want things to work reliably.
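The fix in this thread (point nginx at fullchain.pem, not cert.pem) and the explanation above (the server must send the whole chain rather than rely on the browser having cached or fetched the intermediate) both come down to one question: how many certificates does the configured file contain, and how many does the server actually send? The script below is an added example, not code from the thread or from Let’s Encrypt. It lints an nginx config for `ssl_certificate` directives that point at a leaf-only file, and includes a `served_chain_count` helper that uses `openssl s_client -showcerts` against a live host (needs network, so it is defined but not called). The temp directory, the dummy PEM bodies and the sample config are constructed fixtures for the demo, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): detect the cert.pem-instead-of-fullchain.pem
# misconfiguration. All fixtures below are constructed for the demo.

# Count X.509 certificates in a PEM file. A Let's Encrypt cert.pem holds only the
# leaf (1); fullchain.pem holds the leaf plus the intermediate(s), so 2 or more.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if every ssl_certificate directive in an nginx config points at a file
# holding more than one certificate; otherwise print the offenders and return 1.
nginx_chain_ok() {
    conf="$1"
    rc=0
    # Strip comments, then take the path argument of each ssl_certificate directive
    # (ssl_certificate_key is a different directive and does not match $1 exactly).
    for f in $(sed 's/#.*//' "$conf" | awk '$1 == "ssl_certificate" { sub(/;$/, "", $2); print $2 }'); do
        if [ ! -f "$f" ]; then
            echo "missing file: $f"; rc=1; continue
        fi
        n=$(pem_cert_count "$f")
        if [ "$n" -lt 2 ]; then
            echo "leaf only ($n cert): $f -- point ssl_certificate at fullchain.pem so the intermediate is sent"
            rc=1
        fi
    done
    return $rc
}

# What a browser actually receives: the chain sent in the TLS handshake.
# Requires network access, so it is not invoked in this demo. Usage: served_chain_count peta-file.com
served_chain_count() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# --- constructed fixtures: dummy PEM bodies, not real certificates ---
DEMO=$(mktemp -d)
fake_cert() { printf -- '-----BEGIN CERTIFICATE-----\nMIIBdummy%s\n-----END CERTIFICATE-----\n' "$1"; }
fake_cert leaf > "$DEMO/cert.pem"
{ fake_cert leaf; fake_cert intermediate; } > "$DEMO/fullchain.pem"

# bad.conf reproduces the thread's misconfiguration; good.conf is the corrected form.
cat > "$DEMO/bad.conf" <<EOF
server {
    listen 443 ssl;
    server_name peta-file.com;
    ssl_certificate     $DEMO/cert.pem;       # leaf only: browsers must find the intermediate themselves
    ssl_certificate_key $DEMO/privkey.pem;
}
EOF
sed "s#$DEMO/cert.pem#$DEMO/fullchain.pem#" "$DEMO/bad.conf" > "$DEMO/good.conf"

echo "bad.conf:";  nginx_chain_ok "$DEMO/bad.conf"  || echo "  -> FAIL"
echo "good.conf:"; nginx_chain_ok "$DEMO/good.conf" && echo "  -> OK"
```

The lint only counts PEM blocks, which is enough to tell cert.pem from fullchain.pem on a Let’s Encrypt layout; it does not verify that the extra certificate is the right intermediate. For that, compare the output of `served_chain_count` against a browser or `openssl verify` from a machine that has no cached intermediates, since a browser that has already seen the intermediate on another site will hide the problem, exactly as described above.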

Interesting. Thanks for the quick and clear explanation that someone with minimal knowledge can understand. The privacy angle makes sense now, and I’ve no clue, but maybe that’s what Chrome stopped doing, and for just that reason.
