Net:err_cert_authority_invalid

christyler · October 13, 2021, 5:38pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cris.solutions

I ran this command: https://cris.solutions/test.php

It produced this output: NET:ERR_CERT_AUTHORITY_INVALID

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Hosting 24

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I have a problem with some older ASUS tablets which are getting "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found" error messages. I have a simple "Hello World" php script "https://cris.solutions/test.php" which returns "NET:ERR_CERT_AUTHORITY_INVALID" on one of these ASUS tablets.

I have checked the certificates and the ASUS tablet has DST Root CA X3 but not ISRG Root X1 whereas my modern smartphone (which works fine) has both certificates. Is this the root of my problem (excuse the pun)?

griffin · October 13, 2021, 8:14pm

Welcome to the Let's Encrypt Community, Chris

The problem is that cris.solutions is serving the short/alternate chain rather than the long/default chain.

christyler · October 14, 2021, 7:41am

Thanks, Griffin. Excellent explanation. I only have a small number of identified users with these older tablets so I thought it would be sensible to download the ISRG Root X1 certificate to the devices rather that get the hosting service to change from short to long chain. This fixes the 'hello world' example so I know the certificate is loaded. However my Android app still reports "Trus anchor for certification path not found" any thoughts?

griffin · October 14, 2021, 1:07pm

Did you restart the device after installing the self-signed ISRG Root X1 root certificate?

christyler · October 14, 2021, 3:36pm

Yes, and I tried both the self-signed and the cross-signed version. Still didn't work so I took the easy way out and swapped the Let's Encrypt certificate for a Comodo certificate and everything started working.

griffin · October 14, 2021, 3:43pm

I have a feeling there was an aspect missing/astray with the LE cert installation then. Possibly the wrong trust store?

system · November 13, 2021, 3:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.