Net:err_cert_authority_invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cris.solutions

I ran this command: https://cris.solutions/test.php

It produced this output: NET:ERR_CERT_AUTHORITY_INVALID

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Hosting 24

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I have a problem with some older ASUS tablets which are getting "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found" error messages. I have a simple "Hello World" php script "https://cris.solutions/test.php" which returns "NET:ERR_CERT_AUTHORITY_INVALID" on one of these ASUS tablets.

I have checked the certificates and the ASUS tablet has DST Root CA X3 but not ISRG Root X1 whereas my modern smartphone (which works fine) has both certificates. Is this the root of my problem (excuse the pun)?

1 Like

Welcome to the Let's Encrypt Community, Chris :slightly_smiling_face:

The problem is that cris.solutions is serving the short/alternate chain rather than the long/default chain.

https://decoder.link/sslchecker/cris.solutions/443

1 Like

Thanks, Griffin. Excellent explanation. I only have a small number of identified users with these older tablets so I thought it would be sensible to download the ISRG Root X1 certificate to the devices rather that get the hosting service to change from short to long chain. This fixes the 'hello world' example so I know the certificate is loaded. However my Android app still reports "Trus anchor for certification path not found" any thoughts?

2 Likes

Did you restart the device after installing the self-signed ISRG Root X1 root certificate?

1 Like

Yes, and I tried both the self-signed and the cross-signed version. Still didn't work so I took the easy way out and swapped the Let's Encrypt certificate for a Comodo certificate and everything started working.

1 Like

I have a feeling there was an aspect missing/astray with the LE cert installation then. Possibly the wrong trust store?

1 Like