ERR_CERT_AUTHORITY_INVALID is a browser SSL error indicating the website's certificate cannot be trusted. This guide covers every cause — from self-signed certificates to missing intermediate CAs — and provides step-by-step fixes for both website owners and visitors.
When a browser connects to an HTTPS site, it verifies the SSL certificate against a list of trusted Certificate Authorities (CAs) built into the operating system and browser. If verification fails for any reason, the browser blocks the connection and shows this error.
| Cause | Affects | Fix |
|---|---|---|
| Self-signed certificate | All visitors | Install a CA-signed certificate (e.g. Let's Encrypt) |
| Missing intermediate certificate | All visitors | Install full certificate chain on server |
| Certificate issued for wrong domain | All visitors | Reissue certificate for correct domain |
| Expired certificate | All visitors | Renew the certificate |
| System clock is wrong | One device | Correct system date and time |
| Antivirus HTTPS inspection | One device | Disable HTTPS scanning in antivirus |
| Outdated browser or OS | One device | Update browser and OS |
If you are a visitor seeing this error on someone else's website, these steps may resolve it on your end:
SSL certificates are valid only within a specific date range. If your system clock is wrong, the browser may think the certificate is expired or not yet valid. Ensure your system time is set to the correct date, time, and timezone — ideally via automatic time sync (NTP).
chrome://settings/security
# Then: Manage certificates → Clear SSL stateTemporarily disable your antivirus and retry. If the error disappears, your antivirus is intercepting HTTPS traffic. Look for settings labelled "HTTPS scanning," "SSL inspection," or "Web shield" and disable them, or add the site as an exception.
Older browsers and operating systems may not include newer CA root certificates. Updating ensures your trust store is current.
If visitors to your website are seeing ERR_CERT_AUTHORITY_INVALID, you need to fix the certificate configuration on your server.
Run a free scan at SSL Labs. It will show exactly what is wrong: expired cert, missing chain, wrong domain, or weak cipher.
openssl s_client -connect yourdomain.com:443 -showcerts 2>/dev/null | openssl x509 -noout -text | grep -E "Issuer|Subject|Not After"# Install Certbot
sudo apt install certbot python3-certbot-nginx
# Issue certificate
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Auto-renew (runs twice daily)
sudo systemctl enable certbot.timerA self-signed certificate is one signed by the same entity that created it, rather than by a trusted CA. Browsers do not trust self-signed certificates by default because there is no independent verification that the certificate belongs to who it claims.
Self-signed certificates are acceptable for internal development environments where you control all devices and can manually install the certificate as trusted. They are never appropriate for public-facing websites.
Most CAs do not issue certificates directly from their root CA. Instead, they use intermediate CAs. Your server must send the full chain — your certificate plus all intermediate certificates — so browsers can build a trust path to the root CA.
If the intermediate certificate is missing, some browsers (particularly on mobile) will show ERR_CERT_AUTHORITY_INVALID even though the certificate itself is valid.
# In your server block:
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# fullchain.pem includes both your cert AND the intermediate certsSSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pemAlive24x7 monitors your SSL certificates around the clock. Get alerts 30, 14, and 7 days before expiry — and instant alerts if your certificate becomes invalid or untrusted at any time.
Start Free SSL Monitoring