Error NET::ERR_CERT_AUTHORITY_INVALID
-
I have a local certificate from an unknown publisher that comes with my web development environment.
When I access the website in normal browser mode, I receive an error message:
If I try the same URL in incognito mode, I receive the same warning, but with a link that allows me to proceed:
How do I get this link to appear in normal mode or simply have the browser ignore the error and grant access?
What I have tried so far:
- Adding the certificate to trusted sources
- Removing the certificate
- Enabling the "Allow invalid certificates for resources loaded from localhost" setting on the vivaldi://flags page
- Adding the domain to the "Insecure origins treated as secure" setting
- Disabling antivirus and firewalls
- Clearing cookies
- Launching the browser with the -ignore-certificate-errors- flag
-
The source code definition for the error is:
// The server responded with a certificate that is signed by an authority
// we don't trust. The could mean:
//
// 1. An attacker has substituted the real certificate for a cert that
//    contains their public key and is signed by their cousin.
//
// 2. The server operator has a legitimate certificate from a CA we don't
//    know about, but should trust.
//
// 3. The server is presenting a self-signed certificate, providing no
//    defense against active attackers (but foiling passive attackers).
//
The error can be displayed for a lot of different reasons, from a signature verification issue, to incorrect dates, unknown issuers (which sounds like the reason in this case, you need to either install the issuer cert or change the server cert to something that will be accepted), or a cert that is blocklisted, e.g. due to compromise.
I am unsure about why Private Window allows continue, but that could be because changes in that mode are not persistent.
BTW, for future reference, when posting screenshots/text in English forums like this one, please change the UI language to English.
-
@yngve I've never seen that first image in a Chromium browser, with the cert details and PEM encoding. In what circumstances does that one pop up?
-
@Pathduck said in Error NET::ERR_CERT_AUTHORITY_INVALID:
the cert details and PEM encoding.
There is a "show details" button/link in many of these blocking dialogs when there are extra certificate details.
-
@yngve Aha, just clicking the error message!
I had no idea that was even there
-
@zapominai Have you really added the certificate to Windows user's Trusted Root Certificates?
That should work with such self-signed certificates.
-
@DoctorG said in Error NET::ERR_CERT_AUTHORITY_INVALID:
Have you really added the certificate to Windows user's Trusted Root Certificates?
That should work with such self-signed certificates.
Yes, it was displayed in the appropriate section. However, there was a small exclamation mark on its icon.
-
@Pathduck I tried accessing https://self-signed.badssl.com in normal mode and the link to proceed appeared, despite receiving the same error code... NET::ERR_CERT_AUTHORITY_INVALID. The browser does not display the link in normal mode specifically for my local certificate.
-
@yngve said in Error NET::ERR_CERT_AUTHORITY_INVALID:
I am unsure about why Private Window allows continue, but that could be because changes in that mode are not persistent.
I checked the dates, they are all okay. I also added it to the trusted roots, but the error persisted. I'll try changing the certificate. Thanks for the idea.
BTW, for future reference, when posting screenshots/text in English forums like this one, please change the UI language to English.
Sorry, I translated the message from the Russian part of the forum. The screenshots will now be in English interface.
Somehow, the link to proceed appears for the website https://self-signed.badssl.com/ even in normal mode...
-
@zapominai said in Error NET::ERR_CERT_AUTHORITY_INVALID:
@Pathduck I tried accessing https://self-signed.badssl.com in normal mode and the link to proceed appeared, despite receiving the same error code... NET::ERR_CERT_AUTHORITY_INVALID. The browser does not display the link in normal mode specifically for my local certificate.
Your certificate is not self-signed, it's signed by something called ospanel. So a better BadSSL page would be this:
https://untrusted-root.badssl.com
This ospanel is not a valid Certificate Authority, and no browser would accept such a certificate unless the ospanel certificate is added to the local OS truststore. Ideally one would export both the localhost and the ospanel certificate into the trust store, although it should not in theory be necessary to add the localhost one if it's signed by ospanel and that one is trusted.
I don't know why the browser will not allow you to "proceed anyway".
Have you tested in other browsers, specifically Chromium ones - Edge, Chrome, Opera?
-
@Pathduck said in Error NET::ERR_CERT_AUTHORITY_INVALID:
Your certificate is not self-signed, it's signed by something called ospanel. So a better BadSSL page would be this:
https://untrusted-root.badssl.com
I tried https://untrusted-root.badssl.com and there's a link to proceed in normal mode.
This ospanel is not a valid Certificate Authority, and no browser would accept such a certificate unless the ospanel certificate is added to the local OS truststore. Ideally one would export both the localhost and the ospanel certificate into the trust store, although it should not in theory be necessary to add the localhost one if it's signed by ospanel and that one is trusted.
It would be enough for me to just have a link to proceed. Adding the certificate to trusted ones didn't affect the browser behavior. I can provide screenshots of the added certificate, but my system interface is in Russian.
I don't know why the browser will not allow you to "proceed anyway".
Have you tested in other browsers, specifically Chromium ones - Edge, Chrome, Opera?
I tried in Edge, the same behavior - there is no link to proceed in normal mode, but it's there in incognito mode.
-
@zapominai said in Error NET::ERR_CERT_AUTHORITY_INVALID:
Adding the certificate to trusted ones didn't affect the browser behavior.
Did you also add the ospanel certificate? You need to export the Ospanel certificate from the certificate viewer. All certificates in the Certificate Hierarchy need to be exported and added to the OS trust store, choose Export on each one.
In Windows certificate manager, this is usually under the "Trust Root Certification Authorities" folder.
I tried in Edge, the same behavior - there is no link to proceed in normal mode, but it's there in incognito mode.
Then this is a general Chromium thing.
What about Firefox?
I think your best bet is probably some sort of support forum for this "Ospanel" thing. There must be other users with the same problem or some guides how to fix this.
https://ospanel.io/forum/
-
@Pathduck said in Error NET::ERR_CERT_AUTHORITY_INVALID:
Did you also add the ospanel certificate? You need to export the Ospanel certificate from the certificate viewer. All certificates in the Certificate Hierarchy need to be exported and added to the OS trust store, choose Export on each one.
In Windows certificate manager, this is usually under the "Trust Root Certification Authorities" folder.
This certificate has no hierarchy.
"Trust Root Certification Authorities"
I specifically chose this folder to add the certificate.
I tried in Edge, the same behavior - there is no link to proceed in normal mode, but it's there in incognito mode.
Then this is a general Chromium thing.
What about Firefox?
Firefox displays a warning and a button to continue, in normal mode
I think your best bet is probably some sort of support forum for this "Ospanel" thing. There must be other users with the same problem or some guides how to fix this.
https://ospanel.io/forum/
Okay, I'll try asking there. Thank you for the answers!
-
@zapominai said in Error NET::ERR_CERT_AUTHORITY_INVALID:
This certificate has no hierarchy.
OK so it's a "self-signed" certificate but has an "issuer" which is special in itself.
Could you Export the certificate as .crt file, and share the content of the file? It's plain text, just open in notepad and paste here in a code block. It's no security issue, it's a Public certificate. Would be interesting to examine it.
Also try this:
- Open url chrome://flags/#chrome-root-store-enabled
- Set value to Disabled
- Restart browser
- Try again
Also, what is your Vivaldi version and OS? I believe you never said.
-
@Pathduck said in Error NET::ERR_CERT_AUTHORITY_INVALID:
@zapominai said in Error NET::ERR_CERT_AUTHORITY_INVALID:
This certificate has no hierarchy.
OK so it's a "self-signed" certificate but has an "issuer" which is special in itself.
Could you Export the certificate as .crt file, and share the content of the file? It's plain text, just open in notepad and paste here in a code block. It's no security issue, it's a Public certificate. Would be interesting to examine it.
-----BEGIN CERTIFICATE----- MIICojCCAYoCCQCvkGc2EdjdmzANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdv c3BhbmVsMB4XDTE2MTIyMzEwNTQzNFoXDTMxMTIyMDEwNTQzNFowFDESMBAGA1UE AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA29lJ I2AppkzcnS9Y7FrmwPLGqHNARc4ClYECMAq+Nd/ectLRHTL4QVFbuFbWHsTgeSFV 5U1JG5v8LR0cJIARQsCSrhNhRcfwsLrGv4igQXtLmE37dlYeGs43QAV+/GAyRemN 3QhEknegGaNyMUSVHfEsIh+laNBKRfGdPp5UWd3ls0WJUIIoOPm+mqRscq31eDw5 H4kGi1EU28BM7losKpsiEdWq7bjOTF99oiWGxszn0OMNI2Dy61CfGzgoyg9dxS7e 15iZFL/vOFqjgQl+3ybVyVM4okbcjEnNCH4vyImdC4I8ALqX+2wxjKirJvjMQSSK XfCv+7ah/3deE6Ij3QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCxPljez/1fn32L CLKq2O2EmqnxOMPw/J4pzCqzYOHvt2GeFjv7dxlzGD6KGTerat9LoA65dZV+Fbe4 9EuXf/lx6Tm9gCnM1v9N97ZBMtJ/PMtKzhh8P+pPOvf8GE9CsEsjakBGofRd0zf9 qryU7d9+q8kzLe5Pc9wVQcZFiQF+0gMmqFDMkhUoD03DMv5oMaph1L/GxSu9T/N5 PxMKLHYV9p4G+CG8UJ4oHYDLM7ByRAGECapaEuKb0fseFDA8qVFlqI8IcrGp/apW 6PiwkGaUAtWSbJs6xnU9NAeHv/0i2flqeRvP5j2PNSLu4VljxSLZxq1m5pPKzyGw 63pNCwGG -----END CERTIFICATE-----
Also try this:
- Open url chrome://flags/#chrome-root-store-enabled
- Set value to Disabled
- Restart browser
- Try again
I did it. Everything remained the same.
Also, what is your Vivaldi version and OS? I believe you never said.
Vivaldi: 6.0.2979.18 (Stable channel) (64-bit)
OS: Windows 10 Pro 22H2
-
I suspect that the reason the certificate is refused is that it is too simple.
It is essentially coded like certificates were around 1996, (before I originally started in Opera), missing all the extensions, such as KeyUsage, that are required in certificates today, even in certs used on localhost.
That is probably also the reason the certificate error page does not allow you to proceed past the error page for a normal profile because that would permanently allow the certificate (private windows do not store such information, so less dangerous).
The vendor of the tool will have to update its certificate generator (and probably should look closely at the CAB-forum Certificate Baseline Requirements before they do anything).
BTW, in case this worked before: Chromium is now doing all certificate verification in its own code, no longer using external processing in the OS, and its verification now tends to be much stricter than before, which means that certificates that worked before might no longer work.
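A stdlib-only Python check for the condition described above (a certificate carrying no X.509 v3 extensions), given here as an added example that is not part of the thread or of any participant's post. The function names and the two sample byte strings are constructed for illustration; the samples are structural skeletons with empty fields, not valid certificates.

```python
import base64

# OIDs of the extensions commonly expected on a TLS server certificate.
EXT_NAMES = {"2.5.29.15": "keyUsage", "2.5.29.17": "subjectAltName",
             "2.5.29.19": "basicConstraints", "2.5.29.37": "extendedKeyUsage"}

def tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield the elements packed between start and end."""
    while start < end:
        tag, vs, ve = tlv(buf, start)
        yield tag, vs, ve
        start = ve

def oid(raw):
    """Decode an OID body to dotted form."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def inspect(pem_or_der):
    """Return (version, extensions found, expected extensions missing)."""
    der = pem_or_der
    if der.lstrip().startswith(b"-----BEGIN"):
        der = base64.b64decode(b"".join(der.split(b"-----")[2].split()))
    _, cs, _ = tlv(der, 0)                   # Certificate
    _, ts, te = tlv(der, cs)                 # TBSCertificate
    version, found = 1, []
    for tag, vs, ve in children(der, ts, te):
        if tag == 0xA0:                      # [0] version, absent in v1
            version = der[ve - 1] + 1
        elif tag == 0xA3:                    # [3] extensions, v3 only
            _, ls, le = tlv(der, vs)
            for _, es, _ in children(der, ls, le):
                _, o_s, o_e = tlv(der, es)
                found.append(EXT_NAMES.get(oid(der[o_s:o_e]), "other"))
    return version, found, sorted(set(EXT_NAMES.values()) - set(found))

# Constructed skeletons: v1 with no extensions, v3 with SAN and keyUsage.
V1_SAMPLE = bytes.fromhex("3014300d020101" + "3000" * 5 + "3000030100")
V3_SAMPLE = bytes.fromhex("302f3028a003020102020101" + "3000" * 5 +
    "a314301230070603551d11040030070603551d0f0400" + "3000030100")
```

Passing the bytes of an exported .crt file (PEM or DER) to `inspect()` produces the same report for a real certificate.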
-
@zapominai The self-signed certificate your software had created is not correct to current standards.
Create a correct one:
⇒ https://www.baeldung.com/openssl-self-signed-cert
⇒ https://stackoverflow.com/questions/19441155/how-to-create-a-self-signed-certificate-for-a-domain-name-for-development-on-win
-
@yngve said in Error NET::ERR_CERT_AUTHORITY_INVALID:
I suspect that the reason the certificate is refused is that it is too simple.
It is essentially coded like certificates were around 1996, (before I originally started in Opera), missing all the extensions, such as KeyUsage, that are required in certificates today, even in certs used on localhost.
That is probably also the reason the certificate error page does not allow you to proceed past the error page for a normal profile because that would permanently allow the certificate (private windows do not store such information, so less dangerous).
The vendor of the tool will have to update its certificate generator (and probably should look closely at the CAB-forum Certificate Baseline Requirements before they do anything).
BTW, in case this worked before: Chromium is now doing all certificate verification in its own code, no longer using external processing in the OS, and its verification now tends to be much stricter than before, which means that certificates that worked before might no longer work.
Thank you for the answers, I will try to update my local development kit
-
@DoctorG said in Error NET::ERR_CERT_AUTHORITY_INVALID:
@zapominai The self-signed certificate your software had created is not correct to current standards.
Create a correct one:
⇒ https://www.baeldung.com/openssl-self-signed-cert
⇒ https://stackoverflow.com/questions/19441155/how-to-create-a-self-signed-certificate-for-a-domain-name-for-development-on-win
Thank you for the links, if updating the development kit does not help, I will try to create the certificate myself.
-
To create certs I use on Windows the free, good and easy tool XCA or openssl on a Linux VM.