Error NET::ERR_CERT_AUTHORITY_INVALID

Pathduck

@yngve Aha, just clicking the error message!
I had no idea that was even there

https://self-signed.badssl.com

DoctorG

@zapominai Have you really added the certificate to Windows user's Trusted Root Certificates?
That should work with such self-signed certificates.

zapominai

@DoctorG said in Error NET::ERR_CERT_AUTHORITY_INVALID:

Have you really added the certificate to Windows user's Trusted Root Certificates?
That should work with such self-signed certificates.

Yes, it was displayed in the appropriate section. However, there was a small exclamation mark on its icon.

zapominai

@Pathduck I tried accessing https://self-signed.badssl.com in normal mode and the link to proceed appeared, despite receiving the same error code... NET::ERR_CERT_AUTHORITY_INVALID. The browser does not display the link in normal mode specifically for my local certificate.

zapominai

@yngve said in Error NET::ERR_CERT_AUTHORITY_INVALID:

I am unsure about why Private Window allows continue, but that could be because changes in that mode are not persistent.

I checked the dates, they are all okay. I also added it to the trusted roots, but the error persisted. I'll try changing the certificate. Thanks for the idea.

BTW, for future reference, when posting screenshots/text in English forums like this one, please change the UI language to English.

Sorry, I translated the message from the Russian part of the forum. The screenshots will now be in English interface.

Somehow, the link to proceed appears for the website https://self-signed.badssl.com/ even in normal mode...

Pathduck

@zapominai said in Error NET::ERR_CERT_AUTHORITY_INVALID:

@Pathduck I tried accessing https://self-signed.badssl.com in normal mode and the link to proceed appeared, despite receiving the same error code... NET::ERR_CERT_AUTHORITY_INVALID. The browser does not display the link in normal mode specifically for my local certificate.

Your certificate is not self-signed, it's signed by something called ospanel. So a better BadSSL page would be this:
https://untrusted-root.badssl.com

This ospanel is not a valid Certificate Authority, and no browser would accept such a certificate unless the ospanel certificate is added to the local OS truststore. Ideally one would export both the localhost and the ospanel certificate into the trust store, although it should not in theory be necessary to add the localhost one if it's signed by ospanel and that one is trusted.

I don't know why the browser will not allow you to "proceed anyway".
Have you tested in other browsers, specifically Chromium ones - Edge, Chrome, Opera?

zapominai

@Pathduck said in Error NET::ERR_CERT_AUTHORITY_INVALID:

Your certificate is not self-signed, it's signed by something called ospanel. So a better BadSSL page would be this:
https://untrusted-root.badssl.com

I tried https://untrusted-root.badssl.com and there's a link to proceed in normal mode.

This ospanel is not a valid Certificate Authority, and no browser would accept such a certificate unless the ospanel certificate is added to the local OS truststore. Ideally one would export both the localhost and the ospanel certificate into the trust store, although it should not in theory be necessary to add the localhost one if it's signed by ospanel and that one is trusted.

It would be enough for me to just have a link to proceed. Adding the certificate to trusted ones didn't affect the browser behavior. I can provide screenshots of the added certificate, but my system interface is in Russian.

I don't know why the browser will not allow you to "proceed anyway".
Have you tested in other browsers, specifically Chromium ones - Edge, Chrome, Opera?

I tried in Edge, the same behavior - there is no link to proceed in normal mode, but it's there in incognito mode.

Pathduck

@zapominai said in Error NET::ERR_CERT_AUTHORITY_INVALID:

Adding the certificate to trusted ones didn't affect the browser behavior.

Did you also add the ospanel certificate? You need to export the Ospanel certificate from the certificate viewer. All certificates in the Certificate Hierarchy needs to be exported and added to the OS trust store, choose Export on each one.

In Windows certificate manager, this is usually under the "Trust Root Certification Authorities" folder.

I tried in Edge, the same behavior - there is no link to proceed in normal mode, but it's there in incognito mode.

Then this is a general Chromium thing.
What about Firefox?

I think your best bet is probably some sort of support forum for this "Ospanel" thing. There must be other users with the same problem or some guides how to fix this.
https://ospanel.io/forum/

zapominai

@Pathduck said in Error NET::ERR_CERT_AUTHORITY_INVALID:

Did you also add the ospanel certificate? You need to export the Ospanel certificate from the certificate viewer. All certificates in the Certificate Hierarchy needs to be exported and added to the OS trust store, choose Export on each one.

In Windows certificate manager, this is usually under the "Trust Root Certification Authorities" folder.

This certificate has no hierarchy.

"Trust Root Certification Authorities"
I specifically chose this folder to add the certificate.

I tried in Edge, the same behavior - there is no link to proceed in normal mode, but it's there in incognito mode.

Then this is a general Chromium thing.
What about Firefox?

Firefox displays a warning and a button to continue, in normal mode

I think your best bet is probably some sort of support forum for this "Ospanel" thing. There must be other users with the same problem or some guides how to fix this.
https://ospanel.io/forum/

Okay, I'll try asking there. Thank you for the answers!

Pathduck

@zapominai said in Error NET::ERR_CERT_AUTHORITY_INVALID:

This certificate has no hierarchy.

OK so it's a "self-signed" certificate but has an "issuer" which is special in itself.

Could you Export the certificate as .crt file, and share the content of the file? It's plain text, just open in notepad and paste here in a code block. It's no security issue, it's a Public certificate. Would be interesting to examine it.

Also try this:

• Open url chrome://flags/#chrome-root-store-enabled
• Set value to Disabled
• Restart browser
• Try again

Also, what is your Vivaldi version and OS? I believe you never said.

zapominai

@Pathduck said in Error NET::ERR_CERT_AUTHORITY_INVALID:

@zapominai said in Error NET::ERR_CERT_AUTHORITY_INVALID:

This certificate has no hierarchy.

OK so it's a "self-signed" certificate but has an "issuer" which is special in itself.

Could you Export the certificate as .crt file, and share the content of the file? It's plain text, just open in notepad and paste here in a code block. It's no security issue, it's a Public certificate. Would be interesting to examine it.

-----BEGIN CERTIFICATE-----
MIICojCCAYoCCQCvkGc2EdjdmzANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdv
c3BhbmVsMB4XDTE2MTIyMzEwNTQzNFoXDTMxMTIyMDEwNTQzNFowFDESMBAGA1UE
AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA29lJ
I2AppkzcnS9Y7FrmwPLGqHNARc4ClYECMAq+Nd/ectLRHTL4QVFbuFbWHsTgeSFV
5U1JG5v8LR0cJIARQsCSrhNhRcfwsLrGv4igQXtLmE37dlYeGs43QAV+/GAyRemN
3QhEknegGaNyMUSVHfEsIh+laNBKRfGdPp5UWd3ls0WJUIIoOPm+mqRscq31eDw5
H4kGi1EU28BM7losKpsiEdWq7bjOTF99oiWGxszn0OMNI2Dy61CfGzgoyg9dxS7e
15iZFL/vOFqjgQl+3ybVyVM4okbcjEnNCH4vyImdC4I8ALqX+2wxjKirJvjMQSSK
XfCv+7ah/3deE6Ij3QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCxPljez/1fn32L
CLKq2O2EmqnxOMPw/J4pzCqzYOHvt2GeFjv7dxlzGD6KGTerat9LoA65dZV+Fbe4
9EuXf/lx6Tm9gCnM1v9N97ZBMtJ/PMtKzhh8P+pPOvf8GE9CsEsjakBGofRd0zf9
qryU7d9+q8kzLe5Pc9wVQcZFiQF+0gMmqFDMkhUoD03DMv5oMaph1L/GxSu9T/N5
PxMKLHYV9p4G+CG8UJ4oHYDLM7ByRAGECapaEuKb0fseFDA8qVFlqI8IcrGp/apW
6PiwkGaUAtWSbJs6xnU9NAeHv/0i2flqeRvP5j2PNSLu4VljxSLZxq1m5pPKzyGw
63pNCwGG
-----END CERTIFICATE-----

Also try this:

• Open url chrome://flags/#chrome-root-store-enabled
• Set value to Disabled
• Restart browser
• Try again

I did it. Everything remained the same.

Also, what is your Vivaldi version and OS? I believe you never said.

Vivaldi: 6.0.2979.18 (Stable channel) (64-bit)
OS: Windows 10 Pro 22H2

yngve

I suspect that the reason the certificate is refuses is that it is too simple.

It is essentially coded like certificates were around 1996, (before I originally started in Opera), missing all the extensions, such as KeyUsage, that are required in certificates today, even in certs used on localhost.

That is probably also the reason the certificate error page does not allow you to proceed past the error page for a normal profile because that would permanently allow the certificate (private windows do not store such information, so less dangerous).

The vendor of the tool will have to update its certificate generator (and probably should look closely at the CAB-forum Certificate Baseline Requirements before they do anything).

BTW, in case this worked before: Chromium is now doing all certificate verification in its own code, no longer using external processing in the OS, and its verification now tends to be much stricter than before, which means that certificates that worked before might no longer work.

DoctorG

@zapominai The self-signed certificate your software had created is not correct to current standards.

Create a correct one:
⇒ https://www.baeldung.com/openssl-self-signed-cert
⇒ https://stackoverflow.com/questions/19441155/how-to-create-a-self-signed-certificate-for-a-domain-name-for-development-on-win

zapominai

@yngve said in Error NET::ERR_CERT_AUTHORITY_INVALID:

I suspect that the reason the certificate is refuses is that it is too simple.

It is essentially coded like certificates were around 1996, (before I originally started in Opera), missing all the extensions, such as KeyUsage, that are required in certificates today, even in certs used on localhost.

That is probably also the reason the certificate error page does not allow you to proceed past the error page for a normal profile because that would permanently allow the certificate (private windows do not store such information, so less dangerous).

The vendor of the tool will have to update its certificate generator (and probably should look closely at the CAB-forum Certificate Baseline Requirements before they do anything).

BTW, in case this worked before: Chromium is now doing all certificate verification in its own code, no longer using external processing in the OS, and its verification now tends to be much stricter than before, which means that certificates that worked before might no longer work.

Thank you for the answers, I will try to update my local development kit

zapominai

@DoctorG said in Error NET::ERR_CERT_AUTHORITY_INVALID:

@zapominai The self-signed certificate your software had created is not correct to current standards.

Create a correct one:
⇒ https://www.baeldung.com/openssl-self-signed-cert
⇒ https://stackoverflow.com/questions/19441155/how-to-create-a-self-signed-certificate-for-a-domain-name-for-development-on-win

Thank you for the links, if updating the development kit does not help, I will try to create the certificate myself.

DoctorG

To create certs i use on Windows the free, good and easy tool XCA or openssl on a Linux VM.

leocardo

I was facing the same problem, and tried a lot of "solutions" in order to solve it.

Finally I found a procedure that works for my particular case, check that DNS servers are the DNS provided by the Internet Service Provider, reconfigure it, reconnect PC in order to refresh DNS and try it, should works... after that reconfigure with DNS that you prefer...

DoctorG

A domain should resolve to a IP.
And a certificate needs valid X509v3 Subject Alternative Name (SAN).
If not, that certificate will not work.
And this was defined 5 years ago!

It is the job of a web developer/IT pro to know this. Not in your knowledge box!?, keep on learning

• https://bugs.chromium.org/p/chromium/issues/detail?id=308330
• https://groups.google.com/a/chromium.org/g/security-dev/c/IGT2fLJrAeo
• https://chromestatus.com/feature/4981025180483584

DoctorG

I f you are testing software on a local webserver, set a IP from your LAN, add IP and domain to your router or local DNS server, that could resolve the cert issue.

Rahulrokkz666

This post is deleted!