SSL cert "err_cert_authority_invalid" on mobile chrome only

S. J. picture S. J. · Jan 11, 2015 · Viewed 110.5k times · Source

Domain: https://www.amz2btc.com

Analysis from SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=amz2btc.com

All my desktop browsers open this fine. Mobile Firefox opens this fine. Only when I tried with mobile Chrome did I get the error: err_cert_authority_invalid

I know very little about SSL, so I can't really make sense of the SSL report or why this error is coming up. If someone could ELI5, that would be ideal. :)

Answer

Mike A picture Mike A · Feb 2, 2015

I just spent the morning dealing with this. The problem wasn't that I had a certificate missing. It was that I had an extra.

I started out with my ssl.conf containing my server key and three files provided by my SSL certificate authority:

#   Server Certificate:
SSLCertificateFile /etc/pki/tls/certs/myserver.cer

#   Server Private Key:
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key

#   Server Certificate Chain:
SSLCertificateChainFile /etc/pki/tls/certs/AddTrustExternalCARoot.pem

#   Certificate Authority (CA):
SSLCACertificateFile /etc/pki/tls/certs/InCommonServerCA.pem

It worked fine on desktops, but Chrome on Android gave me err_cert_authority_invalid

A lot of headaches, searching and poor documentation later, I figured out that it was the Server Certificate Chain:

SSLCertificateChainFile /etc/pki/tls/certs/AddTrustExternalCARoot.pem

That was creating a second certificate chain which was incomplete. I commented out that line, leaving me with

#   Server Certificate:
SSLCertificateFile /etc/pki/tls/certs/myserver.cer

#   Server Private Key:
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key

#   Certificate Authority (CA):
SSLCACertificateFile /etc/pki/tls/certs/InCommonServerCA.pem

and now it's working on Android again. This was on Linux running Apache 2.2.