"NET::ERR_CERT_AUTHORITY_INVALID" in Chrome on macOS

[kenny-evitt]

My computer is running macOS version "10.14.5 (18F132)". I'm testing in Chrome version "75.0.3770.142 (Official Build) (64-bit)". Chrome was updated recently, i.e. yesterday, from an unknown earlier version (tho fairly recent I think).

Several days ago mkcert seemed to be working as expected. Today I get the error mentioned in the title.

I was able to get it working again by manually adding the certificate to my "login" "Certificates" in the Keychain Access app by following the steps in this answer to the following Super User question:

• ssl - How do I deal with NET:ERR_CERT_AUTHORITY_INVALID in Chrome? - Super User

This might be related to this recently opened issue:

• "Certificate is not standards compliant" on macOS Catalina · Issue #174

[ngdot]

sane problem here!

[robo360]

Same problem

[daquinoaldo]

In my case works on MacOS (Mojave) but not on Ubuntu 19.04.

NET::ERR_CERT_AUTHORITY_INVALID
Subject: mkcert development certificate
Issuer: mkcert daquinoaldo@ideapad330S
Expires on: Aug 21, 2029
Current date: Aug 21, 2019

[rfay]

Please say more about how you're doing your testing @daquinoaldo - and this is mkcert v1.4.0 true?

BTW, I'm quite sure this is a dup of #174 and this one should be closed.

[rfay]

My experience testing on Ubuntu 19.04 is that both Chromium and Firefox accept the not-before-June-1 certs generated by mkcert v1.4.0. @daquinoaldo if you look at the "Not-valid-before" in your browser's presentation of the cert and it was generated by v1.4.0, you should see May 31, 2019 or June 1, 2019, depending on your timezone.

[daquinoaldo]

@rfay sorry, my fault: I changed laptop and I forgot to install libnss3-tools.

[kenny-evitt]

@rfay I'm less sure this a duplicate of #174 – for one the error is different. The error I observed seems more 'severe'.

[rfay]

I use the Chrome official build on macOS quite successfully with mkcert on macOS. Daily. And wasn't having any trouble with v1.3.0. I wonder what this is.

[FiloSottile]

I don't have any idea what this would be due to. It looks like it hasn't been happening much recently though? If anyone is still experiencing this, please post exact Chrome, macOS, and mkcert versions, as well as the error screenshot.

[rushi]

@FiloSottile This is happening for me using mkcert v1.4.0, Chrome Version 78.0.3904.87 (Official Build) (64-bit), on MacOS Catalina v10.15.

[osadchiynikita]

@rushi If you still need to proceed, try to Enable this flag

chrome://flags/#allow-insecure-localhost

[joldor]

@FiloSottile Unfortunately I'm having the same issue with mkcert v1.4.0, Chrome 78.0.3904.97 (Official Build) (64-bit), on MacOS Mojave 10.14.6

@osadchiynikita Your tip sounded promising but unfortunately didn't do the trick for me. Thanks though.

[sup2007]

same here

• mkcert 1.4.1 (brew)
• mac os catalina 10.15.1
• Chrome 78.0.3904.108 (64bit) (+Firefox, Firefox Dev, Chrome Canary, ...)

by manually adding the site certificate and set trust in keychain - works ok.

[FlorentTorregrosa]

Hello,

I tried to follow tutorials to have traefik using certificates generated by mkcert, but I think I have the same issue has described here.

• mkcert 1.4.1 (downloaded from github)
• Chromium Version 79.0.3945.79 (Build officiel) Built on Ubuntu , running on LinuxMint 19.1 (64 bits)

Here are the scripts I was making in WIP to test, and this is the order of execution:

• https://github.com/FlorentTorregrosa/docker-drupal-project/blob/traefik_https/conf/traefik/install-mkcert.sh
• https://github.com/FlorentTorregrosa/docker-drupal-project/blob/traefik_https/conf/traefik/generate-local-certificate.sh
• docker-compose for traefik: https://github.com/FlorentTorregrosa/docker-drupal-project/blob/traefik_https/conf/traefik/docker-compose.yml
• traefik config: https://github.com/FlorentTorregrosa/docker-drupal-project/blob/traefik_https/conf/traefik/traefik.yml
• docker-compose for the app (I was testing the mailcatcher before extending to the whole app): https://github.com/FlorentTorregrosa/docker-drupal-project/blob/traefik_https/docker-compose.yml

I have the HTTP -> HTTPS redirection ok, but still NET::ERR_CERT_AUTHORITY_INVALID if I go to https://mail-ddp8.docker.localhost/

Thanks for any help.

[FlorentTorregrosa]

Hello,

I found my problem. It was not related to mkcert but to Traefik. The generated certificates were not loaded into Traefik configuration.

I smelled the problem when seing that the invalid certificate name was "TREAFIK DEFAULT CERTIFICATE".

[rushi]

@FiloSottile This is happening for me using mkcert v1.4.0, Chrome Version 78.0.3904.87 (Official Build) (64-bit), on MacOS Catalina v10.15.

My problem was resolved and it was user error. Bad configuration in Apache

[FiloSottile]

I still haven't been able to ever reproduce this.

Here's some more info that might help if anyone who's encountering this wants to report it:

• output of security dump-trust-settings and security dump-trust-settings -d
• screenshot of the certificate viewer (click on the lock > click on "Certificate")
• output of cat "$(mkcert -CAROOT)/rootCA.pem"
• output of mkcert -install

[jaykobi]

I had the same error, then tried all over again and it worked. It turned out the first time I created the certs (mkcert mydomain.com xxx) with sudo (Which obviously did not find the CA)

[FiloSottile]

Closing as this has not occurred in a while. I suspect these were various forms of operational issues where the root did not end up installed, or the certificate did not end up loaded in the web server.

If anyone were to encounter this error again, please open a new issue and provide the details listed here: #180 (comment)

[jartaud]

I had the same error, then tried all over again and it worked. It turned out the first time I created the certs (mkcert mydomain.com xxx) with sudo (Which obviously did not find the CA)

Yep, I was having 2 issues:

1. I was using sudo

2. I was creating the certs in /home/me/code/ssl while the local CA is sitting at /home/me/.local/share/mkcert

Generating the certs in /home/me without sudo and then copy them to /home/me/code/ssl works great.

[erosenberg]

@FiloSottile - I am also having this issue on Ubuntu 16.04. I've tried doing the above, but maybe I'm doing something wrong since I might not be using it for its intended purpose. Essentially, I have a NUC that I use as a server, and I have my laptop.
I am not exposing any of this to the internet. It is entirely on my local network, so I don't see a reason to use an actual CA unless necessary.
Do I need to configure something on my laptop for it to work as well? I figured it would be up to the nuc/traefik to handle that.

Edit: Yes I did need to manually copy the store over to my laptop in order to "trust" it. This was the piece that was missing for me. This use case wasn't clear from the documentation.

[CodyEddings]

@FiloSottile I'm also having an untrusted certificate error (NET::ERR_CERT_AUTHORITY_INVALID) trying to use https in my localhost Vue CLI app, following Chad Carter's answer here .

vue.config.js

const fs = require('fs')

module.exports = {
    devServer: {
        https: {
          key: fs.readFileSync('./certs/example.com+5-key.pem'),
          cert: fs.readFileSync('./certs/example.com+5.pem'),
        },
        public: 'https://localhost:8084/'
    }
}

[CodyEddings]

Fixed the issue! the problem was I had never run mkcert -install locally on my windows terminal before creating the cert files

[stratus21-liam]

@CodyEddings I am having the same issue, where did you run mkcert -install ? inside command prompt? I am using Ubuntu 20.04 as a local apache server

[ltroya-as]

@CodyEddings that command solves my problem on Windows, thanks.

@wkdcode-liam run it on the command prompt. If you are using docker, don't generate the certs on the container, generate on your local OS and use a volume to mount the certificates on the container

[Valikkun]

i use nginx in wsl2 localy. Got same error. It is fixed when:

• install mkcert on windows (powershell)
• mkcert -install (powershell)
• mkcert example.com (powershell)
• copy certs from windows in wsl and use them in nginx

[luizxsoto]

tks @Valikkun, you solved my problem!

[PyPiSan]

I had also faced the same issue, however, I had not run the mkcert -install command before creating the certificate.