Chrome says NET::ERR_CERT_AUTHORITY_INVALID after installing the Cloudflare SSL certificate

Hi there!

I got the domain name: https://login.magicom.app:5001/
I installed a CF self-signed certificate on it, and it shows NET::ERR_CERT_AUTHORITY_INVALID.
I am the domain manager, the sub-domain is set to Proxied, and I changed the SSL mode to Full (strict).

Edit: I changed the DNS record to non-proxied so my NodeJS application can actually run.
My application runs on a port which is not supported by the Cloudflare proxy. Is that related?

Is there anything else that should be done?
Anything else I'm missing?

Thank you

The Cloudflare Origin Certificate you installed is provided for you to use on your server when you are dealing with Proxied (:orange:) records; it will error out like this when you are using Unproxied (:grey:) records.

If your actual intention is to Proxy (:orange:) the record, then you would need to switch it over to one of the ports that are supported.

If you intend to keep it Unproxied (:grey:), which will also disable Cloudflare's ability to protect you against attacks, then you cannot use the Cloudflare Origin Certificate, and will be required to obtain another certificate, for example through Let's Encrypt, that you install on your application.


Thank you, just the answer I was looking for.

Does it matter which SSL mode I am on? Full, or Full (strict)?
Currently it is Full; would that be enough, or should I change to Strict?

I'd say go with the Full (strict) option; it's the only one that can be considered properly secure.


Hi.

We did it, but the certificate is still registered with our old certificate from Let's Encrypt.
Does it take time to change from one certificate to another?
If it does, how long does it usually take?

What exactly are you referring to with “our old certificate from Let's Encrypt”?

Cloudflare uses multiple certificate authorities to issue certificates for websites. Let’s Encrypt is one of them.

The time required for a certificate change on your application to take effect depends very much on what your application does; for that, you should head over to the documentation of your application and/or the frameworks it may be built on. Generally, though, most applications reload certificates when you restart them.

As for the web address you mentioned in the initial post, which you have now proxied, Cloudflare is currently presenting a Let's Encrypt certificate, valid from Fri, 23 Dec 2022 21:08:06 GMT to Thu, 23 Mar 2023 21:08:05 GMT; that certificate is one that Cloudflare obtained on your behalf.

Since that certificate is still valid for the next 7 weeks, there is no reason to replace it yet.

Cloudflare will, however, renew and replace that certificate for you once it gets closer to its expiration date.


You misunderstood me. I'll explain better.

What you see is our old certificate that I used from the Let's Encrypt auto-bot, and it refuses to renew because it conflicts with some app on our server.
It has an issue, in that the one on the domain is the one you mentioned.

If I access the IP address of the server, it does show the new certificate details, which show validity until 2038.
It starts on 27th January 2023 and expires on 23 January 2038.

We switched certificates, so the new one should be valid until 2038, with the long validity.
On crt.sh I do not see the CF self-signed certificate (maybe it should not be there?).

Any leads so that the new certificate will be shown?
Thanks

If it is relevant, the app that uses this self-signed SSL certificate is a NodeJS app on a Windows server.
Thank you

Those long-validity “Cloudflare Origin Certificates” are only valid internally between Cloudflare and your application, and NOT intended for public use.

Client ← Let’s Encrypt → Cloudflare ← Cloudflare Origin Certificate → Application

Your clients are never supposed to see that Origin Certificate.

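The question running through this thread is which certificate a given host:port actually presents, and whether it is the right kind: the Let's Encrypt certificate Cloudflare obtained for the proxied name is what browsers should see, while the Cloudflare Origin CA certificate installed on the NodeJS app belongs only on the right-hand side of the diagram above. The following is an added example (not code from the thread, from Cloudflare, or from the poster's application) that probes an endpoint, fetches the leaf certificate even when the chain does not verify (the NET::ERR_CERT_AUTHORITY_INVALID case), reads its issuer, subject and expiry with a minimal DER walker, and classifies it. It also checks a port against Cloudflare's published proxy port list, which is why :5001 could not stay proxied. The live probe needs network access; sample_cert builds a constructed, unsigned certificate-shaped blob so the parser and classifier can be exercised offline. The hostname login.magicom.app comes from the thread; the issuer names matched are the ones Cloudflare's Origin CA ("CloudFlare Origin SSL Certificate Authority", plus an ECC variant) and Let's Encrypt use.

```python
"""Which certificate does a TLS endpoint present, and is it the kind browsers should see?
Probes host:port, extracts issuer/subject/notAfter from the leaf cert with a minimal DER
walker (no third-party deps), and classifies it as public-CA vs Cloudflare Origin CA."""
import socket
import ssl
from datetime import datetime, timezone

# Ports the Cloudflare proxy forwards for HTTP and HTTPS (Cloudflare's network-ports
# documentation). A service on any other port, like :5001 in the thread, cannot be proxied.
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}
OID_CN, OID_O = bytes.fromhex("550403"), bytes.fromhex("55040a")  # commonName, organizationName


def port_proxyable(port: int) -> bool:
    """True if Cloudflare's proxy (orange cloud) will accept traffic on this port."""
    return port in CF_HTTP_PORTS or port in CF_HTTPS_PORTS


def _tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _children(body: bytes):
    """Split a SEQUENCE/SET body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out


def _name(body: bytes) -> dict:
    """Flatten an X.501 Name (SEQUENCE OF SET OF {OID, value}) to {"CN": ..., "O": ...}."""
    attrs = {}
    for _, rdn in _children(body):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            key = {OID_CN: "CN", OID_O: "O"}.get(oid)
            if key:
                attrs[key] = val.decode("utf-8", "replace")
    return attrs


def parse_cert(der: bytes) -> dict:
    """Return issuer, subject and notAfter from a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der)
    _, tbs, _ = _tlv(cert)                          # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    tag, not_after = _children(validity)[1]         # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    when = datetime.strptime(not_after.decode(), fmt).replace(tzinfo=timezone.utc)
    return {"issuer": _name(issuer), "subject": _name(subject), "not_after": when}


def classify(cert: dict) -> str:
    """'origin-ca' belongs only between Cloudflare and the origin; browsers should see 'public-ca'."""
    iss = cert["issuer"]
    if "Origin SSL" in iss.get("CN", "") and "cloudflare" in iss.get("O", "").lower():
        return "origin-ca"                          # RSA and ECC Origin CA issuers both match
    if iss.get("O") == "Let's Encrypt":
        return "public-ca"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Fetch the leaf cert from host:port and report whether the system's public roots trust it."""
    ctx = ssl.create_default_context()              # system roots, hostname check on
    try:
        with socket.create_connection((host, port), timeout) as raw, \
             ctx.wrap_socket(raw, server_hostname=host) as tls:
            der, trusted = tls.getpeercert(binary_form=True), True
    except ssl.SSLCertVerificationError:            # the condition Chrome shows as CERT_AUTHORITY_INVALID
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        with socket.create_connection((host, port), timeout) as raw, \
             ctx.wrap_socket(raw, server_hostname=host) as tls:
            der, trusted = tls.getpeercert(binary_form=True), False
    info = parse_cert(der)
    info.update(trusted=trusted, kind=classify(info), proxyable=port_proxyable(port))
    return info


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed offline sample below."""
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body


def sample_cert(issuer_cn: str, issuer_o: str, not_after: str, subject_cn: str = "login.magicom.app") -> bytes:
    """Constructed, unsigned certificate-shaped DER for offline demonstration; not a real certificate."""
    def atv(oid, s):                                # one RDN: SET { SEQUENCE { OID, UTF8String } }
        return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, s.encode())))
    validity = _der(0x30, _der(0x18, b"20230127000000Z") + _der(0x18, not_after.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, atv(OID_O, issuer_o) + atv(OID_CN, issuer_cn)) + validity
           + _der(0x30, atv(OID_CN, subject_cn)) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":                          # usage: python check_cert.py HOST PORT
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it twice: against the proxied name on a supported port (login.magicom.app 443) it should come back with trusted=True and kind='public-ca', and against the origin IP on :5001 with trusted=False and kind='origin-ca'. That split is the expected result of the diagram above, not a failed rollout; only kind='origin-ca' on the public side, or trusted=False on a port you expect browsers to hit, means something is wrong.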

Thank you. So, how can I know that the implementation of the new certificate is a success, and that we are not relying on the old certificate by mistake?
Is there any identification, like the one I gave for the Cloudflare Origin certificate when I reach the IP, to make sure we use the right certificate?

I'm afraid that the implementation went wrong, and in that case I need to ask my programmer to change something.
Is that a proper result for this implementation, or should it be done otherwise?
If the client sees a Let's Encrypt certificate, is that OK for the CF certificate?

Thank you
