NET::ERR_CERT_AUTHORITY_INVALID error

Hi,

I have a NET::ERR_CERT_AUTHORITY_INVALID error on my domain pornok7.com. What must I do to solve this problem?
At Cloudflare I have set Full encryption, and the certificate is implemented on my origin hosting. If I am on mobile, I don't have this problem.

Thanks for the help

You have configured an origin certificate, right?
In this case you should set your encryption to “Full strict” instead of just “Full”.

Also, as for your issue, that's simply a DNS propagation problem and you are currently still hitting your origin. Wait a couple of hours until that has settled in on your side and you shouldn't get that error any more.

Yes, I have Full strict. How long must I wait? I have waited 10 hours now.

Ten hours since what? It can take several hours, but it all depends on your local resolver.

10 hours since I set up the certificate on the origin server and set Full strict on Cloudflare. DNS was changed about 15 hours ago; I changed hosting.

What's the output of these commands?

ping pornok7.com
nslookup pornok7.com
ping www.pornok7.com
nslookup www.pornok7.com
Pinging pornok7.com [89.221.213.66] with 32 bytes of data:
Reply from 89.221.213.66: bytes=32 time=7ms TTL=53
Reply from 89.221.213.66: bytes=32 time=6ms TTL=53
Reply from 89.221.213.66: bytes=32 time=6ms TTL=53
Reply from 89.221.213.66: bytes=32 time=6ms TTL=53

Ping statistics for 89.221.213.66:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 7ms, Average = 6ms

nslookup pornok7.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    pornok7.com
Addresses:  2606:4700:30::681b:8c67
          2606:4700:30::681b:8d67
          89.221.213.66

ping www.pornok7.com

Pinging www.pornok7.com [89.221.213.66] with 32 bytes of data:
Reply from 89.221.213.66: bytes=32 time=7ms TTL=53
Reply from 89.221.213.66: bytes=32 time=6ms TTL=53
Reply from 89.221.213.66: bytes=32 time=6ms TTL=53
Reply from 89.221.213.66: bytes=32 time=6ms TTL=53

Ping statistics for 89.221.213.66:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 7ms, Average = 6ms

nslookup www.pornok7.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.pornok7.com
Addresses:  2606:4700:30::681b:8d67
          2606:4700:30::681b:8c67
      89.221.213.66

Yes, that is a DNS propagation issue. What is interesting is that you are using Google’s resolver, which actually returns the previous address. In my case it works, but it might be that the Google data centre you are hitting still has the old value cached. However your previous nameservers do specify a relatively short caching time, so that should have expired by now.

I can only suggest to wait a bit more or change to Cloudflare’s DNS resolvers for example.

I think the address is correct. It gives me the address of the new hosting. I changed DNS to my local provider and after that I tried DNS 1.1.1.1 and still have the same problem.

That is the address of your server, not Cloudflare’s proxies.

Can you also run these commands?

nslookup pornok7.com 1.1.1.1
nslookup www.pornok7.com 1.1.1.1
lookup pornok7.com 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    pornok7.com
Addresses:  2606:4700:30::681b:8c67
          2606:4700:30::681b:8d67
          89.221.213.66

nslookup www.pornok7.com 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    www.pornok7.com
Addresses:  2606:4700:30::681b:8c67
          2606:4700:30::681b:8d67
          89.221.213.66

What do you see if you open a page? Do you see the same error?

Something is genuinely off here.

Both resolutions (against Google and Cloudflare) return your origin IP address, as well as Cloudflare’s IPv6 addresses. That should not be possible. It is either or.

For me, both return only the Cloudflare proxies and that is what your domain’s nameservers return as well.

I am afraid I don't have an explanation for that, unless someone is hijacking your DNS requests, but I wouldn't want to go that far for the moment :smile:

You can try to purge the cache for Google’s DNS servers at https://developers.google.com/speed/public-dns/cache

Assuming you are running Windows 10, could you run this command in a PowerShell window and post the output here?

(Invoke-WebRequest -Uri 'https://1.1.1.1/dns-query?ct=application/dns-json&name=pornok7.com').RawContent

Here is the output:

(Invoke-WebRequest -Uri 'https://1.1.1.1/dns-query?ct=application/dns-json&name=pornok7.com').RawContent
HTTP/1.1 200 OK
Connection: keep-alive
Access-Control-Allow-Origin: *
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
CF-RAY: 529a11500a7d3dd6-PRG
Content-Length: 281
Cache-Control: max-age=300
Content-Type: application/dns-json
Date: Tue, 22 Oct 2019 08:23:10 GMT
Server: cloudflare

{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,"Question":[{"name": "pornok7.com.", "type": 1}],"Answer":[{"name": "pornok7.com.", "type": 1, "TTL": 300, "data": "104.27.140.103"},{"name": "pornok7.com.", "type": 1, "TTL": 300, "data": "104.27.141.103"}]}

I am connected to the internet via my university network. I tried connecting my computer via mobile data and the page works well. I don't know what technologies the university uses, but maybe the problem is somewhere there. If you open my page, is it all right?

Via DoH the correct address is returned. Unfortunately this would really suggest someone is hijacking your DNS requests. You’d have to contact the university.
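The comparison this thread arrives at, as an added example that is not part of the original posts: parse the plain-DNS (`nslookup`) answer and the DoH JSON answer, then diff the A records. The sample inputs are the outputs posted above (DoH body trimmed to the fields used); the function names are hypothetical, and a mismatch only shows that the two paths disagree, which a stale cache can cause as well as interception.

```python
import ipaddress
import json

# Sample inputs taken from the output posted in this thread
# (DoH body trimmed to the fields used here).
NSLOOKUP_OUTPUT = """\
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    pornok7.com
Addresses:  2606:4700:30::681b:8c67
          2606:4700:30::681b:8d67
          89.221.213.66
"""
DOH_BODY = ('{"Status": 0, "Question": [{"name": "pornok7.com.", "type": 1}], "Answer": ['
            '{"name": "pornok7.com.", "type": 1, "TTL": 300, "data": "104.27.140.103"},'
            '{"name": "pornok7.com.", "type": 1, "TTL": 300, "data": "104.27.141.103"}]}')

def parse_nslookup(text):
    """Addresses in the answer section of Windows nslookup output."""
    # Everything before "Name:" describes the resolver itself (8.8.8.8 here).
    answer = text.split("Name:", 1)[-1]
    found = set()
    for token in answer.split():
        try:
            found.add(ipaddress.ip_address(token))
        except ValueError:
            continue  # hostname or label, not an address
    return found

def parse_doh(body, rtype=1):
    """Addresses of one record type (1 = A) from a dns-json response body."""
    doc = json.loads(body)
    if doc.get("Status") != 0:
        raise ValueError(f"DoH query failed, Status={doc.get('Status')}")
    return {ipaddress.ip_address(a["data"])
            for a in doc.get("Answer", []) if a.get("type") == rtype}

def compare_a_records(plain, doh):
    """Diff the IPv4 answers seen over port 53 against the DoH answers."""
    plain_v4 = {a for a in plain if a.version == 4}
    return {"only_plain": [str(a) for a in sorted(plain_v4 - doh)],
            "only_doh": [str(a) for a in sorted(doh - plain_v4)],
            "mismatch": plain_v4 != doh}

if __name__ == "__main__":
    print(compare_a_records(parse_nslookup(NSLOOKUP_OUTPUT), parse_doh(DOH_BODY)))
```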

Thanks for the help. I tried flushing the DNS cache on my PC and at Google via the link you sent me. After that I connected my PC via mobile data and opened the page - all is right. After that I reconnected to my university network and the page works well. I don't know where the problem was, but thank you for your help and patience :slight_smile: