SSL net::err_cert_authority_invalid

Hi all,

I have generated a shared SSL from Cloudflare, and have installed it in my Apache server. I have already enabled HTTP+CDN for the A record on my domain and Apache is configured correctly to accept SSL connections. However, when I browse to the domain it gives me the ERR_CERT_AUTHORITY_INVALID error. I have also tried setting the HTTPS method to FULL, FLEXIBLE and FULL (strict) on the Admin console, to no effect. Can anybody please guide me as to what I can try next? I have already attempted all the above by reading the forum posts on the same topic.

Also, the SSL checker resolves to a CloudFlare IP, and I have everything in green except for the last category that says “The certificate is not trusted in all web browsers”. As said before, the domain is configured to use the orange cloud (Proxy+CDN).

Your requests seem to go directly to your server instead of to Cloudflare’s proxies. Origin certificates work well; however, they are only trusted by Cloudflare and not by browsers. You might simply have a propagation issue and still resolve to your server IP instead of Cloudflare’s proxies. In that case simply wait a couple of hours.

What’s the domain?

Hi sandro,

It is

Except for the fact you didn’t configure a www record (which is fine though, if you don’t want it), your naked domain properly points to Cloudflare and hence the certificate should be fine. Most likely a propagation issue.

Not only, but particularly, because you have a proper setup, switch that to “Full strict” and keep it there :)

Thanks, I will revert in a couple of hours. I have had it on FULL (strict) for a while now, so I will update you if it works.

Sorry about the late updates, but it worked.

For people who need a shortcut step-by-step to using Cloudflare’s SSL Cert:

  1. Log in to Cloudflare, and go to Crypto.

  2. Under Origin Certificate, click Create Certificate, and then ensure the checkmark is on Let Cloudflare generate a private key and a CSR, and leave the Private key type as RSA (unless you need to change it, which in my case, I didn’t).

  3. The “List hostnames…” will be pre-populated, but make sure you have a wildcard (*.<your_domain>.).

  4. Save your private key (as soon as you see it, since it is not displayed again for security reasons) and your certificate in the relevant format (KEY and PEM) - just copy-paste the content, transfer the files via SFTP to your server and place them at appropriate locations (refer to guides for installing certificates for your web server).

  5. Install the certificate and place the private key appropriately on your webserver and point your vhost/web application to use it (you should already know how to configure the webserver to listen for SSL traffic on port 443 - for details, search online on how to do it).

  6. If you want your users to default to HTTPS, set up a forwarder on your webserver to the HTTPS vhost/binding.

  7. Head back to Cloudflare’s console and click on DNS. Go to the A/AAAA records that point to your website and ensure you select DNS+HTTP proxy (CDN) - the cloud will turn orange, with the arrow going through it.

  8. Head back into the Crypto section. Now, ensure the following:

  • SSL: Full (Strict)
  • Universal SSL Status is enabled (green in colour)
  • Always use HTTPS: ON
  • Automatic HTTPS Rewrites: ON
  • Wait for a couple of hours for changes to propagate

Check again to verify it is working correctly.
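To make the final verification step concrete, here is an added example (not part of the original thread) that tells the two situations discussed above apart: a browser reaching the origin directly and receiving the Origin certificate, versus the proxy sitting in front of it. It assumes `openssl` is installed and that Origin CA certificates carry "CloudFlare Origin" in their issuer name; the function names and the placeholder address are hypothetical.

```shell
#!/bin/sh
# Added example; assumption: Cloudflare Origin CA certificates have
# "CloudFlare Origin" in the issuer DN printed by openssl.

# Classify an issuer line as printed by `openssl x509 -noout -issuer`.
classify_issuer() {
    dn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$dn" in
        "")                    echo unknown ;;    # no certificate retrieved
        *"cloudflare origin"*) echo origin-ca ;;  # trusted by Cloudflare only
        *)                     echo other ;;      # any other issuer
    esac
}

# Issuer of the leaf certificate served at ADDR ($1) for SNI name NAME ($2).
served_issuer() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer 2>/dev/null
}

# Verdict from what the public hostname serves ($1) and what the
# origin server's own IP serves ($2).
diagnose() {
    edge=$(classify_issuer "$1")
    origin=$(classify_issuer "$2")
    case "$edge:$origin" in
        # Browsers see the Origin certificate: DNS still resolves to the
        # origin (grey cloud or propagation), hence ERR_CERT_AUTHORITY_INVALID.
        origin-ca:*)     echo bypass ;;
        # Proxy in front, Origin certificate behind it: the intended setup.
        other:origin-ca) echo ok ;;
        # Origin serves some other certificate: Full (strict) works only
        # if that certificate is valid and publicly trusted.
        other:other)     echo origin-other ;;
        *)               echo unknown ;;
    esac
}

# Usage: sh check.sh <your_domain> <origin_ip>   (both values are yours to supply)
if [ "$#" -eq 2 ]; then
    diagnose "$(served_issuer "$1" "$1")" "$(served_issuer "$2" "$1")"
fi
```

A `bypass` verdict that persists after the propagation window means the A/AAAA record is still not proxied.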
