ERR_CERT_AUTHORITY_INVALID means the certificate presented by the server was signed by a Certificate Authority that the browser does not recognize or trust. Browsers maintain a built-in list of trusted root CAs, and every certificate must chain back to one of these roots through a series of intermediate certificates. If any link in this chain is missing, untrusted, or self-signed without being explicitly trusted by the client, the browser will reject the certificate. This error frequently occurs with self-signed certificates, missing intermediate certificates, or internal corporate CAs that have not been installed on the client machine.
The server is using a certificate that was not signed by a publicly trusted CA. Self-signed certificates are common in development environments but will always trigger this error in browsers unless the user explicitly adds an exception.
The server is only sending the leaf certificate without the intermediate certificates needed to complete the chain to a trusted root. The browser cannot verify the chain of trust and rejects the connection. This is one of the most common server misconfigurations.
The root CA that signed the certificate chain has been removed from browser trust stores. This happened notably with older Symantec/GeoTrust roots that were distrusted by browsers. Certificates signed by these CAs will trigger authority invalid errors.
A network appliance (corporate firewall, antivirus software, or HTTPS proxy) is intercepting the connection and presenting its own certificate. If the proxy's CA is not installed on the client, the browser will reject it.
Inspect the certificate chain the server sends. Verify that it includes the leaf certificate, all intermediate certificates, and that the chain terminates at a trusted root CA.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null 2>/dev/null | grep -E '^ *[0-9]+ s:|^ +i:|subject=|issuer='
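The following added example (not part of the original page) reads the "Certificate chain" section of `openssl s_client -showcerts` output and flags the two most common causes described above: a self-signed leaf and a missing intermediate. It compares subject and issuer names only and does not verify signatures or consult a trust store; the hostnames and CA names in the samples are constructed.

```python
import re
import sys
# Chain entries appear as " 0 s:<subject>" followed by "   i:<issuer>".
S_LINE = re.compile(r"^\s*\d+ s:(.*)$")
I_LINE = re.compile(r"^\s+i:(.*)$")

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        s, i = S_LINE.match(line), I_LINE.match(line)
        if s:
            subject = s.group(1).strip()
        elif i and subject is not None:
            chain.append((subject, i.group(1).strip()))
            subject = None
    return chain

def diagnose(chain):
    """Name-based findings only; signatures and trust stores are not checked."""
    if not chain:
        return ["no certificate chain found in input"]
    findings = []
    leaf_subject, leaf_issuer = chain[0]
    if leaf_subject == leaf_issuer:
        findings.append("leaf is self-signed")
    elif len(chain) == 1:
        findings.append("only the leaf was sent; missing intermediate: " + leaf_issuer)
    for pos, ((_, issuer), (next_subject, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != next_subject:
            findings.append("cert %d is not issued by cert %d" % (pos, pos + 1))
    return findings

# Constructed sample outputs (hypothetical names, not captured from a real server).
LEAF_ONLY = """Certificate chain
 0 s:CN = shop.example.test
   i:CN = Example Issuing CA
"""
FULL_CHAIN = LEAF_ONLY + """ 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
"""
SELF_SIGNED = """Certificate chain
 0 s:CN = dev.example.test
   i:CN = dev.example.test
"""

if __name__ == "__main__":
    for finding in diagnose(parse_chain(sys.stdin.read())) or ["chain names link up"]:
        print(finding)
```

To use it against a live server, pipe the unfiltered `openssl s_client ... -showcerts` output into the script on standard input. An empty result means the names link up, not that the chain is trusted.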
If the chain is incomplete, download the intermediate certificates from your CA's documentation and configure your web server to send the full chain. In Nginx, concatenate the leaf and intermediate certificates into one file, leaf first, and point the ssl_certificate directive at that file.
cat yourdomain.crt intermediate.crt > fullchain.crt
For production servers, obtain a certificate from a trusted CA. Let's Encrypt provides free trusted certificates that are recognized by all major browsers.
sudo certbot certonly --nginx -d yourdomain.com
DNS CAA records restrict which Certificate Authorities can issue certificates for your domain. If CAA records are misconfigured, your CA may be blocked from issuing a valid certificate.
The server's SSL/TLS certificate has expired or is not yet valid according to the system clock.
The domain name in the URL does not match any of the names listed in the server's SSL certificate.
The certificate chain could not be validated because the root CA is not in the peer's trust store.
A certificate in the TLS handshake was corrupt, contained invalid signatures, or could not be parsed.