Get Help with HTTPS problems

Sometimes, when you try to load a HTTPS address in Chrome, instead of the expected page, you get a scary warning, like this one:

image

Chrome has found a problem with the security of the connection and has blocked loading the page to protect your information.

In a lot of cases, if you’re just surfing around, the easiest thing to do is just find a different page to visit. But what happens if this happens on an important site that you really need to see? You shouldn’t just “click through” the error, because this could put your device or information at risk.

In some cases, clicking the ADVANCED link might explain more about the problem. For instance, in this example, the error message says that the site is sending the wrong certificate; you might try finding a different link to the site using your favorite search engine.

image

Or, in this case, Chrome explains that the certificate has expired, and asks you to verify that your computer clock’s Date and Time are set correctly:

image

You can see the specific error code in the middle of the text:

image

Some types of errors are a bit more confusing. For instance, NET::ERR_CERT_AUTHORITY_INVALID means that the site’s certificate didn’t come from a company that your computer is configured to trust.

image

Errors Everywhere?

What happens if you start encountering errors like this on every HTTPS page that you visit, even major sites like https://google.com?

In such cases, this often means that you have some software on your device or network that is interfering with your secure connections. Sometimes this software is well-meaning (e.g. anti-virus software, ad-blockers, parental control filters), and sometimes it’s malicious (adware, malware, etc). But even buggy well-meaning software can break your secure connections.

If you know what software is intercepting your traffic (e.g. your antivirus) consider updating it or contacting the vendor.

Getting Help

If you don’t know what to do, you may be able to get help in the Chrome Help Forum. When you ask for help, please include the following information:

  • The error code (e.g. NET::ERR_CERT_AUTHORITY_INVALID).
    • To help the right people find your issue, consider adding this to the title of your posting.
  • What version of Chrome you’re using. Visit chrome://version in your browser to see the version number
  • The type of device and network (e.g. “I’m using a laptop on wifi on my school’s network.”)
  • The error diagnostic information.

You can get diagnostic information by clicking or tapping directly on the text of the error code: image. When you do so, a bunch of new text will appear in the page:

image

You should select all of the text:

image

…then hit CTRL+C (or Command ⌘+C on Mac) to copy the text to your clipboard. You can then paste the text into your post. The “PEM encoded chain” information will allow engineers to see exactly what certificate the server sent to your computer, which might shed light on what specifically is interfering with your secure connections.

With any luck, we’ll be able to help you figure out how to surf securely again in no time!

 

-Eric

Get Help with HTTPS problems

63 thoughts on “Get Help with HTTPS problems

  1. H.Raseed says:

    NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
    Subject: *.google.com.sa
    Issuer: MS-NMSecurity
    Expires on: Jul 26, 2017
    Current date: May 17, 2017
    PEM encoded chain:
    —–BEGIN CERTIFICATE—–
    MIICgTCCAeqgAwIBAgIJAN/VkBC2ibcEMA0GCSqGSIb3DQEBBQUAMG0xFjAUBgNV
    BAoTDU1TLU5NU2VjdXJpdHkxEDAOBgNVBAcTB015IFRvd24xHDAaBgNVBAgTE1N0
    YXRlIG9yIFByb3ZpZGVuY2UxCzAJBgNVBAYTAlVTMRYwFAYDVQQDEw1NUy1OTVNl
    Y3VyaXR5MB4XDTE3MDUwMzA4NTg0M1oXDTE3MDcyNjA4NDIwMFowaTELMAkGA1UE
    BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZp
    ZXcxEzARBgNVBAoTCkdvb2dsZSBJbmMxGDAWBgNVBAMUDyouZ29vZ2xlLmNvbS5z
    YTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2gQy8K+HCeMA/+NM2V+PBIzw
    CqU14ZHxFZ/MNjhtfTkyFuK06pt4v+RtcmHS85gAj32UjNKN/ULLmmhyQQ8JmGQq
    xa5l+7Q6lC583Lw/Wwwt/kGignNbi+FPafxvg817bYE7T8sX9rougYRn5KZG7+EI
    uoHQMb8O3w1WHvTV82kCAwEAAaMtMCswKQYDVR0RBCIwIIIPKi5nb29nbGUuY29t
    LnNhgg1nb29nbGUuY29tLnNhMA0GCSqGSIb3DQEBBQUAA4GBAJpm4xBYnjbuvckc
    d/BYRtFcMdP38zxntyihootwxAJV7eHRiwD01dUqDy4qZvsj8Wip5eLUk5eKkvDt
    KiAPjhIhsHMBPYCnPMmX4k5X6Xkwst+1ATV65tW1EiIHGRhLH81WwRInqqnMwmCQ
    qLPTyEMC2F5oCUikekjzn0TMpUxi
    —–END CERTIFICATE—–
    —–BEGIN CERTIFICATE—–
    MIIDKzCCApSgAwIBAgIJAIWeqUgVaj9xMA0GCSqGSIb3DQEBBQUAMG0xFjAUBgNV
    BAoTDU1TLU5NU2VjdXJpdHkxEDAOBgNVBAcTB015IFRvd24xHDAaBgNVBAgTE1N0
    YXRlIG9yIFByb3ZpZGVuY2UxCzAJBgNVBAYTAlVTMRYwFAYDVQQDEw1NUy1OTVNl
    Y3VyaXR5MB4XDTE0MDIyNjE0MzQ0OVoXDTM0MDIyMTE0MzQ0OVowbTEWMBQGA1UE
    ChMNTVMtTk1TZWN1cml0eTEQMA4GA1UEBxMHTXkgVG93bjEcMBoGA1UECBMTU3Rh
    dGUgb3IgUHJvdmlkZW5jZTELMAkGA1UEBhMCVVMxFjAUBgNVBAMTDU1TLU5NU2Vj
    dXJpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKE31vM1/RfDSIvFfs/Q
    FUSFx33suY04CEb7lJzSVXw+SaVe0gNqr39UPY83EPWjETqiKdchmDpN+aXbdWQP
    Y5C3UQxyy2mRRR3SqWpDFqLhrs9Igrm/i02liJHkBm0EQUf0ybAI6+Q889bibluw
    OZV8bqEoubA5GCoJFD6wUBhNAgMBAAGjgdIwgc8wDAYDVR0TBAUwAwEB/zAdBgNV
    HQ4EFgQUBut04LCsUqaWjCR7sLjtCQWVg2gwgZ8GA1UdIwSBlzCBlIAUBut04LCs
    UqaWjCR7sLjtCQWVg2ihcaRvMG0xFjAUBgNVBAoTDU1TLU5NU2VjdXJpdHkxEDAO
    BgNVBAcTB015IFRvd24xHDAaBgNVBAgTE1N0YXRlIG9yIFByb3ZpZGVuY2UxCzAJ
    BgNVBAYTAlVTMRYwFAYDVQQDEw1NUy1OTVNlY3VyaXR5ggkAhZ6pSBVqP3EwDQYJ
    KoZIhvcNAQEFBQADgYEAJeqOcPiKzeS1Lu5XnPB2PqDS5D3V2Kx9OjXog5uG2krh
    bdJbGL0cPLVj+cUN5uGcTKY0T3Zk+6GoH1/pXs4TCbsopRoWYcIk0wW1dG3dMyhv
    KXGSS1dVXDW92NXTx/t/0U+Afphwz7LBy4tQOF+ZYaStdjVANrLk5bLaX5h0c/g=
    —–END CERTIFICATE—–

    Like

    1. This error message indicates that you have some software on your PC (using the name “MS-NMSecurity”) that is intercepting your HTTPS traffic. This is not known or common security software, and other users who have hit this have indicated the problem was removed after running an antivirus scanner that found malware.

      Like

  2. Sladja says:

    This is my “problem”, please help. :)
    NET::ERR_CERT_COMMON_NAME_INVALID
    Subject: http://www.google.com
    Issuer: GeoTrust_Global_CA
    Expires on: 31.10.2026.
    Current date: 29.05.2017.
    PEM encoded chain:
    —–BEGIN CERTIFICATE—–
    MIIDBzCCAnCgAwIBAgIQ7QkSHjufwodGzre/niKGmDANBgkqhkiG9w0BAQsFADBp
    MSUwIwYDVQQLExxJc3N1ZWQgYnkgR2VvVHJ1c3QgR2xvYmFsIENBMREwDwYDVQQK
    EwhHZW9UcnVzdDEtMCsGA1UEAx4kAEcAZQBvAFQAcgB1AHMAdABfAEcAbABvAGIA
    YQBsAF8AQwBBMB4XDTE1MTAzMTIzMDAwMFoXDTI2MTAzMTIyNTk1OVowUzElMCMG
    A1UECxMcSXNzdWVkIGJ5IEdlb1RydXN0IEdsb2JhbCBDQTERMA8GA1UEChMIR2Vv
    VHJ1c3QxFzAVBgNVBAMTDnd3dy5nb29nbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUA
    A4GNADCBiQKBgQCJprRorCAyfffNTTyM1FIUE0ahJWnVRlf8WZ1mHrhfcrVf48yk
    QoEY1diJqs23/ZE5CRy+L23GL9hNajOYeUbt6V8mXYmbb+GqP5pEuIHfuIbysMt2
    eUmdEMbY7snsT8sGImvHSjErCOK1Kue6Au4zfeuRS0vws8uube+ZS0eKHQIDAQAB
    o4HFMIHCMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwgZwGA1Ud
    AQSBlDCBkYAQLFpmW4EFPFlKDnBcEFbgO6FrMGkxJTAjBgNVBAsTHElzc3VlZCBi
    eSBHZW9UcnVzdCBHbG9iYWwgQ0ExETAPBgNVBAoTCEdlb1RydXN0MS0wKwYDVQQD
    HiQARwBlAG8AVAByAHUAcwB0AF8ARwBsAG8AYgBhAGwAXwBDAEGCEPl/IlwlI1qv
    TRlzsH9cKgAwDQYJKoZIhvcNAQELBQADgYEAbfreCLfP8VGoTRRFMMPmTzTYt0fj
    0AVT88YXz9AfJQC5SYuYgKNLlX9vlQRYYTfP99XMkxk+dn5Vtmghh7IZWv22cYH0
    9wEPmVw0CzX42BygQ1YmuoxPqkl3Cgk0wQb4EpeBniEVf+nquCcN/0AxvOguCk2U
    6lGVqLS9ttrdtJk=
    —–END CERTIFICATE—–
    —–BEGIN CERTIFICATE—–
    MIIDIzCCAoygAwIBAgIQ+X8iXCUjWq9NGXOwf1wqADANBgkqhkiG9w0BAQsFADBp
    MSUwIwYDVQQLExxJc3N1ZWQgYnkgR2VvVHJ1c3QgR2xvYmFsIENBMREwDwYDVQQK
    EwhHZW9UcnVzdDEtMCsGA1UEAx4kAEcAZQBvAFQAcgB1AHMAdABfAEcAbABvAGIA
    YQBsAF8AQwBBMB4XDTE1MTAzMTIzMDAwMFoXDTI2MTAzMTIyNTk1OVowaTElMCMG
    A1UECxMcSXNzdWVkIGJ5IEdlb1RydXN0IEdsb2JhbCBDQTERMA8GA1UEChMIR2Vv
    VHJ1c3QxLTArBgNVBAMeJABHAGUAbwBUAHIAdQBzAHQAXwBHAGwAbwBiAGEAbABf
    AEMAQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAowmQcIPBYFHxI/iNhZ5x
    tjK1fIOqVNXTBLFyJS8AS34fKQ3aslP3iJmXMgDa7eagD9MPtlELqCkq6YNnqfcD
    S0zh+B0T+kfx8gFHO54DfCI4PwsO8yle5sas3NfRvVOGrMZsZyX1Bkzf9/3Fg2CV
    tsTG5GvPVscQ0/y45HSJUgcCAwEAAaOByzCByDASBgNVHRMBAf8ECDAGAQH/AgEB
    MBMGA1UdJQQMMAoGCCsGAQUFBwMBMIGcBgNVHQEEgZQwgZGAECxaZluBBTxZSg5w
    XBBW4DuhazBpMSUwIwYDVQQLExxJc3N1ZWQgYnkgR2VvVHJ1c3QgR2xvYmFsIENB
    MREwDwYDVQQKEwhHZW9UcnVzdDEtMCsGA1UEAx4kAEcAZQBvAFQAcgB1AHMAdABf
    AEcAbABvAGIAYQBsAF8AQwBBghD5fyJcJSNar00Zc7B/XCoAMA0GCSqGSIb3DQEB
    CwUAA4GBAB6zg7v86ESBcpQaDsbrnXEmO/Lw4AUbyIXV/ajDM8KOegbj+dcLjtno
    ea76BkKCxz0Ls/fkHwYn0Cvwxv7ndQDpLD3y7c8V/AjYm+ZLT3sZ4Mh7nyoY1pP2
    mZeMAxzuJXAooao7AVFfwjSOV10cCH/ErV7DMV0SS76NcmtVBHAr
    —–END CERTIFICATE—–

    Like

    1. SLADJA– This looks like an attack to me. The certificate you’ve shared is valid for 11 years, meaning that it’s clearly fake. “GeoTrust Global CA” is a legitimate certificate authority, but your certificate comes from “GeoTrust_Global_CA” (note the underscores instead of spaces) which implies to me that this is a fake root certificate that is trying to evade your detection. No legitimate software would do this. Because you’re getting NET::ERR_CERT_COMMON_NAME_INVALID instead of an error about the root certificate not being trusted, this implies to me that malware has altered the certificate store of your computer to trust this fake root certificate. If that’s the case, bad guys can see all of your network traffic, even that which takes place over HTTPS.

      You should scan your computer for malware and if you’re not confident that it has been removed, I would probably reinstall the operating system to be sure it was clean.

      Like

    1. You should only see this if you are running a very outdated version of Chrome. Please try updating and of that doesn’t help, share the version number from the chrome://version page.

      Like

  3. Larry LaCaT says:

    Eric: Where can I find tools for inspecting the PEM encoded certs? I’ve been hand copying them into .cer files and viewing them from Windows. This works but is cumbersome. Can you (or someone you know) e-me or post some better tools? SSL Labs?

    Like

  4. Mary Beth Wimberley says:

    Using Chrome version 59.0.3071.109. I’m using a desktop at work, operating on windows 10, using wi-fi. Happens on virtually every single web page I try and has been going on for a month.

    NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
    Subject: *.clinton-county.org
    Issuer: Lavasoft Limited
    Expires on: Apr 1, 2018

    Like

    1. LavaSoft is a company that makes software that interferes with HTTPS traffic (see https://www.kb.cert.org/vuls/id/BLUU-9TWT2Y). To resolve the problems you are having reaching HTTPS sites, you should remove the software that uses LavaSoft certificates. This software likely goes by a number of names (e.g. “Ad-Aware Web Companion”) and should be listed in the Add/Remove Programs application of your system’s control panel.

      Like

  5. purushotam kumar says:

    this is my problem please help……………

    Attackers might be trying to steal your information from http://www.google.co.in (for example, passwords, messages or credit cards). NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
    Subject: *.google.com
    Issuer: Google Internet Authority G2
    Expires on: 13 Sep 2017
    Current date: 28 Jun 2017
    PEM encoded chain:
    —–BEGIN CERTIFICATE—–
    MIIHijCCBnKgAwIBAgIII/5O0SkE+dEwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
    BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
    cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjIxMTM1MjAwWhcNMTcwOTEzMTM1MjAw
    WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
    TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
    b29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAfmAbmGJ/B5sfpnE
    6Jk3wIQ+tqLjKs0nz8NidhFicNRzy37DZzpIZo9W+yRfNfhUKkF2V0YBJDtCVlDo
    1A3sA6OCBSIwggUeMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjALBgNV
    HQ8EBAMCB4AwggPhBgNVHREEggPYMIID1IIMKi5nb29nbGUuY29tgg0qLmFuZHJv
    aWQuY29tghYqLmFwcGVuZ2luZS5nb29nbGUuY29tghIqLmNsb3VkLmdvb2dsZS5j
    b22CFCouZGI4MzM5NTMuZ29vZ2xlLmNuggYqLmcuY2+CDiouZ2NwLmd2dDIuY29t
    ghYqLmdvb2dsZS1hbmFseXRpY3MuY29tggsqLmdvb2dsZS5jYYILKi5nb29nbGUu
    Y2yCDiouZ29vZ2xlLmNvLmlugg4qLmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28u
    dWuCDyouZ29vZ2xlLmNvbS5hcoIPKi5nb29nbGUuY29tLmF1gg8qLmdvb2dsZS5j
    b20uYnKCDyouZ29vZ2xlLmNvbS5jb4IPKi5nb29nbGUuY29tLm14gg8qLmdvb2ds
    ZS5jb20udHKCDyouZ29vZ2xlLmNvbS52boILKi5nb29nbGUuZGWCCyouZ29vZ2xl
    LmVzggsqLmdvb2dsZS5mcoILKi5nb29nbGUuaHWCCyouZ29vZ2xlLml0ggsqLmdv
    b2dsZS5ubIILKi5nb29nbGUucGyCCyouZ29vZ2xlLnB0ghIqLmdvb2dsZWFkYXBp
    cy5jb22CDyouZ29vZ2xlYXBpcy5jboIUKi5nb29nbGVjb21tZXJjZS5jb22CESou
    Z29vZ2xldmlkZW8uY29tggwqLmdzdGF0aWMuY26CDSouZ3N0YXRpYy5jb22CCiou
    Z3Z0MS5jb22CCiouZ3Z0Mi5jb22CFCoubWV0cmljLmdzdGF0aWMuY29tggwqLnVy
    Y2hpbi5jb22CECoudXJsLmdvb2dsZS5jb22CFioueW91dHViZS1ub2Nvb2tpZS5j
    b22CDSoueW91dHViZS5jb22CFioueW91dHViZWVkdWNhdGlvbi5jb22CByoueXQu
    YmWCCyoueXRpbWcuY29tghphbmRyb2lkLmNsaWVudHMuZ29vZ2xlLmNvbYILYW5k
    cm9pZC5jb22CG2RldmVsb3Blci5hbmRyb2lkLmdvb2dsZS5jboIcZGV2ZWxvcGVy
    cy5hbmRyb2lkLmdvb2dsZS5jboIEZy5jb4IGZ29vLmdsghRnb29nbGUtYW5hbHl0
    aWNzLmNvbYIKZ29vZ2xlLmNvbYISZ29vZ2xlY29tbWVyY2UuY29tghhzb3VyY2Uu
    YW5kcm9pZC5nb29nbGUuY26CCnVyY2hpbi5jb22CCnd3dy5nb28uZ2yCCHlvdXR1
    LmJlggt5b3V0dWJlLmNvbYIUeW91dHViZWVkdWNhdGlvbi5jb22CBXl0LmJlMGgG
    CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29t
    L0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5j
    b20vb2NzcDAdBgNVHQ4EFgQU0zPQmWIDc0P8/bjZ/9XxsZO3yBwwDAYDVR0TAQH/
    BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAhBgNVHSAEGjAY
    MAwGCisGAQQB1nkCBQEwCAYGZ4EMAQICMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6
    Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQELBQADggEBADHI
    I/SBZRgV+8AZQapirQX2JIGcvkwgl7+cNabXk8O53eaQVfX+dXNKbTC4pgozG2/Q
    3XdHeSbdcEnvhMB9A+EMcC94WQ/v0PoYUd2kFgV7sKAjVcAhNXXjcpZh/UpQBiql
    ekrxrOr0ulIxibjxagodhyUGcCalGe7gNrQZ2LFVr6eeJsUXeis2MhExaPemmYan
    PtBsGog4EcSYq+3iLf1rpmJZ48ENoCAEn7TSn89Zi5shHYROWTPhuqaI1aWxEZ92
    86c4FgQQRR8RKheNfLX5nkJ/AznN+S43TnyfMGmB6cp1mCac2L/UT0u1yx/6lDn7
    vARZGK6oEDGXvgbU0Wc=
    —–END CERTIFICATE—–

    Like

    1. This shows that the server is sending the correct certificate (see https://crt.sh/?id=158683073), but your operating system is building up a trust chain back to a weak root instead of the proper root. This is most commonly seen on Linux systems where the system software is not up-to-date. Please install the Linux updates to resolve this issue.

      Like

      1. purushotam kumar says:

        Thanks a lot its working after updating all install software/lib in my linux system

        Like

  6. purushotam kumar says:

    One more question….
    How to update chrome stable version in linux, i have tried so many command but not working .currently in my system chrome Version 48.0.2564.116.
    how to update to new version?????

    Like

  7. purushotam kumar says:

    yes, i tried with chrome download page but it unsuccessful with error “incompatible with this linux system”.

    Like

    1. Larry LaCaT says:

      Kumar: FYI: 48.0.2564.116 was released 2/18/16. This predates the UI rework known as Material Design. You’re going to see quite a change at the user level. There have been some significant security additions too. You might want a backup incase the big leap forward doesn’t go smoothly at first.

      Like

    1. Larry LaCaT says:

      Gogita solved the Chrome Connection not private – Issuer: DO_NOT_TRUST_FiddlerRoot, bu doing a Win7 Internet Explorer reset and machine restart. Voila.. She posted the PEM blocks for Fiddler, prior to the reset. It’s the usual bogus 2 cert chain that dead ends at Fiddler. She also mentions the problem only affects google.com and gmail.com; facebook.com is OK.

      Do you have any insight as to how the Internet Explorer reset made Chrome healthy? The reset disables the IE add-ons, but we don’t know that there were any. It’s just as likely the Chrome failure was caused by a bad Win7 reload, that finally got healed as a side-effect of the IE reset.

      Like

      1. Most likely, when Internet Explorer was reset, it cleared the proxy settings that were pointing the browsers to the malicious proxy on the local PC that was using the FiddlerCore certificates.

        Like

  8. Workingman says:

    PEM encoded chain:
    —–BEGIN CERTIFICATE—–
    MIIENzCCAx+gAwIBAgIQSjWBeRZ0jdJ4inGLNZFzWzANBgkqhkiG9w0BAQsFADAY
    MRYwFAYDVQQDEw0xNzIuMTYuMTEwLjI5MB4XDTE3MDUxNjAwMDAwMFoXDTE4MDYy
    MjEyMDAwMFowaTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzAR
    BgNVBAcTCk1lbmxvIFBhcmsxFzAVBgNVBAoTDkZhY2Vib29rLCBJbmMuMRcwFQYD
    VQQDDA4qLmZhY2Vib29rLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
    ggEBAMn/e/EDXVmmZgtj5RZ8jX1Z0psbBc6BO0JPVbCAY9vmN5OBEgmBbWGQude0
    Oz/oABplSM8CHZ86N63y4EzhX+95C7VCpqdhW6mJ2FZGI+FTYd5+mnoUJC5L0wag
    WuBE5niS3z89kAxkHUba8+Uf267uO934KqBTUDni9n5wqX5X/li0S5owwc0Ar25g
    IuNXL4Ag2m9vD1KFmeLR/yF371IOQEBuYIM8WKQ4mFKHup3peE83hq0ug9XJxjAL
    eJf0wdvKhJ6Sm313lW8G692ZO8Rd9dPq10GQevm/bM1LqZsq2SVYhVAxo9afrPSM
    S8FUV+hjBnVA/SQpByUW30uIQr8CAwEAAaOCASowggEmMB0GA1UdDgQWBBS4e9hh
    Wi5v4Mh9Zb0eQeIdA84lijCBxwYDVR0RBIG/MIG8gg4qLmZhY2Vib29rLmNvbYIO
    Ki54eC5mYmNkbi5uZXSCDioueHouZmJjZG4ubmV0ggxmYWNlYm9vay5jb22CCyou
    ZmJzYnguY29tgg4qLnh5LmZiY2RuLm5ldIIOKi5mYWNlYm9vay5uZXSCDyoubWVz
    c2VuZ2VyLmNvbYIIKi5mYi5jb22CBmZiLmNvbYILKi5mYmNkbi5uZXSCECoubS5m
    YWNlYm9vay5jb22CDW1lc3Nlbmdlci5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
    JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3
    DQEBCwUAA4IBAQCc+NOpWR3ZWqenZ49ql1FHlsNe9j2/1bKA3BbuFliWj4bfrPKC
    pS/T5U6aG1Ul4j8aNjiFePObCYfPXon7zpC0hbXIMw7SJ2zNLtoyGBjWpbdOrNMu
    MhP7ejEkmKgyggWQgxnyiOD4LFZbzUgziYUl+3uDeUOJgiwqBvV4BguxznwEb3ZB
    W1/WxkglBST5YvdlJWFAJAlf3LA7HxNY9qfKWYrFywcYcZlCsNa2UcNoPpGs41Mv
    pGpxglWVcEcI2LUUqLgRfHLXvXauHTbR5jWZ353DPiZ86aNh5/hxZfnumvhXBOD8
    C88K+sjI1Dvv16a0kP5eCFqIMXzmlYFlhJwb
    —–END CERTIFICATE—–
    —–BEGIN CERTIFICATE—–
    MIIC0DCCAbigAwIBAgIJAKOG3Pf+UDCaMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
    BAMTDTE3Mi4xNi4xMTAuMjkwHhcNMTYwNzI1MjA1OTQ2WhcNMTcwNzI1MjA1OTQ2
    WjAYMRYwFAYDVQQDEw0xNzIuMTYuMTEwLjI5MIIBIjANBgkqhkiG9w0BAQEFAAOC
    AQ8AMIIBCgKCAQEAzglKK33cfOvqwe+B6czYLRxxvVHS4z/xrsFyyl037tZiYrGC
    fCi5D2rGzJPCmIe4eCTZPR4FItdltVVo6LxEmgA1zULCDoCRRYj3IOtsbgwchQmU
    FMScqjklY00rC6/dg9avvt/YkQxAj7QWbbHjbX7+OJLffyOX9YNW48vR/aQonMAX
    812bzCw+DINh+PtzGRrcDzRPHwhVaQgOteCMo1cus6KLpR1thTaKDhl6hTjpCoTD
    CLchh6dBk7aDPxDDP7hu6yH1uNdnUFa0pakf7JiGSJqs3c7Sdbu+qbGEdV/wgQ2U
    PLSso1i04RXDLbHWY6pp7QZvZKiw7K0HhgKqOwIDAQABox0wGzAMBgNVHRMEBTAD
    AQH/MAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsFAAOCAQEAVtj2bBJ75m/yV70y
    9kmiM/4aU0C98smi7DyEBBcmMK8tbM2brbhfWVxV8vuFIeCaI1M0uCUkWQTLS6IN
    N/z8EfU6OKQib8RI1Xjw3TLD66iHFuHJHFIwWaYHSE3Tmt4Reey04Y6xHbkWhdt6
    KGu0wRzI64Wya3tCQoTErAnu10ELmE6Ad//SQ72fZzeubGIoABVuH6gGQ/YqnQr1
    NBq8SJY0rvvAU8szPwwVmmyjJi2XT+SXkb+PwvJwn0GmRIMe/lY9kz5YpY0yosRm
    BNnbfgmO0x0C1+Xnq6kHgneCCGOhub+U2mS+wbJfpe0P2m0deTrd1zJZRIVX1JKF
    2rbZnQ==
    —–END CERTIFICATE—–

    Like

    1. Workingman: This invalid certificate doesn’t even pretend to be from a valid certificate authority; it claims to be from “172.16.110.29”, which is a private IP address. This suggests that the network is either under (broken) administrative control or hostile (under attack). Based on your email address, I wonder whether this is a school PC running on a network where HTTPS interception software is deliberately installed for content-filtering purposes? If so, you’ll need to talk to the network administrator about installing the proper certificate.

      Like

      1. Workingman says:

        That Ip address is not even in my subnet or vlan. I ended up reloading the machine ( not due to that issue) and still have the same issue, There does not appear anyone else having this issue. I checked DHCP records and there is not a machine with that address in the last 2 weeks. My machine has a static assigned IP. Here is a log from the new reload. Here we love behind Palo Alto firewall /webfilter.

        PEM encoded chain:
        —–BEGIN CERTIFICATE—–
        MIIENzCCAx+gAwIBAgIQRUwrit6J5zB4inGLNZFzWzANBgkqhkiG9w0BAQsFADAY
        MRYwFAYDVQQDEw0xNzIuMTYuMTEwLjI5MB4XDTE3MDUxNjAwMDAwMFoXDTE4MDYy
        MjEyMDAwMFowaTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzAR
        BgNVBAcTCk1lbmxvIFBhcmsxFzAVBgNVBAoTDkZhY2Vib29rLCBJbmMuMRcwFQYD
        VQQDDA4qLmZhY2Vib29rLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
        ggEBAOspqgab9QMG+j5mYxU8Bhfus0ipAg6AgrdRVADvhDMLyCF03jyTcVxUbMzI
        Tc66bVM25VhJj7uNPHcBo1pKpXsD6JfU/nG8/9bnQ7o1EdCuz5w3RH1K4l4fXTOg
        ViG4qJ5dDDRwhc+yF1Q4/GXfeVt9R4bMzhv7xxAfWHGQuIrZgu/Yehwvbo3Jy5U/
        QxMjpvhQ+X5jPr+KCa6b2Jbr5XviY1ZKKtHqaXKKtiOrKw54hOAY5uabyMYgI+/O
        qbWb2Fy9eqQbY+hTPHfmjsJr6dbyTR+puSBbvJaa9hNxqZJINxA0yUWWUQUClilI
        BqMcFieGOgjH9E2AHkWO5akl9+sCAwEAAaOCASowggEmMB0GA1UdDgQWBBS4e9hh
        Wi5v4Mh9Zb0eQeIdA84lijCBxwYDVR0RBIG/MIG8gg4qLmZhY2Vib29rLmNvbYIO
        Ki54eC5mYmNkbi5uZXSCDioueHouZmJjZG4ubmV0ggxmYWNlYm9vay5jb22CCyou
        ZmJzYnguY29tgg4qLnh5LmZiY2RuLm5ldIIOKi5mYWNlYm9vay5uZXSCDyoubWVz
        c2VuZ2VyLmNvbYIIKi5mYi5jb22CBmZiLmNvbYILKi5mYmNkbi5uZXSCECoubS5m
        YWNlYm9vay5jb22CDW1lc3Nlbmdlci5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
        JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3
        DQEBCwUAA4IBAQCUzd8qHD2YIN7wWCLe4SFzC7s6pBeBoQBC6BnQUUNX981MscAd
        8neOVba+XqFHgdFeCc+muWahCry+eU9O+Wbjd56BSZXYIItHLIpjp5+TfOZSEPNr
        zquT0YSFTqHuUt/4XM+3tS5Drb6syWBVPoT2GVtgiuDLEhwnFBvcYKVKZzvDNaWo
        LFP1c4b/4IjGttKyTnGd6yYs/6oPIUhQDGnPWt2LE9FnLTkol8YJbomoUpfMxbrO
        Zs1hN2PlsuviSkWJOWmPSaOwEjKQ8PiA1/gatrhQT9csWoNzIaioHLpXNTavVPmI
        yQplghkZzRopbKcS5TI3+mwPlYpfvuQSqrHT
        —–END CERTIFICATE—–
        —–BEGIN CERTIFICATE—–
        MIIC0DCCAbigAwIBAgIJAKOG3Pf+UDCaMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
        BAMTDTE3Mi4xNi4xMTAuMjkwHhcNMTYwNzI1MjA1OTQ2WhcNMTcwNzI1MjA1OTQ2
        WjAYMRYwFAYDVQQDEw0xNzIuMTYuMTEwLjI5MIIBIjANBgkqhkiG9w0BAQEFAAOC
        AQ8AMIIBCgKCAQEAzglKK33cfOvqwe+B6czYLRxxvVHS4z/xrsFyyl037tZiYrGC
        fCi5D2rGzJPCmIe4eCTZPR4FItdltVVo6LxEmgA1zULCDoCRRYj3IOtsbgwchQmU
        FMScqjklY00rC6/dg9avvt/YkQxAj7QWbbHjbX7+OJLffyOX9YNW48vR/aQonMAX
        812bzCw+DINh+PtzGRrcDzRPHwhVaQgOteCMo1cus6KLpR1thTaKDhl6hTjpCoTD
        CLchh6dBk7aDPxDDP7hu6yH1uNdnUFa0pakf7JiGSJqs3c7Sdbu+qbGEdV/wgQ2U
        PLSso1i04RXDLbHWY6pp7QZvZKiw7K0HhgKqOwIDAQABox0wGzAMBgNVHRMEBTAD
        AQH/MAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsFAAOCAQEAVtj2bBJ75m/yV70y
        9kmiM/4aU0C98smi7DyEBBcmMK8tbM2brbhfWVxV8vuFIeCaI1M0uCUkWQTLS6IN
        N/z8EfU6OKQib8RI1Xjw3TLD66iHFuHJHFIwWaYHSE3Tmt4Reey04Y6xHbkWhdt6
        KGu0wRzI64Wya3tCQoTErAnu10ELmE6Ad//SQ72fZzeubGIoABVuH6gGQ/YqnQr1
        NBq8SJY0rvvAU8szPwwVmmyjJi2XT+SXkb+PwvJwn0GmRIMe/lY9kz5YpY0yosRm
        BNnbfgmO0x0C1+Xnq6kHgneCCGOhub+U2mS+wbJfpe0P2m0deTrd1zJZRIVX1JKF
        2rbZnQ==
        —–END CERTIFICATE—–

        Like

      2. The “172.16.110.29” string isn’t bound to anything, they could make it say anything they want. I’m not sure exactly what “love behind Palo Alto firewall” means, but yes, firewalls are a common source of interception certificates. If other users on the network aren’t having problems, it suggests that their PCs have been configured to trust the interception certificate, or their computers’ traffic is not being intercepted. You should speak to the network administrator.

        Like

      3. Larry LaCaT says:

        And ‘behind Palo Alto firewall /webfilter’ – could be the source of the authentication problem.

        Just caught this at the bottom of your last post.

        Re: 172.16.*.* : is a reserved address block, used by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices. They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.

        Like

  9. Thomas says:

    NET::ERR_CERT_AUTHORITY_INVALID
    Subject: chrome.google.com
    Issuer: Sophos SSL CA_C230764K629H441
    Expires on: 30 sept. 2020
    Current date: 17 août 2017
    PEM encoded chain:
    —–BEGIN CERTIFICATE—–
    MIIEUTCCAzmgAwIBAgIPAW5sLQtGzP498ITIdCxbMA0GCSqGSIb3DQEBCwUAMIGN
    MQswCQYDVQQGEwJHQjEUMBIGA1UECAwLT3hmb3Jkc2hpcmUxDzANBgNVBAoMBlNv
    cGhvczEMMAoGA1UECwwDTlNHMSYwJAYDVQQDDB1Tb3Bob3MgU1NMIENBX0MyMzA3
    NjRLNjI5SDQ0MTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBzb3Bob3MuY29tMB4X
    DTE3MDgxMDEyMzUxMVoXDTIwMDkzMDEyMzUxMVowHDEaMBgGA1UEAwwRY2hyb21l
    Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa+hpm
    fHYNdVfwa5bqLpShlwkELHgLYPlzVmH4NyaG3pE+x7FaGetVar3QBejO9TCh3l9W
    LxEU398mWzRyuspVY1s+zab6/OtRV+cnhoduMafEZM7RHRUy7Jlv0hTMsnYyJEUC
    55YwlV4xraBI68RHvOgqc8whDHbiW9MZG6a0uvyXvkmEv0ZxV+0i+b9BVojuj1tt
    v9niGYFIqsB0Yxw4o4n0EE2hBUdDjVm2zQOZ9W9CQJXad0WVj4rAUk7/2ztW6RJg
    EmK2fIw35Wk6nsqBHGoC5IVhGuTkwJMHhFSq+rC54i8ZQr4Ge87nTe3t5UVO+M6Y
    MVGCaDRuHBbE1y8nAgMBAAGjggEcMIIBGDAMBgNVHRMBAf8EAjAAMIG6BgNVHSME
    gbIwga+AFOZtO1r7aJZ6pAbQyNMetVBE5nisoYGTpIGQMIGNMQswCQYDVQQGEwJH
    QjEUMBIGA1UECAwLT3hmb3Jkc2hpcmUxDzANBgNVBAoMBlNvcGhvczEMMAoGA1UE
    CwwDTlNHMSYwJAYDVQQDDB1Tb3Bob3MgU1NMIENBX0MyMzA3NjRLNjI5SDQ0MTEh
    MB8GCSqGSIb3DQEJARYSc3VwcG9ydEBzb3Bob3MuY29tggEBMC0GCWCGSAGG+EIB
    DQQgFh5HZW5lcmF0ZWQgYnkgU29waG9zIEhUVFAgUHJveHkwHAYDVR0RBBUwE4IR
    Y2hyb21lLmdvb2dsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAJznXOGPfBvwsZOj
    w8pVee81DPGJhqiKDF7wk/HJmcd/NoP8CVjvZZknw4EY0poNYcxp+WcQ33ElnxcM
    mLrMimgRAwIYC5fG3CI3f7J9+VDItoLGgWxScbT7F4WLHFaCwddKXT1A4Meefdau
    Kakkxq3AV3UQRMvWO5FETBXaYuWO1auPNXPTi2MsWCj+SMu32dTwRJrzkCVpLbt+
    UlfpHndIYYc3Gjyj5f1o0lTG132GwydUtQbinl7US13Tq64lFFZO3ZGk7d8RebAf
    nKyMd6/GF3R9VEUy63fiEqsTZTGOiXWu1STiLZa3/HRmPu6yQy6zBrok/yDDA2fl
    VbnSmWs=
    —–END CERTIFICATE—–
    —–BEGIN CERTIFICATE—–
    MIIEiTCCA3GgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMCR0Ix
    FDASBgNVBAgMC094Zm9yZHNoaXJlMQ8wDQYDVQQKDAZTb3Bob3MxDDAKBgNVBAsM
    A05TRzEmMCQGA1UEAwwdU29waG9zIFNTTCBDQV9DMjMwNzY0SzYyOUg0NDExITAf
    BgkqhkiG9w0BCQEWEnN1cHBvcnRAc29waG9zLmNvbTAiGA8yMDE1MDgwMTAwMDAw
    MFoYDzIwMzYxMjMxMjM1OTU5WjCBjTELMAkGA1UEBhMCR0IxFDASBgNVBAgMC094
    Zm9yZHNoaXJlMQ8wDQYDVQQKDAZTb3Bob3MxDDAKBgNVBAsMA05TRzEmMCQGA1UE
    AwwdU29waG9zIFNTTCBDQV9DMjMwNzY0SzYyOUg0NDExITAfBgkqhkiG9w0BCQEW
    EnN1cHBvcnRAc29waG9zLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
    ggEBANr6GmZ8dg11V/BrluoulKGXCQQseAtg+XNWYfg3JobekT7HsVoZ61VqvdAF
    6M71MKHeX1YvERTf3yZbNHK6ylVjWz7Npvr861FX5yeGh24xp8RkztEdFTLsmW/S
    FMyydjIkRQLnljCVXjGtoEjrxEe86CpzzCEMduJb0xkbprS6/Je+SYS/RnFX7SL5
    v0FWiO6PW22/2eIZgUiqwHRjHDijifQQTaEFR0ONWbbNA5n1b0JAldp3RZWPisBS
    Tv/bO1bpEmASYrZ8jDflaTqeyoEcagLkhWEa5OTAkweEVKr6sLniLxlCvgZ7zudN
    7e3lRU74zpgxUYJoNG4cFsTXLycCAwEAAaOB7TCB6jAdBgNVHQ4EFgQU5m07Wvto
    lnqkBtDI0x61UETmeKwwgboGA1UdIwSBsjCBr4AU5m07WvtolnqkBtDI0x61UETm
    eKyhgZOkgZAwgY0xCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtPeGZvcmRzaGlyZTEP
    MA0GA1UECgwGU29waG9zMQwwCgYDVQQLDANOU0cxJjAkBgNVBAMMHVNvcGhvcyBT
    U0wgQ0FfQzIzMDc2NEs2MjlINDQxMSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QHNv
    cGhvcy5jb22CAQEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAC2QH
    hRBSGqq8RSdy7i/ad0Fwt1iec+hFqQaYp7Tt52j8dqd4qQVa2UCfxffLRrIHbw6F
    gTa5/kRG1k3/WIx2QM957whbTZHcRnyVFZrdFH69s4ji3oV/PXQAJG1m3kGckI3/
    gXP55QN6fYup5uxDWoEQuIvpORxbDIAmL7ezq5c44nyxSHGzTvoCtUUBakip28nx
    zXj4UbhWEmrzmatuKcFnjw0zlX5w1XVrsooeUez0OoR+vWy4EhXLa1PFeXPHBt7G
    fPfqpkfvcFsmnr6QWgYawjiN1PmpkV2Zjf/Ts+xHo3xQglDtkwxdsf2TKLN1Qmzv
    lRz7LIrI0z5mJ2B36w==
    —–END CERTIFICATE—–

    Like

    1. This issue is caused by a Sophos security product, either a local security product installed on your PC or a network-based device running Sophos content-filtering. If you have Sophos installed, you’ll either need to uninstall it or reinstall it. If you are on a managed network with a Sophos security product filtering at the network level, you’ll need to talk to the network administrator about installing the necessary certificate on your PC.

      Like

  10. Ragha Chaitanya says:

    Iam getting the below error and not able to access any websites on my browser.

    Attackers might be trying to steal your information from http://www.bing.com (for example, passwords, messages, or credit cards). Learn more
    NET::ERR_CERT_AUTHORITY_INVALID
    Subject: Daniel
    Issuer: Daniel
    Expires on: Sep 7, 2006
    Current date: Aug 26, 2017
    PEM encoded chain:
    —–BEGIN CERTIFICATE—–
    MIIDgzCCAuygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBjjELMAkGA1UEBhMCVUEx
    EjAQBgNVBAgTCUNhbGlmb25pYTEPMA0GA1UEBxMGSXJ2aW5lMREwDwYDVQQKEwhC
    cm9hZGNvbTESMBAGA1UECxMJQnJvYWRiYW5kMQ8wDQYDVQQDEwZEYW5pZWwxIjAg
    BgkqhkiG9w0BCQEWE2tpZGluZ0Bicm9hZGNvbS5jb20wHhcNMDYwODA3MjMzMTIx
    WhcNMDYwOTA2MjMzMTIxWjCBjjELMAkGA1UEBhMCVUExEjAQBgNVBAgTCUNhbGlm
    b25pYTEPMA0GA1UEBxMGSXJ2aW5lMREwDwYDVQQKEwhCcm9hZGNvbTESMBAGA1UE
    CxMJQnJvYWRiYW5kMQ8wDQYDVQQDEwZEYW5pZWwxIjAgBgkqhkiG9w0BCQEWE2tp
    ZGluZ0Bicm9hZGNvbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOoE
    anmsp8b0bUKiI7KeSEK0r6jUvKmP/DoPw2bMH8ufU3NrMrUxiqTWYw1hf21T9oZ/
    75V1N4KPHE8XXuMLgAaIhBS1ynj2hrzqrK7+uVp+tV7Txwg8w/XoMRacMRLVk94W
    eCHwC574sIq54EX0Ah6GmO4D045J4xiT595wB7ztAgMBAAGjge4wgeswHQYDVR0O
    BBYEFDTJsJlw8ckQu3dWh5SGlXAQ03ECMIG7BgNVHSMEgbMwgbCAFDTJsJlw8ckQ
    u3dWh5SGlXAQ03ECoYGUpIGRMIGOMQswCQYDVQQGEwJVQTESMBAGA1UECBMJQ2Fs
    aWZvbmlhMQ8wDQYDVQQHEwZJcnZpbmUxETAPBgNVBAoTCEJyb2FkY29tMRIwEAYD
    VQQLEwlCcm9hZGJhbmQxDzANBgNVBAMTBkRhbmllbDEiMCAGCSqGSIb3DQEJARYT
    a2lkaW5nQGJyb2FkY29tLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
    BAUAA4GBALLOjmpWnkYw6YZb6pdJroI5kqe91hGF5ggThizb7yWJiOA2rcu1V7Nh
    3P+P5T0tfhtkK836/BxTNoKwrqReTA0foDiwePVZoZGShQJSjACLORlephI5bOoN
    a3niYZzczetzE886qH55f2puX4Ghflrm3YGvP8qBq/QDdyCpzlTp
    —–END CERTIFICATE—–

    Like

  11. Jeff says:

    NET::ERR_CERT_AUTHORITY_INVALID

    This started yesterday and now I can’t access Google or my Gmail. Any help in fixing this issue would be greatly appreciated.

    Thanks…

    Attackers might be trying to steal your information from http://www.google.com (for example, passwords, messages, or credit cards). Learn more
    NET::ERR_CERT_AUTHORITY_INVALID
    Subject: http://www.google.com
    Issuer: Google Internet Authority G3
    Expires on: Nov 24, 2017
    Current date: Sep 8, 2017
    PEM encoded chain:
    —–BEGIN CERTIFICATE—–
    MIIEjDCCA3SgAwIBAgIILmsD4AVXNOswDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
    BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
    R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xNzA5MDExMTA4NTVaFw0x
    NzExMjQwOTQyMDBaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
    MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgSW5jMRcw
    FQYDVQQDDA53d3cuZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
    AQoCggEBAJv7/JwGtdDrjO3dxeDUh+uogbcgIXEde86Kz7kgTepUJMnd7m6ttQj0
    OTCK120SqKmDuSLpqjytpWgKbl+aiLtqV8Y0hEkp++Qj3tcBJZ15CceT6ezEGlWh
    xo/LB3ISZbyvkIl50l/aVa3F/wVIS/7STYQHJWakjXmqP5UVCxWbNWr5RvXGlZis
    EVbmofHBoVcjb4NdUxGtPCurfe5KjL/ipfQVaqPYGf5SV8+nOAhEmjYVOvSK6ihj
    Z461aOxDCuP6+nhl90w9aKcjfu6d1JKiuqEYfBUfHzHNc08u7e2uyHxE852sQJo7
    m0h5IUJR8TNvoAZgP2Ch5KvZFnJsEBsCAwEAAaOCAUwwggFIMB0GA1UdJQQWMBQG
    CCsGAQUFBwMBBggrBgEFBQcDAjAZBgNVHREEEjAQgg53d3cuZ29vZ2xlLmNvbTBo
    BggrBgEFBQcBAQRcMFowLQYIKwYBBQUHMAKGIWh0dHA6Ly9wa2kuZ29vZy9nc3Iy
    L0dUU0dJQUczLmNydDApBggrBgEFBQcwAYYdaHR0cDovL29jc3AucGtpLmdvb2cv
    R1RTR0lBRzMwHQYDVR0OBBYEFGmFXEf+fETC9vNzokyb+62H5VgoMAwGA1UdEwEB
    /wQCMAAwHwYDVR0jBBgwFoAUd8K4UJpndnaxLcKG0IOgfqZ+ukswIQYDVR0gBBow
    GDAMBgorBgEEAdZ5AgUDMAgGBmeBDAECAjAxBgNVHR8EKjAoMCagJKAihiBodHRw
    Oi8vY3JsLnBraS5nb29nL0dUU0dJQUczLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
    VHk095Iic+lF83SkS2fiwTdSG7N7PAnB8QBu+Ao0XFIfNXBqchKq9bJb9vGd/inA
    sgN50lEdjmuFNlcBGE+fJs+4Zw/r0ENI7oHoRCQux5X0okWXI/Q0ieCXSJbhXHOV
    3pTL3qDLYyr1dAo4wtDxHH3sNYoZo+puuIk3DA5yZ7w9Ld8ddrnytgZKgkQhxj0P
    /dlTyBTdpCSEh3P/jsZEtdxw1yKrefJqMlwP8ZK3lPF/d6JJ+NXeCa2aKEFIr9F+
    KneaoZK9idUSpv0pYRXKQKaTMUMgHFtWVMiBqN0BU9y8loMx+fzMDUftgSE8+dR9
    xyEKQTai3n161CUxkwfhTQ==
    —–END CERTIFICATE—–
    —–BEGIN CERTIFICATE—–
    MIIEXDCCA0SgAwIBAgINAeOpMBz8cgY4P5pTHTANBgkqhkiG9w0BAQsFADBMMSAw
    HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs
    U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy
    MTUwMDAwNDJaMFQxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg
    U2VydmljZXMxJTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzMw
    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKUkvqHv/OJGuo2nIYaNVW
    XQ5IWi01CXZaz6TIHLGp/lOJ+600/4hbn7vn6AAB3DVzdQOts7G5pH0rJnnOFUAK
    71G4nzKMfHCGUksW/mona+Y2emJQ2N+aicwJKetPKRSIgAuPOB6Aahh8Hb2XO3h9
    RUk2T0HNouB2VzxoMXlkyW7XUR5mw6JkLHnA52XDVoRTWkNty5oCINLvGmnRsJ1z
    ouAqYGVQMc/7sy+/EYhALrVJEA8KbtyX+r8snwU5C1hUrwaW6MWOARa8qBpNQcWT
    kaIeoYvy/sGIJEmjR0vFEwHdp1cSaWIr6/4g72n7OqXwfinu7ZYW97EfoOSQJeAz
    AgMBAAGjggEzMIIBLzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUH
    AwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHfCuFCa
    Z3Z2sS3ChtCDoH6mfrpLMB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYu
    MDUGCCsGAQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdv
    b2cvZ3NyMjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dz
    cjIvZ3NyMi5jcmwwPwYDVR0gBDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYc
    aHR0cHM6Ly9wa2kuZ29vZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEA
    HLeJluRT7bvs26gyAZ8so81trUISd7O45skDUmAge1cnxhG1P2cNmSxbWsoiCt2e
    ux9LSD+PAj2LIYRFHW31/6xoic1k4tbWXkDCjir37xTTNqRAMPUyFRWSdvt+nlPq
    wnb8Oa2I/maSJukcxDjNSfpDh/Bd1lZNgdd/8cLdsE3+wypufJ9uXO1iQpnh9zbu
    FIwsIONGl1p3A8CgxkqI/UAih3JaGOqcpcdaCIzkBaR9uYQ1X4k2Vg5APRLouzVy
    7a8IVk6wuy6pm+T7HT4LY8ibS5FEZlfAFLSW8NwsVz9SBK2Vqn1N0PIMn5xA6NZV
    c7o835DLAFshEWfC7TIe3g==
    —–END CERTIFICATE—–
    —–BEGIN CERTIFICATE—–
    MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
    A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
    Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
    MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
    A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
    hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
    v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
    eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
    tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
    C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
    zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
    mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
    V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
    bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
    3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
    J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
    291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
    ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
    AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
    TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
    —–END CERTIFICATE—–

    Like

    1. Jeff– Which version of which Operating System are you using? Do you have any third party security software installed, especially anything like “Comodo Internet Security Essentials”?

      Like

      1. Hrm. This is a bit surprising. Do you have any pending updates from WindowsUpdate? Are you on a home machine, or one managed by a corporate network administrator?

        Like

  12. Chrome Version 61.0.3163.100 (Official Build) (64-bit) on Ubuntu 16.04 trying to open facebook.com, http://www.facebook.com, http//facebook.com & https//facebook.com

    —–BEGIN CERTIFICATE—–
    MIIH5DCCBsygAwIBAgIQDACZt9eJyfZmJjF+vOp8HDANBgkqhkiG9w0BAQsFADBw
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
    dXJhbmNlIFNlcnZlciBDQTAeFw0xNjEyMDkwMDAwMDBaFw0xODAxMjUxMjAwMDBa
    MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwpN
    ZW5sbyBQYXJrMRcwFQYDVQQKEw5GYWNlYm9vaywgSW5jLjEXMBUGA1UEAwwOKi5m
    YWNlYm9vay5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASg8YyvpzmIaFsT
    Vg4VFbSnRe8bx+WFPCsE1GWKMTEi6qOS7WSdumWB47YSdtizC0Xx/wooFJxP3HOp
    s0ktoHbTo4IFSjCCBUYwHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjsw
    HQYDVR0OBBYEFMuYKIyhcufiMqmaPfINoYFWoRqLMIHHBgNVHREEgb8wgbyCDiou
    ZmFjZWJvb2suY29tgg4qLmZhY2Vib29rLm5ldIIIKi5mYi5jb22CCyouZmJjZG4u
    bmV0ggsqLmZic2J4LmNvbYIQKi5tLmZhY2Vib29rLmNvbYIPKi5tZXNzZW5nZXIu
    Y29tgg4qLnh4LmZiY2RuLm5ldIIOKi54eS5mYmNkbi5uZXSCDioueHouZmJjZG4u
    bmV0ggxmYWNlYm9vay5jb22CBmZiLmNvbYINbWVzc2VuZ2VyLmNvbTAOBgNVHQ8B
    Af8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1UdHwRu
    MGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZl
    ci1nNS5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWhh
    LXNlcnZlci1nNS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEF
    BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwgYMG
    CCsGAQUFBwEBBHcwdTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
    Y29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
    aUNlcnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAA
    MIICsAYKKwYBBAHWeQIEAgSCAqAEggKcApoAdgCkuQmQtBhYFIe7E6LMZ3AKPDWY
    BPkb37jjd80OyA3cEAAAAVjl02IEAAAEAwBHMEUCIQDvWFsUeqWE/xwIYcXPvbb5
    ExzfHBZTNwfnUf4RPO/lBgIgdOGmr0j7+u8/S+7tfFw71ZEjqpwJELl/sEFuQdPn
    pwQBLwCsO5rtf6lnR1cVnm19V1Zy+dmBAJQem97/7KExO3V4LQAAAVjl02IoAAAE
    AQEAYvnMV+BfP3Wrk4yFQE/Zx5WsjSabYOpLj1Tj5xFaoVoHdGqLCf/Hi+Vv0IRy
    ePKFBCSW0+3eA589+WnCDMwcJlBYeZV8MlvHFZg3a66Uhx/OAvoetb0mCtUpnmIE
    UwLX/eMNEvjg2qTH3/33ysCo2l25+/EcR8upF+2KIcmnk5WwaJzfq7cFPQc4Cvcz
    mTHasJi/jmVaIaJ9HC50g3dx584TQX26lDLddF/Li4uEbJ7TSopnTzjQdWBtWbMF
    h3bcfhFCKaqK2kIJV3bgup5HibEnZ2LPm6lekY072ZFCGM4QYc4ukqzou2JWCRmG
    o0dMHJhnvQXpnIQGwATqCD4Q1AB2AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+U
    mFXWidDdAAABWOXTYrkAAAQDAEcwRQIgGhXXbwUO5bD4Ts/Q0gqZwUS2vl/A4Hem
    k7ovxl82v9oCIQCbtkflDXbcunY4MAQCbKlnesPGc/nftA84xDhJpxFHWQB3AO5L
    vbd1zmC64UJpH6vhnmajD35fsHLYgwDEe4l6qP3LAAABWOXTZBEAAAQDAEgwRgIh
    AKubngQoa5Iak8eCOrffH7Xx3AP1NMb5pFw35nt2VSeRAiEA47Kq1UQcDXIEsV+W
    nuPd9LM5kpdeu0+TiHKtTLRQr0swDQYJKoZIhvcNAQELBQADggEBADrNSsoonbj1
    YGjwy9t9wP9+kZBwrNMO2n5N5fQNhGawkEAX+lXlzgm3TqYlTNi6sCFbPBAErim3
    aMVlWuOlctgnjtAdmdWZ4qEONrBLHPGgukDJ3Uen/EC/gwK6KdBCb4Ttp6MMPY1c
    hb/ciTLi3QUUU4h4OJWqUjvccBCDs/LydNjKWZZTxLJmxRSmfpyCU3uU2XHHMNlo
    8UTIlqZsOtdqhg7/Q/cvMDHDkcI/tqelmg0MD2H9KpcmAvVkwgjn+BVpv5HELl+0
    EP0UhYknI1B6LBecJuj7jI26eXZdX35CYkpI/SZA9KK+OYKHh6vCxKqnRZ9ZQUOj
    XnIWKQeV5Hg=
    —–END CERTIFICATE—–
    —–BEGIN CERTIFICATE—–
    MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
    ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
    MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
    LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
    YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
    4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
    Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
    itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
    4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
    sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
    bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
    MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
    NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
    dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
    L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
    BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
    UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
    aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
    aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
    E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
    /D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
    xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
    0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
    cPUeybQ=
    —–END CERTIFICATE—–

    Like

    1. This is Facebook’s certificate. You need to include the error code text from above the certificate info for me to provide more guidance on what you should try next.

      Like

      1. I hope this is what you’re after . . .
        NET::ERR_CERT_AUTHORITY_INVALID
        Subject: *.facebook.com
        Issuer: DigiCert SHA2 High Assurance Server CA
        Expires on: 25 Jan 2018
        Current date: 29 Sep 2017

        Like

    1. Alas, that didn’t do it. All the updates have been run. I ran “sudo update-ca-certificates” and got . . .
      Updating certificates in /etc/ssl/certs…
      0 added, 0 removed; done.
      Running hooks in /etc/ca-certificates/update.d…

      Still “Privacy error”. Do I assume that I have to follow this up with Mr & Mrs Ubuntu? If so, why does Firefox work?

      Like

      1. Firefox uses its own trusted certificate stores (it does not delegate to the operating system).

        If you open chrome://settings/certificates and click the Authorities tab, then scroll down to “org-DigiCert Inc” is there an entry for “DigiCert High Assurance EV Root CA” present? If so, click the dot-dot-dot on the right and choose “Edit”. Are all three checkboxes ticked?

        Like

      2. Aha! “Trust this certificate for identifying websites” was not ticked.

        It would be wonderful if this advice were attached to the original error message. Were it so, you might not have so much work to do, Eric.

        This is a great service. Thank you very much.

        Like

  13. Larry LaCaT says:

    Pete: In your orig 9/28 post, you included only 2 cert blocks. There are usually 3. The two you attached are for facebook and it’s issuer DigiCert SHA2 High Assurance Server CA. Both are good. The missing 3rd one is for the issuer to the Server CA cert and is the one referenced by Eric’s last post: “DigiCert High Assurance EV Root CA” The problem may be with the Root CA.

    These are my somewhat date and unverified notes on updating libnss in Ubuntu. I don’t think this applies because your problem is only with this one FB cert (at least as reported so far).. Sorry if this is just spam..

    Add a line to the sources.list file
    sudo vim /etc/apt/sources.list, add:
    deb http://security.ubuntu.com/ubuntu trusty-security main
    Then run
    sudo apt-get update
    sudo apt-get upgrade libnss3 (some use: apt-get install libnss3-1d)
    Check what you have
    sudo spkg-query –list | grep libnss (which may update many packages)
    Restart chrome

    Like

    1. There were only two certificates. I also had the same problem with corporate Citrix logon page.
      Both were fixed by Eric’s fix.

      You may be able to shed some light on this: Was the problem with Chrome’s or Ubuntu’s?

      Thank you for your advice.

      Like

      1. This is very unusual; I’ve never heard of anyone ever having the trust bit unset for a root unexpectedly. I don’t know whether there’s something somewhere in the Ubuntu configuration that can control this, or if it’s only editable through the chrome://settings UI.

        Like

      2. Larry LaCaT says:

        Eric: I hope Snoopy’s smiling today. Our two replies of similar content (mine’s just below) have the same timestamp, down to the minute.

        Like

  14. Larry LaCaT says:

    Pete: Nice learning exercise. If you had posted the 3rd (Root CA) PEM block with your original post, we might have gotten here quicker too. Was the 3rd block not displayed when you clicked the NET::ERR tag? I often forget to scroll down and grab all the text..

    Like

      1. Larry LaCaT says:

        Pete: Re: Only 2 certs and Chrome vs Ubuntu

        Chrome uses OS services (Windows, Linux, Mac) for some things. In this case, chrome’s using the OS network stack for transport and the OS certificate management services for authentication. The authentication cert path typically has 3 layers: site cert->Server CA cert->Root CA cert. The problem was the DigiCert Root CA (CertAuthority) cert, with a missing the ‘OK for web site auth’ flag in the OS cert DB. When you go through chrome://settings/certificates, you’re using the chrome GUI to update the underlying OS cert store (? /var/db/crls/ ?).

        I can only speculate why the web-site auth flag was not set. Linux/Ubuntu chrome is a well used configuration. It works well for nearly everyone. There must have been something unique in your config history, possibly related to other browsers, security or a setup glitch, that disabled or never set this flag.

        Re: Only 2 certs – displayed with the NET::ERR label: When you went to facebook, the cert path authentication flowed from the facebook cert to it’s issuer: DigiCert….Server CA, but was shortstopped from completing the path to a Root CA by the missing ‘OK for use as web-site ID’ flag. At this point, the chrome authentication failed, displayed the NET::ERR_CERT_AUTHORITY_INVALID error, but only had 2 certs (PEM blocks) to present. The undisplayed root cert was another clue about the underlying failure.

        Sorry for my responses being out-of-order. I see a question on my email, do some research, compose a reply and often miss the most recent traffic before I hit send..

        Like

  15. GyaxyBoy says:

    Hi!

    Pls help!

    —–BEGIN CERTIFICATE—–
    MIIFsTCCBJmgAwIBAgIDBv3gMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
    MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy
    NTYgQ0EgLSBHMzAeFw0xNTA5MTYwMDMzMDJaFw0xNzA5MTgwNDAzNDVaMIGbMRMw
    EQYDVQQLEwpHVDU4MDczMzAyMTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv
    bS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW
    YWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEgMB4GA1UEAxMXc2VhcmNoLmRuc2FkdmFu
    dGFnZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwktbK5LPl
    uxgTMNXpsrnP/FeT474yEim1KqdD/jsQFYIAZKVSbxU2oMqRqWqTSWVGbrOfNGcO
    Wm8wt8ZsW74RBDPnmta7TSCmXqMKWYSUOrBSCz9+WKZhubLjLKmfm89sxeoH793b
    OABGhdc/DK+fbZC2wnINx7oSV3WrVrq6QlcenOlqlLOiO/ec5CKWy7SEk0ahm0Xj
    xwrj2iY/Z3hhcMe7M0g0i7Vy+y6tEak+sMmfCZaq0VYlmQbbCaMjltgXLkJvNYPI
    rt/K8ttC5EZuTeVWTeWnY02LIUZT4qsvZQmgwnCQzlumY3gXabH5qgEUGy6NuB2/
    lDD9wm+OAO8FH72DwNggfiJWtPnqd8R4oqNrXhoHzl7RPpr6s4siQv7ql4PbCSbY
    N/iraMPqJksl+Zi6gjnk1u2MGa6c93lhiea8tTeZgDZV3vpw+IuQC5YW+/ZYlz8V
    Np1kkUIl4kp/HptDUTsrA83xNXQ6WuYEzJ/fSHwTg33i559tMIVVwJx5OBRkXC9k
    +kvUiWzyEuhUXO6l9tECebrV5YT2wPMc1RZvcxbyWlxqal7KKIzsxKtKYF0FqZ/c
    IF2amCHTbS3k+8Rdwl0SOGfFeSdSO4N7MoyGlBAg5GSjC9F96pxkLNZR1BYJauZD
    pm/OsouqSYOez1BlMwF//dzyDI/gu3+JXwIDAQABo4IBTzCCAUswHwYDVR0jBBgw
    FoAUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUF
    BzABhhNodHRwOi8vZ3Yuc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ3Yu
    c3ltY2IuY29tL2d2LmNydDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB
    BQUHAwEGCCsGAQUFBwMCMCIGA1UdEQQbMBmCF3NlYXJjaC5kbnNhZHZhbnRhZ2Uu
    Y29tMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9ndi5zeW1jYi5jb20vZ3YuY3Js
    MAwGA1UdEwEB/wQCMAAwQQYDVR0gBDowODA2BgZngQwBAgEwLDAqBggrBgEFBQcC
    ARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0GCSqGSIb3DQEBCwUA
    A4IBAQCsluwg3oAwyL6opH9Hjopmc1Ufb12ByI+DG+TglevvvDn/UNa5oxjTo87V
    EWqCKrYvzB9AUT62KVtlu8B+J01eo4vLunhZLGxxQW25VMrwmWPF03rAwDNPsP0L
    /S5+VmxeCvvXUu/2Hy/K36/xjsezALgKZgigPeyb2gTciXl7PlybDIpM2vDtklBr
    nW4JB8j9jb+L8S6sK9JHPv6V++wFvWCR/b82wdaBakgqXmu4Pw/NzolckM9Zkd2f
    vD2XalV31iAWQ3hLtBHv/b9zI4C/Y1N3zvp6E1FGCBG2DTWqbS+7iyrlipQ7Ly6U
    bER4APY1wPEt+CQcRF/AMyCN/bmS
    —–END CERTIFICATE—–

    Thanks

    Like

    1. This is a certificate for the domain search.dnsadvantage.com which expired on September 17th, 2017. That site does not appear to be available over HTTPS, but “search.dnsadvantage.com” appears to be the name of a virus/malware/adware package that you’ll need to remove from your PC.

      Like

  16. vijay says:

    i am also similar kind of issue can you please help me on this

    NET::ERR_CERT_COMMON_NAME_INVALID
    Subject: *.tailorman.com
    Issuer: Amazon
    Expires on: Oct 1, 2018
    Current date: Oct 16, 2017
    PEM encoded chain:
    —–BEGIN CERTIFICATE—–
    MIIEUjCCAzqgAwIBAgIQBB8c9xS17e1YEIUTdXYA0jANBgkqhkiG9w0BAQsFADBG
    MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg
    Q0EgMUIxDzANBgNVBAMTBkFtYXpvbjAeFw0xNzA5MDEwMDAwMDBaFw0xODEwMDEx
    MjAwMDBaMBoxGDAWBgNVBAMMDyoudGFpbG9ybWFuLmNvbTCCASIwDQYJKoZIhvcN
    AQEBBQADggEPADCCAQoCggEBAMNkRK3e15OzAwW7LqB65X2a8FQI5C8RdoxuoZ/z
    3fbhtam//TykZcVx6cTyZsmzopKdWVzDDYDT24yogpKtZ6F/dfj17lWXmVIg5h23
    6NNjHPHJJ2JVODyNOH0JGnkfLa1aPRHB7qI29WScB/WwP8N6sJkT4KIFEKaHl86I
    hCOo6nO+WK9dFXAWxZ0VQZsNcC7vbPI+CLWDPmQB6YQc2txHiXW0dFtTFMRSm82N
    8j4IoZ0mNJL8RFtHKHPlOudJD91wUC6V3xa1KN6BpbHfbOTA1hzPN7wXracwg4Hd
    qxyE9/2UT+rTPWNfY9yDtMGsqQ5davCR/APlYLE7+B5O2pkCAwEAAaOCAWYwggFi
    MB8GA1UdIwQYMBaAFFmkZgZSoHuVkjyjlAcnlnRb+T3QMB0GA1UdDgQWBBT/H3e2
    c71VwwluLvNyowwNq3etrzAaBgNVHREEEzARgg8qLnRhaWxvcm1hbi5jb20wDgYD
    VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA7BgNV
    HR8ENDAyMDCgLqAshipodHRwOi8vY3JsLnNjYTFiLmFtYXpvbnRydXN0LmNvbS9z
    Y2ExYi5jcmwwEwYDVR0gBAwwCjAIBgZngQwBAgEwdQYIKwYBBQUHAQEEaTBnMC0G
    CCsGAQUFBzABhiFodHRwOi8vb2NzcC5zY2ExYi5hbWF6b250cnVzdC5jb20wNgYI
    KwYBBQUHMAKGKmh0dHA6Ly9jcnQuc2NhMWIuYW1hem9udHJ1c3QuY29tL3NjYTFi
    LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQArSJh6Qv6Hsx4s
    4j6qn/B4BlVysry6yxF2a/0oIKP6KUbeO+ogvDQgL4qoTPk4REcBtCdEuUmU3uVg
    OmVDazwzScCXmn0f+uCQHO/uA8eK8WnpMDNPb+jwmaJXguEkRO7694wh4AWYs9in
    xX6e3JMux5BW/H/6gxsXXqFpdUHc3eQLGJKnxM8FhgsRtt2Cul4Ne1CMPVMy1NTm
    5M11UO4jnQiFYnVPJPEEGRxvqeFclZpvtrlMveoLjlwbHz6CxJrPbtFjYVS6SnAh
    2KSSsfsPorSIrE7Hf5exB97gaKElP+fxFxHq3XbaVAyHYtRKSkqz1KjMqhEOwes6
    ZczNMOhR
    —–END CERTIFICATE—–

    Like

  17. vijay says:

    this one i have using
    tailorman.com

    but the thing is, when i am typing the url on browser it is working fine, like tailorman.com or http://www.tailorman.com working fine.
    but when redirecting happen i am facing this issue,
    like in hangouts , skype or mail when i am click this url this issue is happens.
    can you please help me on this

    Like

  18. ali margal says:

    NET::ERR_CERT_AUTHORITY_INVALID
    Subject: mail.google.com
    Issuer: Bitdefender Personal CA.Net-Defender
    Expires on: 29 déc. 2017
    Current date: 18 oct. 2017

    Like

    1. @alimargal: The problem is that your “Bitdefender Personal Defender” antivirus program is misconfigured. You will either need to disable its HTTPS inspection feature, reinstall that software, or remove that software.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s