Sometimes, when you try to load a HTTPS address in Chrome, instead of the expected page, you get a scary warning, like this one:
Chrome has found a problem with the security of the connection and has blocked loading the page to protect your information.
In a lot of cases, if you’re just surfing around, the easiest thing to do is just find a different page to visit. But what happens if this happens on an important site that you really need to see? You shouldn’t just “click through” the error, because this could put your device or information at risk.
In some cases, clicking the ADVANCED link might explain more about the problem. For instance, in this example, the error message says that the site is sending the wrong certificate; you might try finding a different link to the site using your favorite search engine.
Or, in this case, Chrome explains that the certificate has expired, and asks you to verify that your computer clock’s Date and Time are set correctly:
You can see the specific error code in the middle of the text:
Some types of errors are a bit more confusing. For instance, NET::ERR_CERT_AUTHORITY_INVALID means that the site’s certificate didn’t come from a company that your computer is configured to trust.
Google Internet Authority G3?
If the root certificate is from Google Internet Authority G3, see this article.
Errors Everywhere?
What happens if you start encountering errors like this on every HTTPS page that you visit, even major sites like https://google.com?
In such cases, this often means that you have some software on your device or network that is interfering with your secure connections. Sometimes this software is well-meaning (e.g. anti-virus software, ad-blockers, parental control filters), and sometimes it’s malicious (adware, malware, etc). But even buggy well-meaning software can break your secure connections.
If you know what software is intercepting your traffic (e.g. your antivirus) consider updating it or contacting the vendor.
Getting Help
If you don’t know what to do, you may be able to get help in the Chrome Help Forum. When you ask for help, please include the following information:
- The error code (e.g. NET::ERR_CERT_AUTHORITY_INVALID).
- To help the right people find your issue, consider adding this to the title of your posting.
- What version of Chrome you’re using. Visit chrome://version in your browser to see the version number
- The type of device and network (e.g. “I’m using a laptop on wifi on my school’s network.”)
- The error diagnostic information.
You can get diagnostic information by clicking or tapping directly on the text of the error code: . When you do so, a bunch of new text will appear in the page:
You should select all of the text:
…then hit CTRL+C (or Command ⌘+C on Mac) to copy the text to your clipboard. You can then paste the text into your post. The “PEM encoded chain” information will allow engineers to see exactly what certificate the server sent to your computer, which might shed light on what specifically is interfering with your secure connections.
With any luck, we’ll be able to help you figure out how to surf securely again in no time!
-Eric
NET::ERR_CERT_AUTHORITY_INVALID
Subject: *.google.com
Issuer: Google Internet Authority G3
Expires on: Ago 26, 2018
Current date: Jun 11, 2018
Please see https://textslashplain.com/2017/10/23/google-internet-authority-g3/
NET::ERR_CERT_AUTHORITY_INVALID
Subject: docs.google.com
Issuer: Cisco Umbrella Secondary SubCA jnb-SG
Expires on: Sep 25, 2018
current date: Sep 22, 2018
PEM encoded chain:
“Cisco Umbrella” here indicates that the network administrator is performing a MITM attack on your computer. If you’re at work, talk to the IT department. If you’re on a guest Wifi hotspot try visiting a http page like neverssl.com to see if the network has a login page.
NET::ERR_CERT_COMMON_NAME_INVALID
Subject: K7WebProxyVerifyError-18-edistricts.tn.gov.in
Issuer: K7 Web Proxy
Your traffic is being intercepted by a Monster-in-the-Middle proxy, which looks to be from a school in India. If you’re on their network, you’ll need to talk to the administrator about installing their certificate.
NET::ERR_CERT_AUTHORITY_INVALID
Subject: http://www.youtube.com
Issuer: Cisco Umbrella Secondary SubCA yvr-SG
Expires on: Jun 30, 2019
Current date: Jun 27, 2019
Yup, “Cisco Umbrella Secondary SubCA” means that your network administrator is intercepting HTTPS traffic using a Cisco traffic filtering device. You’ll need to talk to them about installing the correct certificate on your device and/or unblocking this site.
Chrome, firefox or Edge I keep getting the damn NET::ERR_CERT_COMMON_NAME_INVALID error on sites like google.com, but not google.com.au . A fresh install makes it go away for a bit. I reinstall all my programs the same day and it still works, 2 days later every time it comes back though I have added no software in that time. It is driving me mad. Any help would be extremely appreciated. Details are
NET::ERR_CERT_COMMON_NAME_INVALID
Subject: http://www.google.com.au
Issuer: DigiCert Global Root G1A
Expires on: 23 Dec 2030
Current date: 23 Dec 2020
PEM encoded chain:
—–BEGIN CERTIFICATE—–
MIIDfjCCAmagAwIBAgIQYbpR61Scfb5AvWLIabFHRjANBgkqhkiG9w0BAQsFADAj
MSEwHwYDVQQDDBhEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMUEwHhcNMTkxMjIzMDE0
OTQxWhcNMzAxMjIzMTI0OTQxWjAcMRowGAYDVQQDDBF3d3cuZ29vZ2xlLmNvbS5h
dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANetId+bMuGcMmZQFAjl
wZtY7tvOOwzygtxplWm/h6J7cMipl/SwiDU8DXewP98LGbnV5JOijwMdPVq2U0eY
BYlvNRodOrLYS2RoVqBGRfF9UoE3s65CX4ovWcG9xG8xglWm1ihqO57Aej3Ufui8
//fur0/U49OzDvlZR2YoKhNNDb/X0zB0eHWCvjdGgGeSIAedmaY7s1GI9xA4LLk8
uiyfPH5psMFsP5ZDusw6XjA42jbckGP4xLvfsj2L0dt13YUJlDmqVf10k1HS5OQB
3E/ul6rcdiKfmwtCa6RZvT1qQ/VMX3X8XF/InQHtIIHqD/FD9txpFGYaVKaTCkZ6
hbkCAwEAAaOBtDCBsTATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA
MA4GA1UdDwEB/wQEAwIFoDA8BgNVHREENTAzghF3d3cuZ29vZ2xlLmNvbS5hdYIP
Ki5nb29nbGUuY29tLmF1gg1nb29nbGUuY29tLmF1MB8GA1UdIwQYMBaAFKDf8cTp
rtcL56JxFWhPhLGXmdlyMB0GA1UdDgQWBBSiLOzrTcYzG3oUWEka3WbtmeW/GTAN
BgkqhkiG9w0BAQsFAAOCAQEAlsAWjrJy5nI4Y9UOUSDdtyRtf06vNqj3//Q2oECp
qUNwUIv53YOtF6YMsQpZjC1Lg+yfuobkia80fbrKd0CoQaUlEeQWySz4il+p4fy5
JRV+gHK3My7Ox1y1KF/F/GRPDgGcf6H1DA/Sp+0oNd9dH6047pFKedzKJsnRi+1v
CRLv5fssnZ7q1N+Hr4VL1cNBi+Em0aSnQ8ufrj5fd0wKs3H3gMzhot9fNpPTIeUw
Mp4Zysv58CdaKpA0/HHp0VFOiqFsbfkKkxRBvFY/fjV+9d/OrQ9ODyw3K/mTjkQs
cQDq3DzopUGRzng9kBCCUNX2ZH1T89R7A3LuDfCPaIbuqQ==
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
MIIDEjCCAfqgAwIBAgIQG4sbGVbB8pBHa8hjTM5+mTANBgkqhkiG9w0BAQsFADAj
MSEwHwYDVQQDDBhEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMUEwHhcNMTkxMjIzMDE0
OTM3WhcNMzAxMjIzMTI0OTM3WjAjMSEwHwYDVQQDDBhEaWdpQ2VydCBHbG9iYWwg
Um9vdCBHMUEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIuthRYV8K
eYw2MI1BpQUBqZSDSxMiJ90RpubrNxuckeRoA7oMRKSmlCHGw9Y8ke98417e5vLk
/sDmkiBCKVNTSjK92lQlJvmAV5cvMdN/F89c/Du8uT8L71OYnAoqvMbX8bf2I+2n
4LiKwbZRHo7Jhb+9gkI4HlVjt1k+QOPYfmhW0FeGr0FfFIKWIoDLtdKzGw/ugMJM
r6V/Y9w5GMiWkTuxkDgumE8Bl3O3nH0u0Pr9kdnjqnoCrQCvMvuGvGcFG6WqHHs3
cucidQy07C6ROl62DzU3ekQAWJgn/M8eznLbZcnkbE8OBA9x887ZoDyduaJjRO51
P3EWKVqhFTM5AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
AgGGMB0GA1UdDgQWBBSg3/HE6a7XC+eicRVoT4Sxl5nZcjANBgkqhkiG9w0BAQsF
AAOCAQEAYao3xWpDuPNBZxucrIdIFLWSUWthdI1YGTlx3diapWWGAvPHwnrNLNsC
CCEq9TJGpOAhiMK/nZ2H0K2eR++t33Y0LD3SmoEvMNAS9EAJKx12UoAq6U+NIddh
nYjMo+M59IiJ0J4T5WpG7aBJC2DpdSli8JqLE9V0piv74BAAyyXbGhVmnECsO3PI
Lf8A41Jc2vb7SJOflPTsGfKLsL2TexkkkkXJUwx9/tU8cXzwx/2zzxdW4c1zOq0q
essjl9Sf1dFWETM0LXheHoz3ok6vCA7YLma1aHqfgTwJ6lupCrwQcAL4cCXB7636
S+XVXY75c6xuC5CNGHaPVWBuPGL8Xg==
—–END CERTIFICATE—–
No legitimate certificate authority issues website certificates valid for ten years, and the “Digicert” root listed here does not appear to be a legitimate certificate. It seems very likely that either your PC is infected with malware, or there’s an attacker on your network who is performing MITM attacks on the traffic that passes through it.
All of our applications using the domain (lulaloop.co.za) are not working if we’re using a certain wifi network at the office. What could be the issue? Any help would be appreciated.
NET::ERR_CERT_INVALID
Subject: dev-dashboard.lulaloop.co.za
Issuer: Cisco Umbrella Secondary SubCA jnb-SG
The Wifi Network in question is intercepting your network traffic, either for security scanning or because it’s a “Captive Portal” where you have to accept the terms to use the network before you’re allowed to use it. You can tell this because “Cisco Umbrella” is the network device that has this feature and which is doing this to your traffic.
Is it only happening for that domain, or is it happening for all domains. If it’s only that domain, then your network device is probably blocking traffic to that site because either it thinks it’s dangerous or your network admin has decided to block it for whatever reason.
If it happens on ALL HTTPS sites, it’s probably a captive portal. Simply visiting a HTTP page (try http://neverssl.com) should redirect you to the page on the device that will let you use the network.
If it’s not a captive portal and happening on ALL sites, it is decrypting your secure traffic to scan it for viruses or whatever, so you’ll need to talk to the network admin about installing the certificate from the device onto your client browser.
I wrote about Captive Portals here: https://textslashplain.com/2022/06/24/captive-portals/