NET::ERR_CERT_AUTHORITY_INVALID in Chrome not incognito and Firefox locally with valid certs on nginx

2020-02-05 google-chrome ssl nginx

A couple of weeks ago we implemented the SameSite cookie policy for our cookies. If I want to develop locally, I need a certificate to get the cookies.

We're running a Node express server that is reverse proxied through an nginx configuration where we add the cert.

# Server configuration
#
server {
    listen 443;
    server_name test-local.ad.ourdomain.com;
    ssl_certificate           /home/myname/.certs/ourcert.crt;
    ssl_certificate_key       /home/myname/.certs/ourkey.rsa;
    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_pass          http://localhost:9090;
        proxy_read_timeout  90;
        proxy_redirect      http://localhost:9090 https://test-local.ad.ourdomain.com;
    }
}

Now to the weird part. We updated to Chrome 80 today, and all of a sudden I got an HSTS issue. I was unable to access the site even if I wanted to (no opt-in possibility). I tried to clear that inside chrome://internals/#hsts, and that worked. However, I still get NET::ERR_CERT_AUTHORITY_INVALID, but I now have the opt-in alternative.

Accessing it from Chrome Incognito mode works like a charm, no issues there. Same with Firefox, no issues there either. It says the certificate is valid, green and pretty. Checked here as well: https://www.sslshopper.com/certificate-decoder.html and it's 100% green.

I'm running Ubuntu 19.10 using Regolith.

My colleagues are using the same cert, also Chrome 80, but they're running Mac; no issues there in Chrome.

Any idea? I tried to clear Browser settings, no change.

Answers

I have some great news!

We're using the same cert on our cloud dev environments (however, they are in pfx form). Locally I run Linux as mentioned, and I had to convert the pfx to an RSA file and a CRT file.

I entered our dev domain on this site: https://whatsmychaincert.com/ and it downloaded a *.chain.crt file. I combined it with my old crt file using this command:

cat example.com.crt example.com.chain.crt > example.com.chained.crt

In Nginx I then referenced the .chained.crt file.

Now Chrome accepts my local, secure webpage.
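An added check for the bundle that `cat` step produces, not part of the answer above: nginx's ssl_certificate file must list the leaf first, followed by the intermediate(s) that issued it, so a stdlib-only script that walks each certificate's DER and confirms cert[i] was issued by cert[i+1] catches a swapped order before Chrome does. The certificate names, the `fake_cert` builder and the dummy OIDs are constructed for the example; point `check_chain_order` at the contents of your own `.chained.crt` instead.

```python
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def der_children(buf):
    """Split a DER blob into (tag, raw_tlv, content) for each top-level element."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, j = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            n = ln & 0x7F
            ln, j = int.from_bytes(buf[j:j + n], "big"), j + n
        out.append((tag, buf[i:j + ln], buf[j:j + ln]))
        i = j + ln
    return out


def issuer_and_subject(der):
    """Raw DER issuer and subject Names of one certificate (compared byte-for-byte)."""
    tbs = der_children(der_children(der)[0][2])[0][2]     # Certificate -> tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                     # serial, sigAlg, issuer, validity, subject


def check_chain_order(pem_bundle):
    """Problems with a leaf+chain bundle; an empty list means nginx can serve it as-is."""
    certs = [ssl.PEM_cert_to_DER_cert(m) for m in PEM_RE.findall(pem_bundle)]
    if not certs:
        return ["no PEM certificates found"]
    names = [issuer_and_subject(c) for c in certs]
    problems = [f"certificate {n} was not issued by certificate {n + 1}"
                for n, ((issuer, _), (_, nxt_subject)) in enumerate(zip(names, names[1:]))
                if issuer != nxt_subject]
    if names[-1][0] == names[-1][1]:
        problems.append("bundle ends with a self-signed root, which the server need not send")
    return problems


def _der(tag, content):
    return bytes([tag, len(content)]) + content           # short-form length suffices here


def fake_cert(subject, issuer):
    """Constructed stand-in certificate: real X.509 field layout, dummy key and signature."""
    name = lambda s: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, s.encode()))))
    tbs = _der(0x30, b"".join([_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
                               _der(0x30, _der(0x06, b"\x2a\x03")), name(issuer),
                               _der(0x30, b""), name(subject), _der(0x30, b"")]))
    cert = _der(0x30, tbs + _der(0x30, _der(0x06, b"\x2a\x03")) + _der(0x03, b"\x00"))
    return ssl.DER_cert_to_PEM_cert(cert)


if __name__ == "__main__":
    leaf = fake_cert("test-local.ad.ourdomain.com", "Issuing Intermediate CA")
    inter = fake_cert("Issuing Intermediate CA", "Our Root CA")
    print(check_chain_order(leaf + inter))   # [] : leaf first, then its issuer
    print(check_chain_order(inter + leaf))   # the order you get if the cat arguments are swapped
```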

We had the same issue and fixed it following petur's solution.
