SSL Certificate: NET::ERR_CERT_AUTHORITY_INVALID


I have a Laravel application hosted on AWS. I use EC2, S3, RDS and Route53 for the whole application.

When I needed an SSL certificate for my application, I chose to use the Certificate Manager service offered by Amazon. I need my application to point to a subdomain of the main domain. Ex: dashboard.mydomain.com, so I requested the SSL for this subdomain. Everything worked fine.

After a while, some users can't access the application from some devices, getting the following error:

NET::ERR_CERT_AUTHORITY_INVALID (Server's certificate is not trusted).

How could I fix this error to confirm that the application is secure and can be accessed from any device and internet connection?

1

There is 1 answer

1
Raman On

Given the additional information you provided in the comments, the domain is app.okeymenu.com.

I'm not seeing any obvious issue with your SSL setup that would cause certificate trust issues.

Another possibility is that you had a misconfigured DNS at some point, and the clients in question are using a cached DNS entry, and therefore connecting to the wrong server. If that's the case, the problem should resolve itself after the TTL for the incorrect entries expires on those devices.

Another possibility is that your server-side SSL termination was temporarily mishandled or misdirected.

To validate your SSL setup and check for vulnerabilities, you may use various online SSL check tools. My favorite is the Qualys SSL Labs test: https://www.ssllabs.com/ssltest/, but Googling will find you others as well.

You can also use CLI tools from your own box, like openssl s_client to inspect the server's certificates, and https://testssl.sh/ which is a script that will produce a lot of useful output detailing the SSL setup of your server, including whether the settings are valid for various sets of clients (currently, your setup is showing as compatible for all tested clients) and showing your server's stance against various known vulnerabilities (you have a few issues here, most of which will be mitigated by disabling TLS < 1.2 if you don't need to support very old clients).
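An added example, not part of the answer above: a small shell function that condenses `openssl s_client` output into the chain the server actually sent and OpenSSL's final verification result, so the same check can be run from a working network and from an affected one and the two summaries compared. The function name, the sample output and the dashboard.example.com names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin and reports:
#   - each certificate the server sent (subject and issuer)
#   - a warning when the next certificate sent is not that issuer
#   - how many certificates were sent and the final verify return code
chain_report() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
    /Verify return code:/      { sub(/^.*Verify return code: */, ""); verify = $0 }
    END {
      for (k = 0; k < n; k++) {
        printf "cert %d: %s\n  issued by: %s\n", k, subj[k], iss[k]
        if (k + 1 < n && iss[k] != subj[k + 1])
          print "  WARNING: next certificate sent is not this issuer"
      }
      printf "certs_sent=%d verify=%s\n", n, (verify == "" ? "unknown" : verify)
    }'
}

# Constructed sample of s_client output (not captured from a real server):
# the server sends only its own certificate and verification fails.
SAMPLE_S_CLIENT='CONNECTED(00000003)
depth=0 CN = dashboard.example.com
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = dashboard.example.com
   i:C = US, O = Example Trust, CN = Example Issuing CA 1
---
SSL handshake has read 1840 bytes and written 392 bytes
    Verify return code: 21 (unable to verify the first certificate)
---'

printf '%s\n' "$SAMPLE_S_CLIENT" | chain_report

# Against a live host (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | chain_report
```

If the summary differs between two networks for the same hostname, the clients are not reaching the same endpoint, which is the stale-DNS case the answer describes.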