mkcert: "NET::ERR_CERT_AUTHORITY_INVALID" in Chrome on macOS

My computer is running macOS version “10.14.5 (18F132)”. I’m testing in Chrome version “75.0.3770.142 (Official Build) (64-bit)”. Chrome was updated recently, i.e. yesterday, from an unknown earlier version (though fairly recent, I think).

Several days ago mkcert seemed to be working as expected. Today I get the error mentioned in the title.

I was able to get it working again by manually adding the certificate to my “login” “Certificates” in the Keychain Access app by following the steps in this answer to the following Super User question:

This might be related to this recently opened issue:

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 18
  • Comments: 29 (3 by maintainers)

Most upvoted comments

Fixed the issue! The problem was I had never run mkcert -install locally on my Windows terminal before creating the cert files.

I had the same error, then tried all over again and it worked. It turned out the first time I created the certs (mkcert mydomain.com xxx) with sudo (which obviously did not find the CA).

I use nginx in WSL2 locally. Got the same error. It is fixed when:

  • install mkcert on Windows (PowerShell)
  • mkcert -install (PowerShell)
  • mkcert example.com (PowerShell)
  • copy certs from Windows into WSL and use them in nginx

@CodyEddings that command solves my problem on Windows, thanks.

@wkdcode-liam run it on the command prompt. If you are using Docker, don’t generate the certs on the container; generate them on your local OS and use a volume to mount the certificates on the container.

@FiloSottile - I am also having this issue on Ubuntu 16.04. I’ve tried doing the above, but maybe I’m doing something wrong since I might not be using it for its intended purpose. Essentially, I have a NUC that I use as a server, and I have my laptop. I am not exposing any of this to the internet. It is entirely on my local network, so I don’t see a reason to use an actual CA unless necessary. Do I need to configure something on my laptop for it to work as well? I figured it would be up to the nuc/traefik to handle that.

Edit: Yes, I did need to manually copy the store over to my laptop in order to “trust” it. This was the piece that was missing for me. This use case wasn’t clear from the documentation.

Hello,

I found my problem. It was not related to mkcert but to Traefik. The generated certificates were not loaded into Traefik configuration.

I smelled the problem when seeing that the invalid certificate name was “TREAFIK DEFAULT CERTIFICATE”.

Apologies @rfay, turned out that I wasn’t mounting the newly created certificates into my container, it was using the certificates from a previous install. Once I spotted that the serial number on the certificate didn’t match I knew where the issue was.

Cheers for the prompt reply 😃
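An added example (not part of the thread and not mkcert's own code) that separates the causes reported in the comments above: a proxy or container serving a different certificate than the one generated, and a certificate signed by a different root than the one the client trusts (the sudo case). The function names are assumptions made for illustration, and the script needs the openssl CLI.

```shell
#!/bin/sh
# Added example: tell apart the failure modes reported in this thread.
# All file arguments are PEM certificates.

# SHA-256 fingerprint of a certificate file (hex, colon-separated).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Serial number of a certificate file, as printed by openssl.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Save the leaf certificate that host $1 (port $2) presents into file $3.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# diagnose SERVED EXPECTED ROOT_CA
# Prints one word and returns non-zero unless everything lines up:
#   wrong-cert-served  the server presents a different certificate than the
#                      generated one (stale mount, proxy default certificate)
#   wrong-ca           the generated certificate was not signed by this root
#                      (for example, created under another user's CAROOT)
#   ok                 served == generated, and it chains to this root
diagnose() {
    served=$1 expected=$2 root=$3
    if [ "$(cert_fingerprint "$served")" != "$(cert_fingerprint "$expected")" ]; then
        echo wrong-cert-served
        return 1
    fi
    if ! openssl verify -CAfile "$root" "$expected" >/dev/null 2>&1; then
        echo wrong-ca
        return 2
    fi
    echo ok
}
```

For mkcert, ROOT_CA is `"$(mkcert -CAROOT)/rootCA.pem"`, read as the same user on the machine whose browser shows the error. If `diagnose` prints `ok` and the browser still rejects the certificate, that root is not in the client's trust store, which is what `mkcert -install` on that machine addresses.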

@rfay sorry, my fault: I changed laptops and I forgot to install libnss3-tools.