Senthil Rajendran's Blog: NET:ERR_CERT_AUTHORITY_INVALID how to troubleshoot with browser and utilities

When accessing Oracle EBS Login URL got the below page. In this post we will see what tools are available that can help to troubleshoot this NET:ERR_CERT_AUTHORITY_INVALID issue and identify the root cause.

Add caption

The first tool is the browser itself. Click the lock icon on the browser bar and view the certificate. Go to the certificate path to verify the authority.

Here you are seeing the missing root/intermediate certificate. The fix is to load the root/intermediate cert and in this case it is Oracle Cloud LBaaS Instance.

But then I got a reply from the LBaaS admin that the root/intermediate certs are loaded. 😏

The browser did not help much so then there are other tools which can help.

curl -- all looks fine with curl. 😐

[oracle@testserver ~]$ curl -vvv https://ebstest.oracleebs122.com

* About to connect() to ebstest.oracleebs122.com port 443 (#0)

* Trying xxx.xx.xx.xxx...

* Connected to ebstest.oracleebs122.com (xxx.xx.xx.xxx) port 443 (#0)

* Initializing NSS with certpath: sql:/etc/pki/nssdb

* CAfile: /etc/pki/tls/certs/ca-bundle.crt

CApath: none

* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

* Server certificate:

* subject: CN=ebstest.oracleebs122.com,O="Test Inc.",L=Test,ST=Test,C=XX

* start date: May 04 19:35:17 2020 GMT

* expire date: May 05 19:35:17 2022 GMT

* common name: ebstest.oracleebs122.com

* issuer: CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BE

> GET / HTTP/1.1

> User-Agent: curl/7.29.0

> Host: ebstest.oracleebs122.com

> Accept: */*

< HTTP/1.1 200 OK

< Date: Tue, 16 Jun 2020 05:42:53 GMT

< Content-Type: text/html

< Content-Length: 1253

< Connection: keep-alive

< Last-Modified: Fri, 12 Jun 2020 18:27:42 GMT

< ETag: "4e5-5a7e73b8e0380"

< Accept-Ranges: bytes

< X-Frame-Options: SAMEORIGIN

< X-Content-Type-Options: nosniff

< Content-Language: en

openssl -- unable to verify the first certificate is reported in openssl. The problem here is CA is GlobalSign but root/intermediate are from DigiCert bundle. This breaks the chain. 😀 we found the probem.

[oracle@testserver ~]$ echo | openssl s_client -servername ebstest.oracleebs122.com -connect ebstest.oracleebs122.com:443 2>/dev/null

CONNECTED(00000003)

---

Certificate chain

0 s:/C=XX/ST=Test/L=Test/O=Test Inc./CN=ebstest.oracleebs122.com

i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018

1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIGxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxx

pswKJkc4L3JRHyajP6zJw

-----END CERTIFICATE-----

subject=/C=XX/ST=Test/L=Test/O=Test Inc./CN=ebstest.oracleebs122.com

issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018

---

No client certificate CA names sent

Peer signing digest: SHA512

Server Temp Key: ECDH, P-256, 256 bits

---

SSL handshake has read 4560 bytes and written 458 bytes

---

New, TLSv1/SSLv3, Cipher is xxxxxxxxxxxxxxxxx

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

Protocol : TLSv1.2

Cipher : xxxxxxxxxxxxxxxxxxxx

Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxx

Session-ID-ctx:

Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxx

Key-Arg : None

Krb5 Principal: None

PSK identity: None

PSK identity hint: None

TLS session ticket lifetime hint: 600 (seconds)

TLS session ticket:

0000 - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Start Time: 1592288126

Timeout : 300 (sec)

Verify return code: 21 (unable to verify the first certificate)

---

[oracle@testserver ~]$

to fix it , Oracle Cloud LBaaS Instance was loaded with the correct root/intermediate certificate.