Skip to main content

ERR_CERT_AUTHORITY_INVALID behind corporate firewall or proxy

Updated by Tim Rabbetts on
cyberspace, data, wire

I got this message while working on a virtual box VM for a large corporation.

Your connection is not private
Attackers might be trying to steal your information from www.google.com (for example, passwords, messages or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID

Help improve Safe Browsing by sending some system information and page content to Google. Privacy Policy

www.google.com normally uses encryption to protect your information. When Google Chrome tried to connect to www.google.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.google.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit www.google.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

This happened because the certificate on my work proxy was updated every 3 months.  Windows host was fine as that was managed by the company but my linux VM was not so happy.  I needed to get the valid certificate for the certficate authority off my windows host and into my linux vm, here is how I did it.

  1. Load a webpage in chrome on the windows host, right click the lock icon next to url bar and inspect the valid certificate, should be able to see which certficate authority is being used.
  2. Run the Certmgr.msc in the root certificate authority section find the server, right clikc and export the certificate.  Export base 64 and save as bla.crt.
  3. Using viretual box shared folderes get this file into your VM.
  4. Copy bla.crt to /usr/local/share/ca-certificates/bla.crt.
  5. Run this: sudo update-ca-certificates
  6. That should sort it from command line, then you need to go into chrome in VM settings, find the manage certificates section, import that certificate in the authority tab, then chrome will work again.

Took me ages to figure this lot out, hope it helps someone!

Add new comment