I have set up a self-signed CA in a development environment and have issued a server certificate to a test website.

The issue I'm having is that the certificate is being rejected by the browser with NET::ERR_CERT_INVALID.

This only happens with Chrome or Opera in Linux (openSUSE Leap 15.2). I've tested the same site on Windows 10 with Chrome/Firefox/Edge/Internet Explorer/Opera - all of them are successful. In Windows the CA was imported into the Trusted Roots for the User (perhaps there is something similar on Linux?).

On Linux only Firefox works, Chrome and Opera fail with the same error. Unfortunately Linux is the desktop used most.

To debug the issue I started a Wireshark trace whilst connecting to the site; what I'm seeing is a Certificate Unknown (46) error.

[Image: Wireshark trace]

I'm really not sure what can be causing this and so specifically with Chrome/Opera on Linux.

The server side is NGINX and the certificates are configured as follows:

ssl_certificate      /etc/nginx/pki/server.crt;
ssl_certificate_key  /etc/nginx/pki/server.key;

Where server.crt is a concatenation of the server cert and the CA cert (server first).

Any ideas what's causing this or what I can do next to debug further?

Aditya K

1 Answer

In Windows the CA was imported into the Trusted Roots for the User (perhaps there is something similar on Linux?)

Yes, there is. The method varies by distribution, but you'll want to add your self-signed CA to the appropriate directory and run the appropriate update script. Here's an answer which outlines both Debian-ish and RedHat methods for adding a CA.

gowenfawr
  • This link only addresses the CA as used by tools like curl. Chrome and Firefox have IMHO their own CA stores, thus adding the certificate to the system CA store will not help. – Steffen Ullrich Mar 25 '21 at 05:28
  • Firefox still uses their own CA store; however Chrome and Opera have both shifted to using the system store for their certs. – gowenfawr Mar 25 '21 at 15:03
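
One way to rule out the server side before changing any trust store, given as an added example that is not part of the original question or answer: it checks that the first certificate in an nginx-style bundle (server first, then CA, as in the question) matches the private key and verifies against the CA you intend to import. The function names, the demo directory and the certificate subjects are constructed for illustration, and it assumes the OpenSSL 1.1.0 or later command-line tool.

```sh
#!/bin/sh
# Added example. All names and paths are constructed for the demo.

# Build a throwaway CA and server certificate so the check runs offline.
make_demo_pki() {  # $1 = empty working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Dev CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=test.example" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
  # Same layout as the question: server certificate first, then the CA.
  cat "$1/leaf.crt" "$1/ca.crt" > "$1/server.crt"
}

# Prints "ok" and returns 0, or explains the failure and returns non-zero.
check_bundle() {  # $1 = bundle, $2 = private key, $3 = CA certificate
  # openssl x509 reads only the first PEM block, the one nginx pairs with the key.
  cb_cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  cb_key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  if [ "$cb_cert_pub" != "$cb_key_pub" ]; then
    echo "first certificate in bundle does not match the key"; return 3
  fi
  # Trust only the given CA: -no-CApath keeps the system directory out of it.
  if ! openssl verify -no-CApath -CAfile "$3" "$1" >/dev/null 2>&1; then
    echo "server certificate does not verify against this CA"; return 4
  fi
  echo "ok"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_bundle "$demo_dir/server.crt" "$demo_dir/server.key" "$demo_dir/ca.crt"
```

If this passes for the real bundle and CA file, the server side is consistent and the remaining question is which trust store the failing browser consults.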