Bojan Dolenc

NET::ERR_CERT_AUTHORITY_INVALID

For the past few weeks I have been getting the NET::ERR_CERT_AUTHORITY_INVALID error in Chrome and Internet Explorer when visiting any https website (http works). On Firefox it all works great (no problems with https). I am using the latest versions of all browsers and Windows 10, and so far I have tried:

- Synchronizing time and date
- Downloaded and installed https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt
- Remove all certs from "Intermediate Certification Authorities" and import certs from another computer which doesn't have this problem
- Checked that no proxy is active in Internet options
- Disable antivirus/security (COMODO internet security Premium 10)
- Restart computer and router/modem
- Using computer at another location (in another city)

None of those worked, so I am now stuck since I can't find any other solution.

The strangest thing is that yesterday, when I hadn't made any changes, https sites on Chrome started working for a few hours; today, when I started the computer again, it doesn't work, so I really don't know what the problem is (I suspect COMODO may be blocking something, so maybe I will uninstall it, but it's strange since I disabled it and it didn't help).

Here are some images of the problem:

https://ibb.co/eBmDXF
https://ibb.co/gTHgKv
https://ibb.co/e4zHsF
https://ibb.co/nBxsRa
https://ibb.co/dhGVCF
https://ibb.co/cgK6ma
Usman Afzal

McKnife
This can happen if someone chooses to enable the following GPO:
Computer configuration - System/Internet Communication Management/Internet Communication settings - Turn off Automatic Root Certificates Update

Please verify that it is not enabled.
Bojan Dolenc

ASKER

Usman Afzal; I cleared the cache and it's the same.

McKnife; I can't open GPO, I am using Windows 10 Home.
1-Remove unnecessary Chrome extensions
2-Clear SSL Certificate Cache
3-Open CMD and run these commands

ipconfig /release
ipconfig /renew
ipconfig /flushdns
Usman Afzal; done that and none of this works.

I write again, https works in Firefox, just not on Chrome and Internet Explorer (so those commands are probably useless in any case and removing extensions is pointless because IE has nothing to do with Chrome's extensions).
"McKnife; I can't open GPO, I am using Windows 10 Home." - then check the corresponding registry key
HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot ->DisableRootAutoUpdate should not have the value 1.
McKnife; I didn't have DisableRootAutoUpdate at HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot, so I created one and set it to 1, but error still remains.
I have now uninstalled COMODO internet security Premium 10 and disabled Windows Firewall and Antivirus and restarted computer but I still get ERR_CERT_AUTHORITY_INVALID on Chrome and Internet Explorer (but on Firefox and Opera it works) when opening https pages.
I wrote "DisableRootAutoUpdate should not have the value 1"
You did set it to 1. That's bad. Just delete the value, please.
Oh OK. I have also set it to 0, but it's the same, so I just deleted those values.
Chrome and IE share the Windows credential store; Firefox and Opera use their own credential stores.
You might want to update your root certificate store: https://support.microsoft.com/en-us/help/3004394/support-for-urgent-trusted-root-updates-for-windows-root-certificate-p
David; is there any tutorial on how to update the root certificate store in Windows 10 Home?
Download and run the item that I gave the link to.
There is no download for Windows 10; the latest is for Windows 8.1.
Dude,

Short Solution, Just reinstall it :)
Usman, I don't know how to reinstall it on Win 10 Home.
This is your solution to cert problem? Reinstall Windows? I won't even comment further to such "expert"...
I am Human and might be wrong, so Please wait for some "Expert" to answer :)


Cheers,
A bit more information - I still haven't fixed this problem, but I have created a new account and on that account all works normally, so I exported all certificates (from mmc) and then on my main account I deleted all and used those, but I still have the same error. Also, if I delete all, Windows reinstalls them, but still it doesn't work. Looks like there's no solution, so before I move to another account I will try to contact MS support since no one here knows what to do and hopefully they will know a bit more.
I contacted Microsoft support and we came to the conclusion that there is no solution and the best thing to do is to create a new user account and just copy C:\Users\Account1 to C:\Users\Account2. I will try this now and I hope all my settings stay the same and that the cert problem will not appear again...
Wow!! This is their solution to the cert problem? They are Experts? Right? :)
Technical support never had real experts :) They are just operators using the FAQ on their system. I was hoping they had something more there to try, but it looks like they don't. So for now I will try with a new profile, since it will take less time to adjust everything (if I even have to adjust anything after copying user files) than I would spend on getting some expert who would find out the solution and the reason why this happened.
Well, I have now copied all my user files to the new user and, just like I thought, the problem appears again in the new account. Which is logical: if the user files are corrupt, then why would I copy them... Now I can play and delete files one by one and maybe I will find the cause of this problem.
You must not copy all files. If you copy ntuser.dat, all settings will be copied, including the corrupt ones. Leave that out, as well as the certificate stores for the user.
Well... that doesn't help either... :(  When I create new user Chrome works again - but only until I open Internet explorer, then no more. So making new user doesn't help, will have to find cause of this...
After opening IE, things change? That is strange.
Yes. If I only use Chrome when creating new account it works, it opens all https sites. But when I open IE, there I immediately get "This site is not secure" and when I open Chrome after that I no longer can open any https site. So I guess when IE is launched certificates or something is copied to Chrome, I don't know how that works. oO
I now had someone from Microsoft support on my remote desktop and he was trying lots of stuff (including disabling all 3rd party services so that there's no other app which could block anything) and the problem still remains. He then suggested doing system restore which we did (to about 3 weeks ago), but it did not help. I guess I really will have to reinstall Windows because of this problem. oO
much appreciated if you accept my comment as answer :)
Usman, we had this even on clean systems (just installed). As soon as joined to the domain, they had it: not a single https site worked. Reason: we had a GPO block root certificate updates. But in this case, it does not seem to be the reason.
However, you should perform a Windows update and enable optional updates and see whether certificate updates have been among the installed updates.
Sir,

We can Tweak windows once it's connected to Domain Server. Windows update will work only on Patches or security update.
Windows update might work.

Dear,

Do me a favor and just install Mozilla Firefox.
Then go to Preferences >> Advanced >> Certificates

Uncheck

 "Query OCSP responder server to confirm the current validity of certificate"


Then check and reply back
As David said in https:#a42244926, IE and Chrome share the same certificate and credential store. IE seems to modify the root CAs, trustworthiness etc., and that then changes what Chrome can use. I assume the change has to do with the corresponding settings in Internet Options » Advanced » Security.
Usman, if I do that on Firefox, Firefox still works normally.

Qlemo, but how do I modify those CAs? If we are talking about RUN -> mmc -> Certificates -> Trusted Root Certification Authorities, then as I already wrote, I removed all there and waited for Windows to automatically make new ones and it didn't help. I also deleted those and imported new ones from another computer and as well it didn't work.
You would have to look at what is there as CA setup with a new profile, and what is changed after starting IE. If certificates are the issue, that is.
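
Added example, not part of the thread or any poster's code: one way to do the before/after comparison suggested above, together with the DisableRootAutoUpdate policy check mentioned earlier. It snapshots the certificate stores that Chrome and IE rely on in a fresh profile, waits while IE is started once, and lists every certificate that was added or removed. The snapshot directory, file names and function names are assumptions made for this example.

```powershell
# Added diagnostic example; run in Windows PowerShell inside the fresh user profile.
# $SnapshotDir and the snapshot names are hypothetical, chosen for this example.
$SnapshotDir = Join-Path $env:TEMP 'certstore-diff'
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

# Per-user and machine-wide roots, intermediates, and explicitly distrusted certificates.
$Stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA', 'Cert:\CurrentUser\Disallowed',
          'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Disallowed'

function Save-CertSnapshot {
    param([Parameter(Mandatory)][string]$Name)
    $rows = foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter.ToString('u')
            }
        }
    }
    $path = Join-Path $SnapshotDir "$Name.csv"
    $rows | Export-Csv -Path $path -NoTypeInformation
    return $path
}

function Compare-CertSnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    # A certificate counts as changed when its (store, thumbprint) pair exists on one side only.
    Compare-Object (Import-Csv $Before) (Import-Csv $After) -Property Store, Thumbprint -PassThru |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      Store, Thumbprint, Subject, Issuer, NotAfter
}

# Policy check from the thread: the value should be absent, or at least not 1.
$policy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot' `
              -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy.DisableRootAutoUpdate -eq 1) { 'Root auto-update is disabled by policy' }
else { 'DisableRootAutoUpdate is absent or not 1' }

# Snapshot, start IE once, snapshot again, then list what changed.
$before = Save-CertSnapshot -Name 'before-ie'
Read-Host 'Open Internet Explorer, load an https page, close it, then press Enter' | Out-Null
$after = Save-CertSnapshot -Name 'after-ie'
Compare-CertSnapshot -Before $before -After $after | Format-Table -AutoSize
```

An entry reported as added under a Root or Disallowed store, or removed from Root, is the place to start looking; an empty result means the stores did not change and the cause lies elsewhere.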
ASKER CERTIFIED SOLUTION
Bojan Dolenc
This is the only solution unless I wanted to waste even more time and destroy even more things while trying to get this fixed.