Error reference Browser & network

How to fix ERR_CERT_AUTHORITY_INVALID

ERR_CERT_AUTHORITY_INVALID means the site presented a certificate signed by an authority your device doesn't trust. Either the server's chain is broken, or — more often on proxied and corporate connections — something between you and the site is re-signing your traffic. Here's how to identify the interceptor and repair the trust chain without switching verification off.

ERR_CERT_AUTHORITY_INVALID

What ERR_CERT_AUTHORITY_INVALID means

ERR_CERT_AUTHORITY_INVALID (Chrome network error -202) means the TLS handshake reached the certificate stage and the chain the server presented doesn't end at a root your device trusts. The connection itself worked; the identity check failed. That's different from ERR_SSL_PROTOCOL_ERROR, where the handshake breaks earlier, and from ERR_CERT_DATE_INVALID, where the certificate is expired or your clock is wrong.

There are two families of cause. Server-side: a self-signed certificate, an internal-CA certificate on a public site, or a server sending only the leaf certificate without its intermediates — clients that haven't cached those intermediates can't build the chain. Path-side: something between you and the site is terminating TLS and re-signing traffic with its own CA — corporate SSL inspection, antivirus HTTPS scanning, a captive portal, or a debugging proxy such as mitmproxy.

The issuer name on the certificate you actually received is the giveaway. Click the padlock (or use openssl) and see who signed it: a public CA points to a genuine chain problem on the server; an antivirus vendor, your employer, or an unknown name means the connection is being intercepted at that layer.

ERR_CERT_AUTHORITY_INVALID

Fix ERR_CERT_AUTHORITY_INVALID step by step

First identify whose certificate you're being served, then fix the trust chain on the correct side. Don't start by disabling verification — that hides the evidence and the protection at the same time.

  1. Inspect the certificate issuer: click the padlock in the browser, or run openssl s_client -connect example.com:443 -showcerts. An issuer that isn't a public CA means something in the path is re-signing traffic.
  2. Try a different network. Captive portals on hotel, airport, and cafe Wi-Fi intercept HTTPS until you complete their login page.
  3. Check the system date and time — a badly wrong clock makes otherwise valid chains unverifiable.
  4. Temporarily disable antivirus HTTPS scanning. If the error disappears, either add the product's root CA to the affected tool or leave scanning off for that workflow.
  5. On a corporate device, install your organization's root CA into the trust store of the specific tool you're using — Python and Node ship their own CA bundles and ignore the OS store (REQUESTS_CA_BUNDLE, NODE_EXTRA_CA_CERTS).
  6. If it's your own site, serve the full chain — leaf plus intermediates, e.g. fullchain.pem — since a missing intermediate fails on fresh clients while looking fine on machines that cached it.
  7. Update the OS and browser: outdated root stores reject sites signed by newer authorities.
  8. If you're deliberately running an intercepting debug proxy, install that tool's CA into the client under test — and remove it when you're done.
ERR_CERT_AUTHORITY_INVALID

What a proxy should — and shouldn't — do to your TLS

A standard forward proxy carries HTTPS through a CONNECT tunnel: it relays encrypted bytes between you and the site without terminating TLS, so the certificate you receive comes from the origin server, unaltered. ProxyOmega works this way — enabling the proxy should not change which certificate your client sees on any site.

So when ERR_CERT_AUTHORITY_INVALID appears only with a proxy in the path, the culprit is usually a TLS-inspecting layer stacked on top of it: antivirus filtering the proxied connection, a corporate inspection appliance, or a debugging tool left in intercept mode. A proxy service whose own certificate shows up on arbitrary websites is decrypting your traffic — that's a reason to stop using it, not to click through the warning.

Certificates should come from the origin

Through a CONNECT tunnel, the proxy moves ciphertext it can't read. Verify it yourself: browse to a known site through the proxy and confirm the certificate issuer is that site's normal public CA. If it is, the proxy is behaving correctly and the trust problem lives elsewhere in your stack.

Trust stores are per-tool, not per-machine

A CA installed for your browser doesn't cover Python's requests (which uses certifi) or Node. If your scraper throws certificate errors while the browser is happy, point the tool at the right bundle with REQUESTS_CA_BUNDLE or NODE_EXTRA_CA_CERTS instead of switching verification off. Working configs for common stacks are in our guides under /integration/.

Keep verification on in production

verify=False makes every interception invisible, and it tends to escape from quick tests into deployed code. Fix the chain or the trust store instead.

If you must make an exception during local debugging, scope it to a single host and remove it before shipping.

ERR_CERT_AUTHORITY_INVALID

Verified TLS through a proxy

A correctly tunneled request keeps certificate verification enabled and still succeeds, because the certificate arrives from the origin site untouched. If this exact pattern fails with a certificate error, inspect the issuer — something on your machine or network is intercepting the connection.

import certifi
import requests

PROXY = "http://USERNAME:[email protected]:10000"

resp = requests.get(
    "https://httpbin.org/ip",
    proxies={"http": PROXY, "https": PROXY},
    verify=certifi.where(),  # verification stays ON - TLS is end to end
    timeout=30,
)
print(resp.status_code, resp.json())
FAQ

Frequently asked questions

Why does ERR_CERT_AUTHORITY_INVALID appear only when my proxy is enabled?
A plain forwarding proxy relays TLS end to end, so it can't change the certificate you receive. When the error tracks the proxy, something is intercepting the proxied connection — antivirus HTTPS scanning, a corporate inspection device, or a debugging tool in intercept mode. Check the certificate's issuer to identify it; if a proxy service's own certificate appears on ordinary websites, stop using that service.
Is it safe to click 'Proceed anyway' or set verify=False?
For anything that matters — logins, payments, production scrapers — no. Skipping verification means you can no longer tell whether you're talking to the real site or to whatever is intercepting the connection. It's tolerable briefly against a host you control during local development; the durable fix is repairing the certificate chain or adding the correct CA to the right trust store.
How do I find out which CA signed the certificate I'm being served?
In a browser, click the padlock and open the certificate details; the Issuer field names the signer. From a terminal, openssl s_client -connect example.com:443 -showcerts prints the full chain. A public CA name means a genuine chain problem on the server; an antivirus vendor, employer, or unknown name means the connection is being intercepted.
Visitors see this error on my own website — what's wrong?
The usual cause is serving only the leaf certificate without its intermediates. Browsers that have cached the intermediate build the chain anyway, so the site looks fine on your machine while failing on fresh devices. Configure the server to send the full chain — with Let's Encrypt, use fullchain.pem rather than cert.pem — then retest with an online SSL checker.

Your certificates, untouched. Start routing today.

ProxyOmega tunnels TLS end to end — the certificate your client verifies comes straight from the origin site, with verification left on.

ProxyOmega ProxyOmega

90M+ ethically-sourced IPs across 200+ countries and 30,000+ cities. Residential, mobile, ISP and IPv6 proxies for scraping and AI agents.

GDPRCCPA
Product
Premium Unlimited Budget Unlimited Residential / ISP Mobile IPv6 Chrome Extension
Solutions
Web scraping AI agents Price monitoring SERP & SEO Integrations All use cases
Resources
Glossary Error codes Free tools Proxies by platform Locations
Company
About Blog Docs Reseller program Affiliate Contact Sign in
© 2026 ProxyOmega Ltd. All rights reserved.