Localhost ERR_CERT_AUTHORITY_INVALID: SEC_ERROR_UNKNOWN_ISSUER on any browser

1. The problem I’m having:

I’m getting ERR_CERT_AUTHORITY_INVALID: SEC_ERROR_UNKNOWN_ISSUER on several browsers (Zen Browser, Vivaldi, Firefox; I have not tested others). I killed the browser process and reopened it. Same error.

Running curl -L hello.localhost works fine over HTTPS.

2. Error messages and/or full log output:

On browser:

Error code: SEC_ERROR_UNKNOWN_ISSUER

curl -v -L hello.localhost
*   Trying ::1:80...
* Connected to hello.localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: hello.localhost
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://hello.localhost/
< Server: Caddy
< Date: Thu, 06 Feb 2025 20:15:33 GMT
< Content-Length: 0
< 
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://hello.localhost/'
*   Trying ::1:443...
* Connected to hello.localhost (::1) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: [NONE]
*  start date: Feb  6 16:21:09 2025 GMT
*  expire date: Feb  7 04:21:09 2025 GMT
*  subjectAltName: host "hello.localhost" matched cert's "hello.localhost"
*  issuer: CN=Caddy Local Authority - ECC Intermediate
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x64278784eeb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: hello.localhost
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
< alt-svc: h3=":443"; ma=2592000
< content-type: text/plain; charset=utf-8
< server: Caddy
< content-length: 16
< date: Thu, 06 Feb 2025 20:15:33 GMT
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #1 to host hello.localhost left intact
Caddy is working%       

3. Caddy version:

caddy version
v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

4. How I installed and ran Caddy:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

a. System environment:

Pop!_OS 22.04 LTS x86_64

b. Command:

sudo caddy run --config Caddyfile &
sudo caddy trust
2025/02/06 20:32:27.574	INFO	root certificate is already trusted by system	{"path": "localhost:2019/pki/ca/local"}

c. Service/unit/compose file:

d. My complete Caddy config:

{
        debug
        email carteira@example.com
}

hello.localhost {
        respond "Caddy is working"
}

app.localhost {
        reverse_proxy localhost:5001
}

5. Links to relevant resources:

Not all trust stores are recognized/supported. I don’t think the underlying library has been updated for a while, either. It could just be that you’ll have to manually install Caddy’s root (one-time thing – well, once every 10 years or so).
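One way to see which trust store actually holds Caddy's root, as an added example that is not from this thread or from the Caddy project: it assumes the admin API at localhost:2019 shown above, that openssl is installed, and that certutil (libnss3-tools) is only named for the browser import, not required to run the check.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Caddy project. Fetches the
# local CA chain from Caddy's admin API, picks out the root, and checks whether it
# is in the CA bundle curl verified against (/etc/ssl/certs/ca-certificates.crt).
# "Trusted by system" covers only that bundle; Chromium-family browsers read the
# NSS db in ~/.pki/nssdb and Firefox a per-profile NSS db, so those need an import.
nl='
'

# Run "$2..." once per certificate in PEM file $1 with the block on stdin; print
# the first block for which the command succeeds and return 0, else return 1.
first_cert_where() {
    file=$1; shift
    block=""
    while IFS= read -r line || [ -n "$line" ]; do
        block="$block$line$nl"
        if [ "$line" = "-----END CERTIFICATE-----" ]; then
            if printf '%s' "$block" | "$@"; then printf '%s' "$block"; return 0; fi
            block=""
        fi
    done < "$file"
    return 1
}

fp_of_file()      { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
has_fingerprint() { [ "$(openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)" = "$1" ]; }
is_self_signed() {                     # a root CA's subject equals its issuer
    pem=$(cat)
    [ "$(printf '%s' "$pem" | openssl x509 -noout -subject | cut -d= -f2-)" = \
      "$(printf '%s' "$pem" | openssl x509 -noout -issuer  | cut -d= -f2-)" ]
}
extract_root()    { first_cert_where "$1" is_self_signed; }   # works in any chain order
bundle_has_cert() { first_cert_where "$2" has_fingerprint "$(fp_of_file "$1")" >/dev/null; }

main() {
    bundle=${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}   # the CAfile curl reported
    root=${ROOT_OUT:-./caddy-root.pem}
    chain=$(mktemp)
    curl -s localhost:2019/pki/ca/local/certificates > "$chain"
    extract_root "$chain" > "$root" || { echo "no root certificate in chain"; return 1; }
    echo "Caddy root: $(openssl x509 -in "$root" -noout -subject)"
    if bundle_has_cert "$root" "$bundle"; then
        echo "present in $bundle (this is what curl checks against)"
    else
        echo "MISSING from $bundle: run 'sudo caddy trust'"
    fi
    echo "browser NSS import: certutil -d sql:\$HOME/.pki/nssdb -A -t C,, -n caddy-local -i $root"
    rm -f "$chain"
}
case ${0##*/} in caddy-trust-check.sh) main "$@" ;; esac
```

Save it as caddy-trust-check.sh and run it while Caddy is up; the Firefox-family browsers keep their NSS db inside the profile directory, so point certutil's -d at that directory instead of ~/.pki/nssdb for them.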
