Add NET::ERR_CERT_AUTHORITY_INVALID and solutions

RebeccaTamachiro · RebeccaTamachiro · commit 47163e55a76b · 2025-01-22T09:56:35.000Z
diff --git a/src/content/docs/ssl/origin-configuration/origin-ca/index.mdx b/src/content/docs/ssl/origin-configuration/origin-ca/index.mdx
@@ -134,4 +134,4 @@ To automate processes involving Origin CA certificates, use the following API ca
 
 ## Troubleshooting
 
-Refer to [Troubleshooting Cloudflare origin CA](/ssl/origin-configuration/origin-ca/troubleshooting/).
+If you find `NET::ERR_CERT_AUTHORITY_INVALID` or other issues after setting up Cloudflare origin CA, refer to [troubleshooting](/ssl/origin-configuration/origin-ca/troubleshooting/).
diff --git a/src/content/docs/ssl/origin-configuration/origin-ca/troubleshooting.mdx b/src/content/docs/ssl/origin-configuration/origin-ca/troubleshooting.mdx
@@ -1,11 +1,24 @@
 ---
 title: Troubleshooting Cloudflare origin CA
 pcx_content_type: troubleshooting
+description: Troubleshoot issues like NET::ERR_CERT_AUTHORITY_INVALID when using Cloudflare origin CA
 sidebar:
   order: 2
   label: Troubleshooting
 ---
 
 import { GlossaryTooltip, Render } from "~/components";
 
-<Render file="origin-ca-pause-error" />
+Consider the following common issues and troubleshooting steps when using [Cloudflare origin CA](/ssl/origin-configuration/origin-ca/).
+
+## NET::ERR_CERT_AUTHORITY_INVALID
+
+### Cause
+<Render file="origin-ca-pause-error" />
+
+This also means that SSL Labs or any other SSL validator are also expected to flag the certificate as invalid.
+
+### Solutions
+
+- Make sure the [proxy status](/dns/manage-dns-records/reference/proxied-dns-records/) of your DNS records and any [page rules](/rules/page-rules/) (if existing) are set up correctly. If so, you can try turning proxy off and then on again and wait a few minutes.
+- If you must have direct connections between clients and your origin server, consider installing a publicly trusted certificate at your origin instead. This process is done outside of Cloudflare, where you should issue the certificate directly from a <GlossaryTooltip term="Certificate Authority (CA)">certificate authority (CA)</GlossaryTooltip> of your choice. You can still use Full (strict) [encryption mode](/ssl/origin-configuration/ssl-modes/), as long as the CA is listed on the [Cloudflare trust store](https://github.com/cloudflare/cfssl_trust).
diff --git a/src/content/partials/ssl/origin-ca-pause-error.mdx b/src/content/partials/ssl/origin-ca-pause-error.mdx
@@ -3,4 +3,6 @@
 
 ---
 
-Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.
+import { GlossaryTooltip } from "~/components";
+
+Site visitors may see untrusted certificate errors if you [pause Cloudflare](/fundamentals/setup/manage-domains/pause-cloudflare/) or <GlossaryTooltip term="proxy status">disable proxying</GlossaryTooltip> on subdomains that use Cloudflare origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.

Original file line number	Diff line number	Diff line change
`@@ -134,4 +134,4 @@ To automate processes involving Origin CA certificates, use the following API ca`
`134`	`134`
`135`	`135`	`## Troubleshooting`
`136`	`136`
`137`		`-Refer to [Troubleshooting Cloudflare origin CA](/ssl/origin-configuration/origin-ca/troubleshooting/).`
	`137`	+If you find `NET::ERR_CERT_AUTHORITY_INVALID` or other issues after setting up Cloudflare origin CA, refer to [troubleshooting](/ssl/origin-configuration/origin-ca/troubleshooting/).