Linode Forum
Linode Community Forums
Posted: Wed Feb 04, 2015 4:31 am
Senior Newbie

Joined: Sun Jan 04, 2015 10:43 pm
Posts: 9
Hi guys,

I bought a cheap RapidSSL certificate for my domain and I hooked it up in Nodebalancer. All seems to work just fine on my desktop until I brought up the site in Chrome on mobile. I was presented with a "Your connection is not private" message. At the bottom it says "NET::ERR_CERT_AUTHORITY_INVALID". The same thing happens in Firefox as well. After a bit of digging it turns out that mobile browsers seem to handle certificates a bit differently (but I don't fully understand the details of it though).

I've been trying to figure out how I can fix this but I can't seem to find the right information. Could someone please point me in the right direction?

Thanks!


Posted: Wed Feb 04, 2015 8:56 am
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
Did you also install all the intermediate certificates that came with your RapidSSL cert? The error message seems to indicate that you are missing one or more of the intermediate certificates that are required to link your SSL cert with an authority that your browser trusts.


Posted: Wed Feb 04, 2015 4:34 pm
Senior Newbie

Joined: Sun Jan 04, 2015 10:43 pm
Posts: 9
I'm not sure I was supposed to. Maybe I misunderstood the docs. There are two boxes for certificates, one for the service certificate and the other for the private key. In the Nodebalancer reference [1] there is talk about "Chained certificates" but I'm not sure if this applies to me.

The certificate is for a single domain which I guess is the most standard set up. I'm not sure about multiple certificates...

Any help is much appreciated.


Posted: Thu Feb 05, 2015 8:30 am
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
The box for certificates will accept multiple certificates, concatenated ("chained") one after another, like this:

Code:
-----BEGIN CERTIFICATE-----
BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH
BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH
BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH
BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH
BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH
BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH
BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH
-----END CERTIFICATE-----


All cheap certificates nowadays are chained certificates. The browser does not directly trust the certificate for your domain. It is trusted only because it can be chained with another certificate that the browser trusts. Sometimes, the chained certificate itself needs to be chained to yet another certificate, all the way to the "root certificate" that is guaranteed to be trusted by all browsers. The long chain makes it easier for SSL vendors to manage subsidiaries and minimizes damage in case a part of the chain is compromised.

The chain certificates for RapidSSL are available here. (Don't take my word for it, verify it yourself. You should have received the same "certificate bundle" in the confirmation email when you purchased your certificate.)

