
Fix: X509: Certificate signed by unknown authority


As amazing as it is, the internet can also often be dangerous. That’s why we have security certificates in place that differentiate safe websites from unsafe ones. However, installing these SSL certificates isn’t always easy, and they have problems that can leave you scratching your head.

In this article, we’re talking about the “X509: Certificate signed by unknown authority” error, its causes and what you can do to fix the problem.



What causes the “X509: Certificate signed by unknown authority” error?

The error usually appears when a website or service enables HTTPS with a self-signed certificate instead of one signed by a trusted certificate authority (CA). Other causes include:

  • The CA certificate isn’t valid
  • The authorising body doesn’t recognise your CA

How to fix the “X509: Certificate signed by unknown authority” error?

You can try the following four fixes. 

Get a reliable SSL certificate

If you’re getting your certificates from a not-so-popular issuing authority or signing them yourself, chances are your SSL certificate is at fault. We recommend using Let’s Encrypt or ZeroSSL to get SSL certificates that don’t cause such problems.


Update your TLS version

If your web server uses an older version of TLS, you need to upgrade your TLS/SSL library to support the latest standard. Your hosting provider should do this automatically, but if you still see the error, updating the library manually shouldn’t be too much of a hassle.

You will need to contact your hosting provider for the exact steps. 


Use HTTPS

If you’re using HTTP to connect to the server, try switching it to HTTPS. Currently, most SSL certificates don’t allow HTTP as it’s less secure and more prone to attacks.


For self-signed applications

If you’re using a certificate for your REST applications, make sure you place the .CRT certificate file in the following directory.

/usr/share/ca-certificates

Once done, edit the /etc/ca-certificates.conf file and add your certificate’s file name. Last but not least, apply the change by running the following command.

sudo update-ca-certificates
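
Why this last fix works, as an added example (not code from the original article): the error text is the message Go's crypto/x509 package returns when a certificate does not chain to any trusted root. The program below verifies a constructed self-signed certificate first with no trusted roots and then with that certificate added as a root; the host name api.internal.example and the helper names selfSigned and verify are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned returns a constructed (sample) certificate that signs itself.
func selfSigned(host string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	// Template and parent are the same, so no CA is involved in the signature.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify validates cert for host against only the given trusted roots.
func verify(cert *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool() // starts empty; the system store is not consulted
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	cert, err := selfSigned("api.internal.example") // hypothetical host name
	if err != nil {
		panic(err)
	}
	fmt.Println("no trusted roots:", verify(cert, "api.internal.example"))
	fmt.Println("cert added as root:", verify(cert, "api.internal.example", cert))
}
```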


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.