How to Fix ERR_CERT_AUTHORITY_INVALID on GrapheneOS Device

Started by isaacthekind, November 18, 2023, 05:20:50 PM

Yes, so this I did try actually. But it gave me a strange behaviour of appending the port number to any URL I tried to access on my phone. I had set default TCP to 8443, and so if I tried to access google.com it would instead try to access google.com:8443.

I also discovered another thing, which is that if I set the name servers explicitly then I get the same certification error network wide, as I get on my phone.

Not sure if either of those things tells you anything. Currently I'm out of ideas for really specific debugging strategies, and I think I may just need more general knowledge, so I'm reading through OPNsense From Beginner to Professional, and hoping that at some point, maybe after reading the sections on certifications, the answer pops out at me. :p

That sounds like a browser redirection to me. Like if you try to access certain websites without SSL, there is a redirect to https://. OPNsense does this redirect too, if you do not disable it under

    System: Settings: Administration -> "HTTP Redirect"

While you are at it, you could also change the "Listen Interfaces" to LAN only.

I still think that your OPNsense intercepts web traffic via some strange firewall or NAT rules, regardless of whether it is HTTP or HTTPS.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Hey there,

Sorry to disappear for a few days, was just busy with school. So I managed to fix it, but in a somewhat unsatisfying way. I moved my whole network to IPv6. I'm not sure why this fixed it, but it did. I figured since you sort of zeroed in on the NAT rules as a potential cause, maybe a switch to IPv6 would allow me to remove all those rules. I moved to IPv6, deleted all the NAT stuff that I used to need for my Nextcloud web GUI on IPv4, and it magically fixed my GrapheneOS trouble. I would love to know what exactly was going on there, but it may just always be a mystery.

Thank you for pointing me in the right direction, really appreciate all the help.