Connection not private / SSL errors
retroep.com serves a valid public TLS certificate (Let's Encrypt, RSA 2048). The live chain cross-signs to ISRG Root X1 (the widely trusted anchor in Windows, macOS, Firefox, and Chrome). Hostnames: retroep.com, www.retroep.com.
Why Chrome shows NET::ERR_CERT_AUTHORITY_INVALID
On managed corporate PCs this error is usually not a server misconfiguration. Common causes:
- HTTPS inspection (SSL/TLS proxy) — Zscaler, Netskope, Fortinet, Palo Alto, Infoblox, Blue Coat, etc. replace the site certificate with a corporate one. If the corporate root CA is not installed on the device, Chrome rejects the connection.
- Firewall chain limits — some appliances mishandle Let's Encrypt's 3-certificate chain (leaf → YR1 → Root YR → ISRG Root X1). Ask IT to update firmware or bypass inspection for this host.
- Outdated trust store — rare on patched Windows 10/11; more common on locked-down Linux images without current CA bundles.
Quick test (takes 2 minutes)
- Open https://retroep.com/ on mobile data (not office Wi‑Fi).
- If it loads on mobile but fails on the office network → corporate proxy/inspection is the cause.
- Also try the Let's Encrypt ISRG Root X1 test site. If that fails too, the device trust store or proxy is blocking Let's Encrypt generally.
What to send your IT / security team
- Whitelist (no SSL inspection): retroep.com, www.retroep.com
- Protocol: HTTPS only, TCP 443 outbound
- App type: static SPA + same-origin JSON API at /api/room.php (no third-party trackers)
- Security headers: HSTS preload, CSP default-src 'self', frame-ancestors 'none', COOP/CORP same-origin
- Certificate issuer: Let's Encrypt (CN=YR1) → ISRG Root X1 cross-sign
- Policy page: /.well-known/security.txt
- IT allowlist (domains, ports, CSP): /network-help/it-allowlist/
What you can do locally
- Install your organization's root CA certificate (common on domain-joined PCs).
- Ask IT for an SSL inspection bypass for retroep.com.
- Use a browser profile without the corporate proxy extension, if policy allows.
Verify our certificate (openssl)
openssl s_client -connect retroep.com:443 -servername retroep.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Expected: subject=CN=retroep.com, issuer contains Let's Encrypt.
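Added example (not RetroEP's own tooling): a shell helper that turns the subject/issuer output of the openssl command above into a verdict, separating a direct Let's Encrypt certificate from one re-signed by an inspection proxy. The function names, verdict labels and sample certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helper, not part of RetroEP. Reads the output of
# `openssl x509 -noout -subject -issuer` on stdin and prints one verdict:
#   direct       subject matches and issuer contains "Let's Encrypt"
#   intercepted  subject matches but another CA issued it (TLS inspection)
#   wrong-host   certificate is for another name (block page, captive portal)
#   no-cert      nothing parseable (connection reset or blocked)
# Matching the issuer string is triage only; it is not chain validation.
classify_cert() {
    expected_cn=$1
    input=$(cat)
    # OpenSSL prints "CN = x" or "CN=x" depending on version; normalise.
    subject=$(printf '%s\n' "$input" | sed -n 's/^subject= *//p' | sed 's/ *= */=/g')
    issuer=$(printf '%s\n' "$input" | sed -n 's/^issuer= *//p' | sed 's/ *= */=/g')
    if [ -z "$subject" ] || [ -z "$issuer" ]; then
        echo no-cert
        return 0
    fi
    case $subject in
        *"CN=$expected_cn" | *"CN=$expected_cn",* | *"CN=$expected_cn"/*) ;;
        *) echo wrong-host; return 0 ;;
    esac
    case $issuer in
        *"Let's Encrypt"*) echo direct ;;
        *) echo intercepted ;;
    esac
}

# Live check: same openssl pipeline as on this page, fed into the classifier.
check_live() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer 2>/dev/null | classify_cert "$1"
}

# Constructed samples (the inspection CA name is made up for illustration).
SAMPLE_DIRECT="subject=CN = retroep.com
issuer=C = US, O = Let's Encrypt, CN = YR1"
SAMPLE_PROXY="subject=CN = retroep.com
issuer=O = Example Corp, CN = Example Corp TLS Inspection CA"
SAMPLE_BLOCK="subject=CN = blockpage.example.internal
issuer=O = Example Corp, CN = Example Corp TLS Inspection CA"

if [ "${1:-}" = "--samples" ]; then
    for s in "$SAMPLE_DIRECT" "$SAMPLE_PROXY" "$SAMPLE_BLOCK" ""; do
        printf '%s\n' "$s" | classify_cert retroep.com
    done
fi
```

Run the script with --samples to classify the constructed inputs, or source it and call check_live retroep.com on the affected workstation; an "intercepted" verdict is the evidence to attach to the IT request.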
Still blocked?
Share this page URL with IT. RetroEP is a client-side retrospective board; no special ports beyond HTTPS (443). If inspection cannot be disabled, installing the corporate root CA on the workstation is the standard fix.