SSL Certificate Errors Explained
A guide to understanding and fixing common SSL/HTTPS certificate errors.
Common Browser Warnings
"Your connection is not private" (Chrome)
Error code: NET::ERR_CERT_AUTHORITY_INVALID or similar
Possible causes:
- Certificate is self-signed
- Certificate is from an untrusted CA
- Certificate chain is incomplete
"This Connection Is Not Private" (Safari)
Possible causes:
- Certificate expired
- Certificate doesn't match domain
- Untrusted certificate authority
"Warning: Potential Security Risk Ahead" (Firefox)
Error codes:
- SEC_ERROR_EXPIRED_CERTIFICATE - Certificate expired
- SEC_ERROR_UNKNOWN_ISSUER - Untrusted CA
- SSL_ERROR_BAD_CERT_DOMAIN - Wrong domain
Error Types and Solutions
1. Certificate Expired
Error: NET::ERR_CERT_DATE_INVALID
What it means: The certificate's validity period has passed.
Solution:
1. Renew the certificate with your CA
2. For Let's Encrypt:
3. Set up auto-renewal to prevent future expiry
Check expiry date:
2. Certificate Name Mismatch
Error: NET::ERR_CERT_COMMON_NAME_INVALID
What it means: The certificate was issued for a different domain.
Common scenarios:
- Certificate for example.com but accessing www.example.com
- Certificate for www.example.com but accessing example.com
- Accessing by IP address instead of domain name
Solution:
1. Access the site using the correct domain name
2. Get a certificate that includes all needed domains (SAN certificate)
3. For Let's Encrypt:
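The mismatch scenarios above can be checked against a certificate's SAN list before it is deployed. This Python code is an added example, not part of the original guide; `cert_covers` and `missing_names` are hypothetical helper names, and the rules assumed are the usual browser ones (exact match, a wildcard only as the whole left-most label, IP addresses matched only by IP entries).

```python
import ipaddress

def _dns_match(pattern, host):
    """Match one SAN dNSName against a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # example.com and www.example.com are different names
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label; refuse "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(host, san_dns, san_ip=()):
    """True if a certificate with these SAN entries is valid for host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_match(name, host) for name in san_dns)
    # IP literals only match iPAddress entries, never DNS names.
    return any(ipaddress.ip_address(ip) == addr for ip in san_ip)

def missing_names(needed, san_dns, san_ip=()):
    """Names users will type that the certificate does not cover."""
    return [h for h in needed if not cert_covers(h, san_dns, san_ip)]

if __name__ == "__main__":
    # Constructed inventory: the certificate lists only the bare domain.
    print(missing_names(["example.com", "www.example.com", "192.0.2.10"],
                        ["example.com"]))
```

Any name returned by `missing_names` has to be added to the certificate request, otherwise visitors using that name get the mismatch error.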
3. Self-Signed Certificate
Error: NET::ERR_CERT_AUTHORITY_INVALID
What it means: The certificate wasn't issued by a trusted Certificate Authority.
Solution:
1. Get a certificate from a trusted CA
2. Free option: Let's Encrypt
3. If intentional (internal use), add the CA to trusted roots on client machines
4. Incomplete Certificate Chain
Error: NET::ERR_CERT_AUTHORITY_INVALID (but certificate is valid)
What it means: Intermediate certificates are missing.
Solution:
1. Install the full certificate chain
2. Your CA provides intermediate certificates - concatenate them:
3. Update your web server config to use the full chain
Check certificate chain:
5. Mixed Content Warning
Warning: The padlock icon shows a warning (not secure)
What it means: HTTPS page is loading some resources over HTTP.
Solution:
1. Find mixed content (browser dev tools → Console)
2. Update resource URLs to HTTPS or use protocol-relative URLs (//example.com/image.jpg)
3. Add Content-Security-Policy header to upgrade insecure requests:
6. Certificate Revoked
Error: NET::ERR_CERT_REVOKED
What it means: The certificate has been revoked by the CA.
Solution:
1. Contact your CA to understand why
2. Get a new certificate
3. If compromised, also check for security breaches
7. SSL Protocol Error
Error: ERR_SSL_PROTOCOL_ERROR
What it means: SSL/TLS handshake failed.
Possible causes:
- Server only supports outdated protocols (SSLv3, TLS 1.0)
- Misconfigured SSL settings
- Firewall interfering
Solution:
1. Update server to support TLS 1.2/1.3
2. Check SSL configuration:
3. Use SSL Labs test to identify issues
Testing SSL Configuration
SSL Labs Test
Go to ssllabs.com/ssltest and enter your domain.
What to look for:
- Grade A or higher
- No protocol issues
- Valid certificate chain
- No vulnerabilities
Command Line Testing
Check certificate details:
Check certificate dates:
Check certificate subject:
Let's Encrypt Quick Reference
Install Certbot
Ubuntu/Debian:
Get a Certificate
Nginx:
Apache:
Renew Certificates
Auto-Renewal
Certbot sets up auto-renewal automatically. Verify with:
Web Server Configuration
Nginx SSL Configuration
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000" always;
}
Apache SSL Configuration
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Modern SSL configuration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

    # HSTS
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
Troubleshooting Flowchart
Certificate Error
        │
        ▼
Is the certificate expired?
        │
   Yes ─┼─ No
    │       │
  Renew     ▼
      Does the domain match?
              │
         Yes ─┼─ No
          │       │
          │   Get new cert for correct domain
          ▼
      Is the chain complete?
              │
         Yes ─┼─ No
          │       │
          │   Install intermediate certificates
          ▼
      Is the CA trusted?
              │
         Yes ─┼─ No
          │       │
          │   Get cert from trusted CA
          ▼
      Check server SSL configuration
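The same triage can be run against a live server from a script. This Python code is an added example, not part of the original guide; it uses only the standard `ssl` module, the names `diagnose`, `classify` and `days_remaining` and the wording of the results are this example's own, and the numeric keys are OpenSSL's X509_V_ERR_* verify codes.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL X509_V_ERR_* verify codes, mapped to the error types in this guide.
VERIFY_CODES = {
    9: "certificate not yet valid (check server and client clocks)",
    10: "certificate expired",
    18: "self-signed certificate",
    19: "self-signed or untrusted root in the chain",
    20: "incomplete chain or untrusted CA",
    21: "incomplete chain or untrusted CA",
    23: "certificate revoked",  # only seen if the context checks CRLs
    62: "certificate name mismatch",
}

def classify(verify_code):
    """Translate a verify code into one of the guide's error types."""
    return VERIFY_CODES.get(verify_code, f"other verification failure (code {verify_code})")

def days_remaining(not_after, now=None):
    """Whole days until a getpeercert()-style notAfter string; negative if past."""
    now = now or datetime.now(timezone.utc)
    return int((ssl.cert_time_to_seconds(not_after) - now.timestamp()) // 86400)

def diagnose(host, port=443, warn_days=30, timeout=5):
    """Handshake with full verification and report the first problem found."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                left = days_remaining(tls.getpeercert()["notAfter"])
                state = "renew soon" if left < warn_days else "ok"
                return f"{state}: {left} days left, negotiated {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)
    except ssl.SSLError as exc:  # protocol or cipher mismatch, section 7
        return f"TLS handshake failed: {exc.reason}"
    except OSError as exc:  # DNS failure, refused connection, timeout
        return f"connection failed: {exc}"

if __name__ == "__main__":
    print(diagnose("example.com"))  # placeholder host
```

Code 20 covers both a missing intermediate and an untrusted CA, which is why the flowchart checks the chain before the CA.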
Prevention
- Set calendar reminders for certificate renewal
- Use auto-renewing certificates (Let's Encrypt)
- Monitor certificate expiry with tools like UptimeRobot
- Test SSL configuration after any server changes
- Keep web server software updated