December 21, 2025
GuardSSL Team

Common SSL Certificate Errors and How to Fix Them

Nothing kills user trust faster than an SSL error. That scary browser warning page makes visitors hit the back button immediately. Whether you're new to SSL (check out our SSL basics guide if so) or a seasoned admin, let's go through the most common SSL errors and how to fix them.

ERR_CERT_DATE_INVALID (Certificate Expired)

What you see:

"Your connection is not private - NET::ERR_CERT_DATE_INVALID"

What it means: The SSL certificate has expired. Certificates have a validity period (usually 1-2 years, or 90 days for Let's Encrypt), and this one is past its expiration date.

How to fix it:

  1. Renew your certificate - Contact your CA or hosting provider
  2. For Let's Encrypt users - Run certbot renew or check your auto-renewal setup
  3. Check your server's date/time - Incorrect system time can cause this error

Prevention tip: Set up monitoring with GuardSSL to get alerts before expiration. See our guide on how to check SSL certificate expiration for more methods.

# Check certificate expiration from command line
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
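
As an added example (not from the original post), this Python sketch reads the notBefore/notAfter lines printed by the command above and classifies the certificate the way a pre-expiry monitor would, including the "not yet valid" case that shows up when a clock is wrong. The sample dates, the 30-day threshold and the function names are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

def parse_dates(openssl_output):
    """Parse the notBefore=/notAfter= lines of `openssl x509 -noout -dates`."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            # cert_time_to_seconds understands OpenSSL's "Dec 30 00:00:00 2025 GMT"
            seconds = ssl.cert_time_to_seconds(value.strip())
            fields[key.strip()] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def validity_status(openssl_output, now, warn_days=30):
    """Return (status, days) for a certificate at the moment `now` (UTC)."""
    not_before, not_after = parse_dates(openssl_output)
    if now < not_before:
        # Browsers report this as a date error too; typical of a clock set
        # in the past rather than of a bad certificate.
        return "not_yet_valid", (not_before - now).days
    if now > not_after:
        return "expired", (now - not_after).days
    days_left = (not_after - now).days
    if days_left < warn_days:
        return "expiring_soon", days_left
    return "ok", days_left

# Constructed sample output for a 90-day certificate (not a real site)
SAMPLE_DATES = (
    "notBefore=Oct  1 00:00:00 2025 GMT\n"
    "notAfter=Dec 30 00:00:00 2025 GMT\n"
)

if __name__ == "__main__":
    print(validity_status(SAMPLE_DATES, datetime.now(timezone.utc)))
```
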

ERR_CERT_COMMON_NAME_INVALID (Domain Mismatch)

What you see:

"Your connection is not private - NET::ERR_CERT_COMMON_NAME_INVALID"

What it means: The certificate was issued for a different domain than the one you're visiting. For example, the certificate is for example.com but you're visiting www.example.com.

How to fix it:

  1. Check your certificate's SANs - Make sure all your domains are listed
  2. Get a new certificate - Include all domain variations:
    • example.com
    • www.example.com
    • Any other subdomains
  3. Use a wildcard certificate - *.example.com covers all subdomains

Common scenarios:

  • Forgot to include www variant
  • Using the certificate on a different subdomain
  • Typo in the domain when requesting the certificate
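
To see which hostnames a given SAN list leaves uncovered before you request a certificate, the added example below (not from the original post) applies the matching rules browsers use, in simplified form: a wildcard stands for exactly one label, so *.example.com matches www.example.com but neither the bare example.com nor a.b.example.com. The function names and host list are assumptions made for illustration.

```python
def san_matches(san, host):
    """Match one dNSName SAN entry against a hostname (RFC 6125, simplified)."""
    pattern = san.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False  # "*" stands for exactly one label, never zero or several
    if pattern[0] == "*":
        # Wildcard is honoured only as the whole left-most label; this sketch
        # also requires two fixed labels after it, so "*.com" never matches.
        return len(pattern) >= 3 and pattern[1:] == labels[1:]
    return pattern == labels

def uncovered_hosts(sans, hosts):
    """Hostnames that would hit the domain mismatch error with this SAN list."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

# Constructed list of names a site is served under
SITE_HOSTS = ["example.com", "www.example.com", "api.example.com", "a.b.example.com"]

if __name__ == "__main__":
    for sans in (["example.com"], ["*.example.com"], ["example.com", "*.example.com"]):
        print(sans, "->", uncovered_hosts(sans, SITE_HOSTS))
```
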

ERR_CERT_AUTHORITY_INVALID (Untrusted Certificate)

What you see:

"Your connection is not private - NET::ERR_CERT_AUTHORITY_INVALID"

What it means: The browser doesn't trust the Certificate Authority that issued your certificate. This happens with:

  • Self-signed certificates
  • Certificates from unknown CAs
  • Missing intermediate certificates

How to fix it:

If using a self-signed certificate:

Get a certificate from a trusted CA. Let's Encrypt is free and trusted by all major browsers.

If using a legitimate CA:

You're probably missing intermediate certificates. Your server needs to send the full certificate chain. Learn more about how certificate chains work.

For Apache:

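SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_private.key
# Apache 2.4.8 and later: SSLCertificateChainFile is deprecated; append the
# intermediates to the file named by SSLCertificateFile instead
SSLCertificateChainFile /path/to/intermediate.crt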

For Nginx:

# Combine your certificate with intermediates (your certificate first)
cat your_domain.crt intermediate.crt > combined.crt

# Then point Nginx at the combined file
ssl_certificate /path/to/combined.crt;
ssl_certificate_key /path/to/your_private.key;

ERR_SSL_PROTOCOL_ERROR

What you see:

"This site can't provide a secure connection - ERR_SSL_PROTOCOL_ERROR"

What it means: The browser and server couldn't agree on an SSL/TLS protocol version. Usually happens when:

  • Server only supports outdated protocols (SSLv3, TLS 1.0)
  • Server configuration is broken
  • Firewall is interfering

How to fix it:

  1. Update your SSL configuration to support TLS 1.2 and 1.3:

For Nginx:

ssl_protocols TLSv1.2 TLSv1.3;

For Apache:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

  2. Check your firewall - Make sure port 443 is open and not being filtered

  3. Verify certificate installation - The certificate might be corrupted or incorrectly installed
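
A quick way to review existing configuration for the protocol settings above is to scan it for the two directives and report which legacy versions remain enabled. This added example (not from the original post) does that with a simplified model of Apache's all/+/- syntax; the expansion of "all", the function names and the sample lines are assumptions, and the match is case-sensitive.

```python
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN = {"TLSv1.2", "TLSv1.3"}
# Assumption: what Apache's "all" stands for on a build with every protocol
# from SSLv3 upward compiled in; the real set depends on the OpenSSL build.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def enabled_protocols(line):
    """Protocols one directive leaves enabled, or None for any other line."""
    m = re.match(r"\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", line)
    if not m:
        return None
    directive, tokens = m.group(1), m.group(2).split()
    if directive == "ssl_protocols":      # Nginx: a plain list of versions
        return set(tokens)
    enabled = set()
    for token in tokens:                  # Apache: "all", "+X", "-X" or "X"
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-")
        group = APACHE_ALL if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)          # a bare token replaces what came before
    return enabled

def audit(config_text):
    """Return (line number, message) for each risky protocol directive."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        protocols = enabled_protocols(line)
        if protocols is None:
            continue
        legacy = sorted(protocols & LEGACY)
        if legacy:
            findings.append((number, "legacy enabled: " + ", ".join(legacy)))
        if not protocols & MODERN:
            findings.append((number, "TLS 1.2/1.3 not enabled"))
    return findings

# Constructed sample configuration lines
SAMPLE = """SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol all -SSLv3
ssl_protocols TLSv1 TLSv1.1;
ssl_protocols TLSv1.2 TLSv1.3;"""
```

Note that "SSLProtocol all -SSLv3" on its own still leaves TLS 1.0 and 1.1 enabled, which is why the Apache line above removes each legacy version explicitly.
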

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What you see:

"This site can't provide a secure connection - ERR_SSL_VERSION_OR_CIPHER_MISMATCH"

What it means: The browser and server can't find a common encryption method they both support.

How to fix it:

Update your cipher suite configuration. Here's a modern, secure configuration:

For Nginx:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

For Apache:

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off

Mixed Content Warnings

For a comprehensive guide on this topic, see our dedicated article: How to Fix Mixed Content Errors After Moving to HTTPS.

What you see:

  • Yellow warning triangle on padlock
  • "This page includes resources from insecure sources"
  • Some content not loading

What it means: Your HTTPS page is loading some resources (images, scripts, stylesheets) over HTTP.

How to fix it:

  1. Find the culprits - Open browser DevTools (F12) → Console tab
  2. Update resource URLs - Change http:// to https://
  3. Use protocol-relative URLs - //example.com/image.jpg (though https:// is preferred)
  4. Update your CMS settings - WordPress, for example, has site URL settings

Quick fix for WordPress:

UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');

Better approach - use Content Security Policy:

<meta
  http-equiv="Content-Security-Policy"
  content="upgrade-insecure-requests"
/>

ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

What you see:

"Your connection is not private - NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"

What it means: The certificate has not been logged in Certificate Transparency (CT) logs. Since 2018, Chrome requires all certificates to be logged in public CT logs.

How to fix it:

This is usually a CA issue. Contact your Certificate Authority—they should be including CT information automatically. If you're using a reputable CA, this shouldn't happen with new certificates.

SSL_ERROR_HANDSHAKE_FAILURE_ALERT

What you see:

"Secure Connection Failed - SSL_ERROR_HANDSHAKE_FAILURE_ALERT"

What it means: The TLS handshake failed. Could be caused by:

  • Incompatible protocols
  • Certificate issues
  • Server misconfiguration

How to fix it:

  1. Check your certificate - Make sure it's properly installed
  2. Verify the private key matches - Use this command:

# These two outputs should match (the modulus comparison applies to RSA keys)
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

  3. Review server logs - They often contain more specific error details

HSTS Errors

What you see:

"You cannot visit example.com right now because the website uses HSTS"

What it means: The site previously told your browser to only connect via HTTPS (using HSTS header), but now there's an SSL problem. The browser won't let you bypass the warning.

How to fix it:

If you're the site owner:

  1. Fix the underlying SSL issue first
  2. Make sure your certificate is valid before enabling HSTS

If you're a visitor:

  1. Clear your browser's HSTS settings (Chrome: chrome://net-internals/#hsts)
  2. Or wait for the HSTS policy to expire

Certificate Revocation Errors

What you see:

"The certificate has been revoked"

What it means: The Certificate Authority has revoked this certificate, usually because:

  • The private key was compromised
  • The certificate was issued incorrectly
  • The domain ownership changed

How to fix it:

You need a new certificate. Contact your CA to understand why it was revoked and get a replacement.

Debugging SSL Issues

Online Tools

  • GuardSSL - Comprehensive certificate analysis
  • SSL Labs - Detailed server configuration test
  • Why No Padlock - Find mixed content issues

Command Line Tools

# Test SSL connection
openssl s_client -connect example.com:443 -servername example.com

# Check certificate details (echo closes stdin so the command returns)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -text -noout

# Verify certificate chain
openssl s_client -connect example.com:443 -showcerts

# Test specific TLS version
openssl s_client -connect example.com:443 -tls1_2

Browser DevTools

  1. Open DevTools (F12)
  2. Go to Security tab
  3. View certificate details and any warnings

Prevention Checklist

  • Set up certificate monitoring - Get alerts before expiration
  • Use auto-renewal - Let's Encrypt + certbot handles this automatically
  • Test after changes - Always verify SSL after server updates
  • Include all domains - Don't forget www and subdomains
  • Keep software updated - Outdated servers may have SSL bugs
  • Document your setup - Know where certificates are stored

Key Takeaways

  • Most SSL errors have straightforward fixes
  • Certificate expiration is the #1 cause—set up monitoring
  • Always include the full certificate chain
  • Use modern TLS versions (1.2 and 1.3)
  • Test your configuration after any changes

Having SSL issues? Scan your domain with GuardSSL to identify problems and get actionable recommendations.
