An SSL error immediately stops visitors from accessing your website, displaying a scary warning page. Each error type has a specific cause and fix. This guide walks through the most common SSL errors, how to diagnose them, and how to resolve them quickly.
Step 1: Identify the Error Type
Use the ShowDNS SSL Checker to get a full diagnosis, or check the browser's error message:
| Browser Error | Likely Cause |
|---|---|
| ERR_CERT_DATE_INVALID | Certificate expired or device clock is wrong |
| ERR_CERT_AUTHORITY_INVALID | Untrusted CA, self-signed cert, or incomplete chain |
| ERR_CERT_COMMON_NAME_INVALID | Hostname is not listed in the certificate's Subject Alternative Name (SAN); modern browsers ignore the CN |
| ERR_SSL_VERSION_OR_CIPHER_MISMATCH | TLS version or cipher suite not supported |
| ERR_CERT_REVOKED | Certificate has been revoked by the CA |
| Mixed content warning | HTTPS page loading resources over HTTP |
Fix 1: Expired Certificate (ERR_CERT_DATE_INVALID)
An expired certificate must be renewed. First confirm from the server side that it really has expired; if the dates look fine, the visitor's device clock is wrong (see the table above). If you are using Let's Encrypt:
# Check when the certificate expires (-servername sends SNI so a server hosting several sites returns the right certificate;
# </dev/null makes s_client exit instead of waiting for input)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
# Renew with Certbot. Plain "renew" already reissues anything expired or within 30 days of expiry;
# add --force-renewal only if it reports the certificate as not yet due, because forced reissues count against Let's Encrypt rate limits
sudo certbot renew
# Reload the web server so it picks up the new files
sudo systemctl reload nginx
# or
sudo systemctl reload apache2
For certificates from a paid CA:
- Log in to your CA's portal and renew the certificate.
- Download the new certificate and fullchain file.
- Replace the old certificate files on your server.
- Reload the web server.
Stop it happening again by confirming that automatic renewal works: sudo certbot renew --dry-run. Also add certificate expiry monitoring with the ShowDNS SSL Expiration Checker.
Fix 2: Untrusted Certificate (ERR_CERT_AUTHORITY_INVALID)
This error has three common causes:
Incomplete Certificate Chain
Your server is sending only the leaf certificate, not the intermediate(s) that link it to a trusted root. Some clients fetch a missing intermediate themselves or have it cached from another site, so the site appears to work on one machine and fail on another. Fix by serving the fullchain file:
# Count the certificates the server actually sends (leaf plus intermediates)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | grep -c "BEGIN CERTIFICATE"
# 1 means only the leaf is sent and the chain is incomplete; 2 or more is normal
# Fix for Nginx: point ssl_certificate at the fullchain file
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# NOT: ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
Self-Signed Certificate
Replace with a trusted certificate from Let's Encrypt or a paid CA:
# Install a Let's Encrypt certificate and let Certbot edit the Nginx config
sudo certbot --nginx -d example.com -d www.example.com
Device's Trust Store Missing the Root CA
On older devices or operating systems the root CA that anchors your chain may not be installed, for example a phone whose trust store predates the CA's current root. This is rare with modern CAs. If the certificate works on every other device but fails on one old device, that device's root store needs updating; nothing on the server is wrong.
Fix 3: Hostname Mismatch (ERR_CERT_COMMON_NAME_INVALID)
The certificate does not cover the hostname being accessed (typically www.example.com works but example.com does not, or the reverse). Check which names the certificate covers:
# List the certificate's SANs
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
# Should show: DNS:example.com, DNS:www.example.com
Fix by issuing a new certificate that includes every name the site is served under:
# Issue a cert covering both root and www
sudo certbot --nginx -d example.com -d www.example.com
# For a wildcard cert (covers all first-level subdomains but not the bare domain, so list both).
# Wildcards require the DNS-01 challenge, which the nginx plugin cannot perform: use --manual,
# or one of Certbot's DNS plugins (e.g. certbot-dns-cloudflare) so renewals can run unattended
sudo certbot certonly --manual --preferred-challenges dns -d example.com -d "*.example.com"
Fix 4: TLS Version/Cipher Mismatch
The client and server share no TLS version or cipher suite. Usually the server is still limited to TLS 1.0/1.1 or an obsolete cipher list, but the same error appears when a hardened server has disabled everything an old client or intercepting proxy can speak, or when the cipher list does not match the certificate's key type (ECDSA-only suites with an RSA certificate). Update the server configuration to offer TLS 1.2 and 1.3 with modern AEAD suites:
# Nginx: enable only TLS 1.2 and 1.3
ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers applies to TLS 1.2; the TLS 1.3 suites are fixed by the TLS library
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Apache: enable only TLS 1.2 and 1.3
SSLProtocol -all +TLSv1.2 +TLSv1.3
# HIGH:!aNULL:!MD5 is a broad list that still permits non-forward-secret RSA key exchange; use the Mozilla SSL Configuration Generator for a tighter one
SSLCipherSuite HIGH:!aNULL:!MD5
Fix 5: Mixed Content Warnings
Your HTTPS page is loading resources (images, scripts, styles) over HTTP. Browsers block active mixed content (scripts, stylesheets, iframes) outright and either warn on or silently auto-upgrade passive mixed content (images, audio, video), so a missing stylesheet or script is the usual symptom.
Find all mixed content by opening browser DevTools → Console. Look for warnings like: "Mixed Content: The page was loaded over HTTPS, but requested an insecure resource".
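A command-line alternative to the DevTools Console for finding mixed content, added here as an example and not part of the original guide or of ShowDNS tooling. It scans a saved copy of the page for sub-resources fetched over http:// and labels each one active (script, stylesheet, iframe: blocked) or passive (image, audio, video: warned or auto-upgraded), matching the distinction above. The sample page it writes is constructed for the example; the scanner assumes tags fit on one line with double-quoted attributes, which covers most real templates.

```shell
#!/bin/sh
# Added example for this guide (not ShowDNS code): scan a saved HTML page for
# sub-resources still requested over plain HTTP and label each one the way the
# browser treats it (active = blocked, passive = warned or auto-upgraded).
# Assumes the page was saved locally (e.g. with curl); tags must fit on one
# line and use double-quoted attributes.

# Print "active|passive URL" for every http:// sub-resource in FILE.
# <a href> is navigation, not mixed content, so anchors are ignored.
find_mixed_content() {
    grep -oiE '<(script|iframe|link|img|video|audio|source)[^>]*http://[^>]*>' "$1" \
    | while IFS= read -r tag; do
        url=$(printf '%s' "$tag" \
              | grep -oiE '(src|href)="http://[^"]+"' | head -n 1 \
              | sed 's/^[^=]*="//; s/"$//')
        [ -n "$url" ] || continue
        case $(printf '%s' "$tag" | tr 'A-Z' 'a-z') in
            '<script'*|'<iframe'*|'<link'*) kind=active ;;
            *) kind=passive ;;
        esac
        printf '%s %s\n' "$kind" "$url"
    done
}

# Constructed sample page for trying the scanner offline: two https resources
# (fine), three http resources (mixed content) and one plain link (ignored).
write_sample_page() {
    cat > "$1" <<'EOF'
<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<link rel="stylesheet" href="http://cdn.example.com/legacy.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="https://img.example.com/hero.jpg" alt="">
<img src="http://img.example.com/logo.png" alt="">
<a href="http://partner.example.org/">navigation link, not mixed content</a>
</body></html>
EOF
}

# Usage: write_sample_page /tmp/index.html; find_mixed_content /tmp/index.html
# For a live page: curl -s https://example.com/ > /tmp/index.html first.
```

Run it against the rendered page rather than the template source, since resources injected by plugins or tag managers are what usually slip through.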
Fix by updating every resource URL to https:// (root-relative URLs such as /js/app.js also work). As a safety net, add this CSP directive, which makes the browser rewrite http:// sub-resource requests to https:// before they are sent; it only helps when the resource is actually available over HTTPS, otherwise the request simply fails:
Content-Security-Policy: upgrade-insecure-requests
# Nginx (an add_header inside a location block replaces the server-level headers rather than adding to them)
add_header Content-Security-Policy "upgrade-insecure-requests" always;
Fix 6: Revoked Certificate (ERR_CERT_REVOKED)
A revoked certificate cannot be un-revoked. You must obtain a new certificate:
- Generate a new private key and CSR.
- Request a new certificate from your CA.
- Install the new certificate on your server.
- If the certificate was revoked because the private key was compromised, or you suspect it was, treat the server as breached: audit it for unauthorized access and rotate any other secrets stored alongside the key.
Verifying the Fix
After making changes, verify the SSL configuration. Add </dev/null so s_client exits instead of waiting for input, and -servername so SNI selects the right certificate on a server hosting several sites:
# Full handshake showing the served chain and the verification result
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
# Check expiry
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
# Check the TLS version that was negotiated
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | grep "Protocol"
Look for "Verify return code: 0 (ok)" in the first command's output; any other code names the chain problem. Use the ShowDNS SSL Checker and TLS Checker to confirm the configuration is correct from an external perspective.
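The checks behind Fixes 1 to 4 and the verification commands above, collected into reusable shell functions. This is an added example written for this guide, not a ShowDNS tool or code from the original page; it assumes only the openssl command line (1.1.1 or newer), and the host names and paths in it are placeholders. The file-based functions run offline against any saved PEM chain, which also makes them usable from cron or a CI job; fetch_chain and probe_tls_versions are the only ones that touch the network.

```shell
#!/bin/sh
# Added example for this guide, not a ShowDNS tool: shell functions that apply
# the checks from Fixes 1-4 to a certificate chain saved as PEM, so they can be
# run offline against a file or against a chain pulled from a live server.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH; host names and paths
# are placeholders.

# Fetch the chain HOST serves on PORT (default 443) as PEM. -servername sends
# SNI so a multi-site server returns the right certificate; </dev/null keeps
# s_client from waiting for interactive input.
fetch_chain() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}

# Number of certificates in a PEM bundle; 1 means no intermediate was sent.
cert_chain_length() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# notAfter of the first (leaf) certificate in the bundle.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Succeeds if the leaf expires within DAYS days (0 = already expired).
cert_expires_within() {
    ! openssl x509 -noout -checkend $(($2 * 86400)) -in "$1" >/dev/null
}

# DNS names from the leaf's Subject Alternative Name, one per line.
# Browsers ignore the CN, so only these names count.
cert_san_names() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeeds if HOST is covered by a SAN entry. A wildcard matches exactly one
# label, so *.example.com covers www.example.com but not a.b.example.com.
# Body runs in a subshell so "set -f" (no globbing of "*") stays local.
cert_covers_host() (
    set -f
    pem=$1; host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for name in $(cert_san_names "$pem" | tr 'A-Z' 'a-z'); do
        if [ "$name" = "$host" ]; then
            return 0
        fi
        case $name in
            \*.*)
                rest=${host#*.}
                if [ "$rest" != "$host" ] && [ "$rest" = "${name#\*.}" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
)

# Run the expiry, chain and hostname checks on a saved chain and name the
# browser error each failure would produce. Returns non-zero on any failure.
diagnose_chain() {
    pem=$1; host=$2; rc=0
    if cert_expires_within "$pem" 0; then
        echo "ERR_CERT_DATE_INVALID: expired on $(cert_not_after "$pem")"; rc=1
    elif cert_expires_within "$pem" 14; then
        echo "WARNING: expires on $(cert_not_after "$pem"), renew now"
    fi
    if [ "$(cert_chain_length "$pem")" -lt 2 ]; then
        echo "ERR_CERT_AUTHORITY_INVALID likely: no intermediate in chain"; rc=1
    fi
    if ! cert_covers_host "$pem" "$host"; then
        echo "ERR_CERT_COMMON_NAME_INVALID: SAN does not cover $host"; rc=1
    fi
    return $rc
}

# Which protocol versions a live server accepts (each -tls1_x forces a single
# version; a failed handshake means it is rejected). Needs network. A client
# build with TLS 1.0/1.1 compiled out reports those as rejected regardless.
probe_tls_versions() {
    host=$1; port=${2:-443}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$host:$port" -servername "$host" "-$v" \
                </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: rejected"
        fi
    done
}

# Usage against a live server (network required):
#   fetch_chain example.com > /tmp/chain.pem
#   diagnose_chain /tmp/chain.pem example.com && echo "chain OK"
#   probe_tls_versions example.com
```

Running fetch_chain against a server and then diagnose_chain on the saved file reproduces the three certificate errors from the table at the command line: a chain length of 1 is the incomplete chain from Fix 2, and a hostname absent from the SAN list is the mismatch from Fix 3. Because the file-based checks need no network, the same functions can run from a cron job against the certificate files on disk before the browser warning ever appears.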
Frequently Asked Questions
My SSL certificate is valid but visitors still see an error — why?
Common causes: the certificate chain is incomplete (some clients fetch or cache the missing intermediate, so the site works on your machine and fails on others), the wrong certificate file is configured in the web server, the certificate covers only one of www.example.com and example.com, or visitors are reaching a different server (an old IP address or a CDN edge) than the one you fixed. Check with the ShowDNS SSL Checker from outside your network.
How do I fix SSL errors for a specific user only?
If the SSL error only appears for one user, the problem is likely on their device — outdated OS, incorrect system clock, antivirus software intercepting SSL connections, or corporate proxy/firewall modifying HTTPS traffic.
Can I bypass the SSL error temporarily?
In Chrome, you can type thisisunsafe on the error page to proceed to the site. This bypasses the error for that session only and should only be used for testing on your own site. Never advise users to bypass SSL errors.