SSL/TLS certificate problems cause browser warnings that immediately erode visitor trust. Whether it is an expired certificate, a hostname mismatch, or a broken certificate chain, each issue has a specific root cause and a clear fix. This guide covers the most common SSL problems you are likely to encounter and how to resolve them.
1. Expired SSL Certificate
Browser error: ERR_CERT_DATE_INVALID, NET::ERR_CERT_DATE_INVALID, "Your connection is not private"
SSL certificates have an expiry date. When a certificate expires, browsers display a full-page warning blocking access to the site. TLS certificates are currently capped at 398 days (~13 months) by browser requirements.
Fix: Renew the certificate with your CA before it expires. Set up automated renewal (Let's Encrypt with Certbot renews automatically 30 days before expiry). Monitor expiry dates with the ShowDNS SSL Expiration Checker.
# Check certificate expiry from the command line
openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
# Output shows:
# notBefore=Jan 15 00:00:00 2024 GMT
# notAfter=Apr 15 23:59:59 2025 GMT
2. Hostname Mismatch
Browser error: ERR_CERT_COMMON_NAME_INVALID, "Certificate does not match name"
This error occurs when the domain name in the browser's address bar does not match the domain(s) listed in the certificate's Common Name (CN) or Subject Alternative Names (SANs). Common scenarios:
- Certificate issued for example.com but visitor goes to www.example.com (or vice versa).
- Certificate for example.com but server is accessed via IP address.
- Certificate issued for one domain but the server is configured with a different certificate.
Fix: Issue a certificate that covers all variants of your domain. Modern certificates should include both example.com and www.example.com as Subject Alternative Names. Wildcard certificates (*.example.com) cover all subdomains.
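The expiry check from section 1 and the name-matching rules above can be automated over the text that the openssl commands in this guide print. The following is an added example, not code from the original article or from the ShowDNS tools it mentions: it parses `openssl x509 -noout -dates` output and the Subject Alternative Name line, computes days until expiry against the 30-day Certbot renewal window, and applies the browser wildcard rule (`*.example.com` covers exactly one label). The sample certificate dates and SAN list are constructed, and the `RENEW_SOON` label is this example's own naming, not a browser error code.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the text the two openssl commands in this guide
# print (x509 -noout -dates, and the Subject Alternative Name lines from
# x509 -noout -text). Hypothetical certificate, not a real one.
SAMPLE_DATES = """notBefore=Jan 15 00:00:00 2024 GMT
notAfter=Apr 15 23:59:59 2025 GMT
"""
SAMPLE_SAN = """            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com
"""

RENEW_WITHIN_DAYS = 30  # Certbot's renewal window, used here as the alert threshold


def parse_dates(text):
    """Parse 'openssl x509 -noout -dates' output into UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            # openssl pads single-digit days ("Jan  5 ..."); collapse the spaces
            fields[key.strip()] = " ".join(value.split())
    fmt = "%b %d %H:%M:%S %Y %Z"  # %Z accepts the literal "GMT" but attaches no tzinfo
    not_before = datetime.strptime(fields["notBefore"], fmt).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(fields["notAfter"], fmt).replace(tzinfo=timezone.utc)
    return not_before, not_after


def parse_san(text):
    """Extract the DNS names from the Subject Alternative Name extension text."""
    return re.findall(r"DNS:([^,\s]+)", text)


def hostname_matches(hostname, dns_names):
    """Match a hostname against SAN DNS names the way browsers do.

    A wildcard is only honoured as the whole leftmost label and covers exactly
    one label: *.example.com matches www.example.com, but neither example.com
    nor a.b.example.com. An IP address never matches a DNS entry; it would
    need an IP Address SAN of its own.
    """
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def diagnose(hostname, dates_text, san_text, now=None):
    """Return the browser-style error codes this certificate would trigger.

    'now' may be a datetime or an ISO date string (interpreted as UTC).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    not_before, not_after = parse_dates(dates_text)
    days_left = (not_after - now).days
    findings = []
    if now < not_before or now > not_after:
        findings.append("ERR_CERT_DATE_INVALID")
    elif days_left < RENEW_WITHIN_DAYS:
        findings.append(f"RENEW_SOON ({days_left} days left)")
    if not hostname_matches(hostname, parse_san(san_text)):
        findings.append("ERR_CERT_COMMON_NAME_INVALID")
    return findings


if __name__ == "__main__":
    for host in ["example.com", "www.example.com", "a.b.example.com", "203.0.113.10"]:
        print(host, diagnose(host, SAMPLE_DATES, SAMPLE_SAN, "2025-04-01") or ["OK"])
```

Feed it the output of `openssl s_client -connect host:443 | openssl x509 -noout -dates` and the SAN lines from `-text`, and it reports the same two error classes the browser would, plus an early renewal warning.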
# Check what domains the certificate covers
openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
# Expected output: DNS:example.com, DNS:www.example.com
3. Incomplete Certificate Chain
Browser error: ERR_CERT_AUTHORITY_INVALID, "Certificate issuer unknown", "unable to get local issuer certificate"
This happens when your server only sends the leaf certificate without the intermediate CA certificate(s). Some browsers (like Chrome) cache intermediates from previous sessions, so the error may not appear in Chrome but will appear in Safari, Firefox, and server-to-server connections.
Fix: Configure your server to send the full certificate chain. Use the fullchain.pem file (Let's Encrypt) or your CA's bundle file.
Learn more: What Is a Certificate Chain?
4. Mixed Content Warnings
Browser indicator: Padlock with warning icon, mixed content console error
Mixed content occurs when an HTTPS page loads resources (images, scripts, styles, iframes) over HTTP. Browsers block active mixed content (scripts, styles, iframes) and warn on passive mixed content (images).
Fix: Update all resource URLs to use HTTPS. Common sources include:
- Hardcoded http:// URLs in CMS content.
- Third-party embeds that use HTTP.
- Theme or plugin assets with absolute HTTP URLs.
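Finding those URLs by hand is error-prone, so here is an added example scanner (not part of the original article) that walks a page's HTML with Python's standard-library parser and lists every subresource an HTTPS page would fetch over plain HTTP. It resolves relative and protocol-relative (`//cdn...`) URLs against the page address so only genuine http: loads are reported, and it classifies each hit as active (blocked by the browser) or passive (loaded with a warning) following the split described above. The sample HTML and host names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource-loading attributes and how browsers classify them: active
# mixed content is blocked, passive mixed content is loaded with a warning.
# <link href> counts as active only when rel contains "stylesheet".
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)")


class MixedContentScanner(HTMLParser):
    """Collect every subresource an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def _check(self, tag, attr, value):
        # Resolve against the page: "/x.png" and "//cdn/x.js" become https:
        # on an https page, so only explicit http: URLs survive this test.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            severity = "passive" if (tag, attr) in PASSIVE else "active"
            self.findings.append((severity, tag, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        for t, attr in ACTIVE | PASSIVE:
            if t == tag and attr in attrs:
                self._check(tag, attr, attrs[attr])
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower() and "href" in attrs:
            self._check(tag, "href", attrs["href"])
        # url() values in style attributes are fetched as active content too
        for url in CSS_URL.findall(attrs.get("style", "")):
            self._check(tag, "style", url)


def scan(html, page_url):
    """Return the list of (severity, tag, url) mixed-content findings for a page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Counts in the shape the browser console reports: blocked vs warned."""
    return {
        "blocked": sum(1 for sev, _, _ in findings if sev == "active"),
        "warned": sum(1 for sev, _, _ in findings if sev == "passive"),
    }


# Constructed sample page (not from any real site).
SAMPLE_HTML = """<!doctype html>
<html><head>
  <link rel="stylesheet" href="http://cdn.example.net/site.css">
  <link rel="icon" href="/favicon.ico">
  <script src="http://cdn.example.net/app.js"></script>
  <script src="//cdn.example.net/ok.js"></script>
</head><body style="background: url(http://cdn.example.net/bg.png)">
  <img src="http://images.example.com/logo.png">
  <img src="/images/local.png">
  <iframe src="https://embed.example.org/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_HTML, "https://www.example.com/"):
        print(f"{severity:7} <{tag}> {url}")
    print(summarize(scan(SAMPLE_HTML, "https://www.example.com/")))
```

Run it against saved page source (or a CMS export) before enabling `upgrade-insecure-requests`; the header hides these loads from visitors but does not fix third-party hosts that have no HTTPS endpoint at all, which the scan output lets you check one by one.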
# Add this header to auto-upgrade HTTP subresources to HTTPS
Content-Security-Policy: upgrade-insecure-requests
5. Self-Signed Certificate Error
Browser error: NET::ERR_CERT_AUTHORITY_INVALID, "Potential security risk ahead"
Self-signed certificates are not trusted by browsers because they are not signed by a recognized Certificate Authority. They are fine for local development but must not be used in production.
Fix: Replace the self-signed certificate with one issued by a trusted CA. Let's Encrypt provides free, trusted certificates with automated renewal. For development environments, consider using mkcert to create locally-trusted certificates.
6. TLS Protocol Version Mismatch
Browser error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
This error occurs when the client and server cannot agree on a TLS version. Chrome and Firefox have dropped support for TLS 1.0 and TLS 1.1. If your server only supports these older versions, modern browsers will refuse to connect.
Fix: Enable TLS 1.2 and TLS 1.3 on your server, and disable TLS 1.0 and 1.1.
# Nginx — enable TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Apache — enable TLS 1.2 and 1.3 only
SSLProtocol -all +TLSv1.2 +TLSv1.3
7. Certificate Revocation
Browser error: ERR_CERT_REVOKED
If a certificate's private key is compromised or the certificate was issued in error, the CA can revoke it. Browsers check revocation status via OCSP or CRL. A revoked certificate causes an immediate browser error.
Fix: Request a new certificate from your CA. Do not attempt to use a revoked certificate. Investigate why it was revoked — if the private key was compromised, regenerate it immediately.
8. HSTS Errors
Browser error: ERR_CERT_AUTHORITY_INVALID (after HSTS is set), NET::ERR_CERT_REVOKED
Once HSTS is set, browsers remember that your domain must use HTTPS. If the SSL certificate subsequently becomes invalid and you try to fall back to HTTP, browsers will block access entirely — even if you try to visit the HTTP version.
Fix: Fix the SSL certificate issue. If you need to remove HSTS temporarily, the only option is to wait for the max-age to expire (unless the user manually clears HSTS state). This is why it is critical to have valid SSL before enabling HSTS. Learn more: How to Fix HSTS Errors.
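To see why HSTS turns a certificate problem into a hard block, it helps to model the browser's HSTS host list. The following is an added example (not code from the original article or from any browser): it parses a `Strict-Transport-Security` header, records the policy the way RFC 6797 describes (only from an error-free HTTPS response, honouring `max-age=0` as removal and `includeSubDomains` for child hosts), and reports whether an HTTP fallback is still reachable once the certificate breaks. Timestamps are plain Unix seconds; the host names and the `t0` value are constructed.

```python
def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value such as
    'max-age=31536000; includeSubDomains; preload' (RFC 6797 syntax)."""
    directives = {}
    for token in header_value.split(";"):
        name, _, value = token.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        raise ValueError("HSTS header needs a numeric max-age directive")
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


class HstsStore:
    """A minimal model of a browser's HSTS host list (times are Unix seconds)."""

    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value, seen_at, connection_had_errors=False):
        """Record an HSTS header as a browser would.

        Browsers only honour the header on an HTTPS response whose certificate
        validated cleanly; one seen alongside a certificate error is ignored.
        max-age=0 removes an existing entry, which is the only server-side way
        to clear the state before it lapses.
        """
        if connection_had_errors:
            return
        policy = parse_hsts(header_value)
        host = host.lower()
        if policy["max_age"] == 0:
            self.entries.pop(host, None)
            return
        self.entries[host] = (seen_at + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host, at):
        """True if the browser would refuse plain HTTP for host at this moment."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or entry[0] <= at:
                continue  # no entry, or it has lapsed
            if i == 0 or entry[1]:  # exact host, or a parent with includeSubDomains
                return True
        return False

    def seconds_until_cleared(self, host, at):
        """How long until the HSTS state for host lapses on its own."""
        entry = self.entries.get(host.lower())
        if entry is None:
            return 0
        return max(0, entry[0] - at)


def visit_outcome(store, host, certificate_valid, at):
    """What the visitor sees when the certificate is broken, with and without HSTS."""
    if certificate_valid:
        return "loads over HTTPS"
    if store.must_use_https(host, at):
        return "blocked: HSTS forbids the HTTP fallback and the warning cannot be bypassed"
    return "certificate warning; the HTTP version is still reachable"


if __name__ == "__main__":
    store = HstsStore()
    t0 = 1_700_000_000  # constructed timestamp for the first clean HTTPS visit
    store.observe("example.com", "max-age=31536000; includeSubDomains", t0)
    print(visit_outcome(store, "www.example.com", certificate_valid=False, at=t0 + 86400))
    print(store.seconds_until_cleared("example.com", t0 + 86400), "seconds until the policy lapses")
```

The model makes the operational point concrete: the block lasts for the remaining `max-age` from the visitor's last clean visit, so staging HSTS with a short `max-age` first, and only raising it once certificate renewal is automated, limits how long a future certificate mistake locks visitors out.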
Diagnosing SSL Problems
Use these tools to diagnose SSL issues:
- ShowDNS SSL Checker — full certificate chain validation, expiry check, and configuration analysis.
- SSL Expiration Checker — monitor when certificates expire.
- TLS Checker — verify TLS version support and cipher suites.
# Quick SSL diagnostic
openssl s_client -connect example.com:443 -showcerts
# Check the full certificate details
openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -text
Frequently Asked Questions
Why does the SSL error only appear on some devices?
Different devices have different root CA trust stores and cached intermediate certificates. An incomplete chain may work on Chrome (which has its own certificate caching) but fail on Safari or mobile browsers. Always test SSL across multiple browsers and devices.
Can an SSL certificate be valid but the site still show a warning?
Yes. Mixed content warnings appear even with a valid certificate if the page loads HTTP resources. Also, an HSTS error can block access even if the certificate is valid if the browser has previously seen the domain with HSTS.
How do I fix SSL errors for a local development server?
Use mkcert to create locally-trusted certificates. It installs a local CA in your system trust store and generates certificates for localhost and custom development domains.