SSL certificates are the foundation of web security, but they can be notoriously finicky. From expired certs to broken trust chains, SSL errors can take your site offline in an instant. In this guide, we'll break down the most common SSL errors and provide step-by-step instructions on how to fix them.
Don't let a "Connection Not Private" warning drive your users away. Learn how to diagnose and resolve SSL issues like a pro.
1. Error: Certificate Expired
This is the most common SSL issue. Every certificate has a fixed expiry date (usually 90 days for Let's Encrypt).
How to Diagnose
- Browser shows
NET::ERR_CERT_DATE_INVALID. - Use our SSL Checker to see the exact expiry date.
How to Fix
- Renew the certificate with your CA (Certificate Authority).
- Pro Tip: Enable auto-renewal via Certbot or your hosting provider's panel to prevent this from happening again.
2. Error: Broken Certificate Chain
Your server must serve your "leaf" certificate plus any "intermediate" certificates. If the intermediates are missing, browsers can't verify the link to the Root CA.
How to Diagnose
- Site works on some browsers (which cache intermediates) but fails on others (especially mobile).
- Browser shows
ERR_CERT_AUTHORITY_INVALID.
How to Fix
- Bundle your intermediate certificates into your
fullchain.pemfile. - In Nginx, ensure
ssl_certificatepoints to the full chain file, not just the leaf cert.
3. Error: Name Mismatch
An SSL certificate is only valid for the specific domains listed on it (e.g., example.com and www.example.com).
How to Diagnose
- Browser shows
SSL_ERROR_BAD_CERT_DOMAINorCommon Name Mismatch. - Happens when you access
https://sub.example.combut the cert only covers the root.
How to Fix
- Issue a new certificate that includes all necessary SANs (Subject Alternative Names).
- Use a Wildcard Certificate (
*.example.com) if you have many subdomains.
4. Error: Mixed Content
This isn't an error with the certificate itself, but with how the page is loaded. It happens when an HTTPS page tries to load resources (images, scripts) over plain HTTP.
How to Diagnose
- Padlock icon has a warning triangle or is missing.
- Console shows "Mixed Content: The page at... was loaded over HTTPS, but requested an insecure...".
How to Fix
- Update all internal links to use
https://. - Use the
Content-Security-Policy: upgrade-insecure-requestsheader to automate this.
5. Error: Insecure Cipher Suites
If your server supports old, vulnerable protocols like TLS 1.0 or 1.1, modern browsers may flag your connection as insecure.
How to Diagnose
- Security audit tools (like UpMonitor) flag "Weak Protocol" or "Legacy Ciphers".
How to Fix
- Update your server configuration to only allow TLS 1.2 and TLS 1.3.
- Disable weak ciphers like RC4, 3DES, and MD5.
Conclusion
SSL issues can be complex, but with the right tools, they are easy to solve. Regularly auditing your SSL configuration is the best way to ensure your site stays secure and accessible.
