SSL Certificate Errors: Complete Troubleshooting Guide 2025

October 20, 2025 By SSL Checker Pro Team 10 min read

SSL certificate errors can be frustrating for both website owners and visitors. These errors prevent secure connections and can damage user trust. This comprehensive guide covers the most common SSL certificate errors, their causes, and step-by-step solutions to fix them quickly.

Common SSL Certificate Errors

1. NET::ERR_CERT_AUTHORITY_INVALID

Error Message: "Your connection is not private" or "NET::ERR_CERT_AUTHORITY_INVALID"

Causes

  • Self-signed certificate, or a certificate from a private/internal CA whose root is not installed on the client
  • Certificate issued by a CA the browser does not trust
  • Incomplete certificate chain (the server sends the leaf certificate without its intermediate)
  • A TLS-inspecting proxy or security product re-signing traffic with its own root certificate
  • System date/time incorrect (this usually surfaces as NET::ERR_CERT_DATE_INVALID instead)

Solutions

# Check certificate issuer (-servername sends SNI so a multi-site host returns the right certificate)
openssl s_client -servername example.com -connect example.com:443 -showcerts < /dev/null 2>/dev/null | \
    openssl x509 -noout -issuer

# Verify certificate chain: each certificate the server sent is listed, and the
# "Verify return code" line at the end of the output tells you whether it validates
openssl s_client -servername example.com -connect example.com:443 -showcerts < /dev/null

# Install complete certificate chain (Nginx)
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

# Apache 2.4.8 and later: point SSLCertificateFile at the full chain
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

# Apache before 2.4.8: leaf in SSLCertificateFile plus the (since deprecated) SSLCertificateChainFile
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

2. Certificate Expired Error

Error Message: "NET::ERR_CERT_DATE_INVALID" or "Certificate has expired"

Quick Fix Steps

  1. Check the certificate's expiration date
  2. Renew the certificate
  3. Deploy the new certificate
  4. Reload the web server and verify the installation

# Check expiration date
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | \
    openssl x509 -noout -dates

# Renew Let's Encrypt certificate. A plain `renew` already renews anything that is
# expired or within 30 days of expiry; add --force-renewal only for a certificate
# that is still outside that window (scripting it can exhaust the CA's rate limits).
sudo certbot renew

# Reload web server (the new certificate is not served until you do)
sudo systemctl reload nginx
# or
sudo systemctl reload apache2

# Verify new certificate (curl prints an "expire date:" line in its verbose output)
curl -vI https://example.com 2>&1 | grep "expire date"

3. Certificate Name Mismatch

Error Message: "NET::ERR_CERT_COMMON_NAME_INVALID"

Despite the error name, browsers match the hostname against the Subject Alternative Name (SAN) list and ignore the Common Name entirely, so every name the site answers to must appear in the SAN list. A wildcard covers exactly one label.

Scenario    Certificate valid for           Name being accessed    Result
Mismatch    example.com                     www.example.com        ❌ Error
Correct     example.com, www.example.com    www.example.com        ✅ Works
Wildcard    *.example.com                   blog.example.com       ✅ Works
Wildcard    *.example.com                   example.com            ❌ Error (wildcard does not cover the bare domain)
Wildcard    *.example.com                   a.b.example.com        ❌ Error (wildcard matches a single label only)

Solution

# Check which names the certificate covers (browsers only look at the SAN list)
openssl s_client -servername example.com -connect example.com:443 < /dev/null 2>/dev/null | \
    openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

# Request new certificate with all domains
sudo certbot certonly --nginx \
    -d example.com \
    -d www.example.com \
    -d blog.example.com

# Or use a wildcard. Wildcards require the DNS-01 challenge, so a DNS plugin and its
# API credentials are needed (the credentials path is a placeholder; keep the file mode 600).
# Quote the wildcard so the shell does not expand it as a glob.
sudo certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
    -d example.com \
    -d "*.example.com"

4. Incomplete Certificate Chain

Error Message: "Unable to verify the first certificate" or chain validation errors

The server must send its intermediate certificate(s) together with the leaf. Desktop Chrome and Firefox often hide a missing intermediate (Chrome fetches it from the certificate's AIA URL, Firefox keeps a cache of known intermediates), so this error typically shows up only in curl, mobile apps, API clients and monitoring probes, which makes it easy to miss when you test from your own browser.

# Test certificate chain: every certificate the server sends is listed with its subject (s:) and issuer (i:)
openssl s_client -servername example.com -connect example.com:443 -showcerts < /dev/null

# Verify chain completeness: return code 21 ("unable to verify the first certificate") means the intermediate is missing
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | \
    grep "Verify return code"

# curl reports the same problem as "unable to get local issuer certificate"
curl --verbose https://example.com 2>&1 | grep -i "certificate"

# Fix: Use fullchain.pem (leaf followed by the intermediates)
# Nginx
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

# Apache
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
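Both the chain failure in this section and the name-matching rules from the table in section 3 can be reproduced offline with nothing but openssl. The script below is an added example, not code from the original article or from SSL Checker Pro: it builds a throwaway root → intermediate → leaf PKI (all names, including Demo Root CA and example.test, are constructed for the demo), then runs openssl verify the way a client would, once with the leaf alone and once with the intermediate, and finally checks the exact-name, wildcard, bare-domain and two-level-subdomain cases. It needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original article): build a throwaway test PKI
# with openssl and reproduce the incomplete-chain and name-mismatch failures.
# All names (Demo Root CA, example.test) are constructed for this demo.
set -eu

# gen_key DIR NAME: P-256 private key at DIR/NAME.key
gen_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" 2>/dev/null
}

# issue_cert DIR NAME SUBJECT CA EXTENSIONS: write DIR/NAME.pem for SUBJECT, signed
# by DIR/CA.pem + DIR/CA.key, with the newline-separated x509v3 EXTENSIONS applied
issue_cert() {
    dir=$1 name=$2 subj=$3 ca=$4
    printf '%s\n' "$5" > "$dir/$name.ext"
    openssl req -new -key "$dir/$name.key" -subj "$subj" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# build_test_pki DIR: root CA, intermediate CA, a leaf for example.test, a wildcard
# leaf for *.example.test, and fullchain.pem = leaf followed by the intermediate
build_test_pki() {
    mkdir -p "$1"
    for n in root int leaf wild; do gen_key "$1" "$n"; done
    # Self-signed root via CSR + self-sign, so only the extensions in our extfile apply
    openssl req -new -key "$1/root.key" -subj "/CN=Demo Root CA" -out "$1/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/root.ext"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 1 \
        -extfile "$1/root.ext" -out "$1/root.pem" 2>/dev/null
    issue_cert "$1" int "/CN=Demo Intermediate CA" root \
        'basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign'
    issue_cert "$1" leaf "/CN=example.test" int \
        'basicConstraints=CA:FALSE
subjectAltName=DNS:example.test'
    issue_cert "$1" wild "/CN=*.example.test" int \
        'basicConstraints=CA:FALSE
subjectAltName=DNS:*.example.test'
    # What a correctly configured server sends: the leaf first, then its intermediate
    cat "$1/leaf.pem" "$1/int.pem" > "$1/fullchain.pem"
}

# verify_leaf ROOT LEAF INTERMEDIATES HOSTNAME: act as a client that trusts only ROOT,
# received LEAF plus the certificates in INTERMEDIATES ("" = the server sent none),
# and typed HOSTNAME. Returns openssl's exit status: 0 only if the chain builds up to
# ROOT AND HOSTNAME is covered by the certificate's SAN list.
verify_leaf() {
    root=$1 leaf=$2 inter=${3:-} host=${4:-}
    set --
    if [ -n "$inter" ]; then set -- "$@" -untrusted "$inter"; fi
    if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi
    openssl verify -CAfile "$root" "$@" "$leaf"
}

# show LABEL ROOT LEAF INTERMEDIATES HOSTNAME: print PASS/FAIL for one scenario
show() {
    label=$1; shift
    if verify_leaf "$@" >/dev/null 2>&1; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

WORK=$(mktemp -d)
build_test_pki "$WORK"
R=$WORK/root.pem I=$WORK/int.pem L=$WORK/leaf.pem W=$WORK/wild.pem
show "leaf alone, intermediate not sent (incomplete chain)"  "$R" "$L" ""                   example.test
show "leaf + intermediate (fullchain.pem)"                   "$R" "$L" "$WORK/fullchain.pem" example.test
show "cert for example.test, accessing www.example.test"     "$R" "$L" "$I" www.example.test
show "wildcard *.example.test, accessing blog.example.test"  "$R" "$W" "$I" blog.example.test
show "wildcard *.example.test, accessing example.test"       "$R" "$W" "$I" example.test
show "wildcard *.example.test, accessing a.b.example.test"   "$R" "$W" "$I" a.b.example.test
rm -rf "$WORK"
```

The first scenario fails even though the leaf is perfectly valid, which is exactly what a server configured with cert.pem instead of fullchain.pem looks like to a client that has no AIA fetching; the same `openssl verify -CAfile root -untrusted chain leaf` form is useful for checking a chain file before you deploy it.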

5. Mixed Content Warnings

Error Message: "This page includes resources loaded over HTTP" (current browsers block the http:// script or stylesheet outright and log a "Mixed Content" message in the console)

Mixed content is a page problem, not a certificate problem: the HTTPS page itself is fine but references http:// scripts, stylesheets, images or frames. Browsers block active mixed content (scripts, stylesheets, iframes, fetch/XHR) outright; passive content (images, audio, video) is auto-upgraded to https:// by current browsers and blocked if the upgrade fails.

Find Mixed Content

# Check for HTTP resources in HTML/templates. Restrict the search to src/href attributes,
# otherwise XML namespaces, schema.org URIs and plain links (which are not fetched) all match.
grep -rnE '(src|href)="http://' /var/www/html/ --include="*.html" --include="*.php"

# Browser Console
# Open DevTools → Console → Look for mixed content warnings

# Fix: update resources to HTTPS. Limit the rewrite to src/href attributes, keep a backup
# and review the diff: a blanket http:// -> https:// replacement also rewrites xmlns
# declarations and links to third-party hosts that may not serve HTTPS at all.
sed -i.bak -E 's/(src|href)="http:\/\//\1="https:\/\//g' /var/www/html/index.html
diff /var/www/html/index.html.bak /var/www/html/index.html

# As a backstop, the Content-Security-Policy directive "upgrade-insecure-requests" makes
# the browser fetch http:// subresources over https:// before loading them. Protocol-relative
# URLs (//cdn.example.com/app.js) are an older workaround; plain https:// is simpler now
# that the page is always served over HTTPS.
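A bare grep for http:// over-reports: anchor links, XML namespaces and schema.org identifiers are not fetched by the browser and are not mixed content. The script below is an added example, not code from the original article or from SSL Checker Pro: a grep/sed-based finder that reports only http:// subresources a browser would actually load and tags each one as active (blocked) or passive (upgraded or warned about). The sample page it scans is constructed inline for the demo; the `link` case is treated as a stylesheet, so check the rel= attribute by hand for canonical or alternate links.

```shell
#!/bin/sh
# Added example (not code from the original article): a grep/sed-based mixed
# content finder that, unlike a bare grep for "http://", only reports
# subresources the browser would actually fetch, and tags them active
# (blocked outright) or passive (auto-upgraded or warned about).
# The sample page below is constructed for this demo.
set -eu

# find_mixed_content FILE: print one "kind tag url" line per http:// subresource.
# <a href="http://..."> is a navigation, not a fetch, so the tag list skips it.
find_mixed_content() {
    grep -oiE '<(script|link|iframe|img|audio|video|source|object|embed)[^>]*[[:space:]](src|href)="http://[^"]*"' "$1" |
    sed -E 's/^<([A-Za-z]+).*"(http:\/\/[^"]*)"$/\1 \2/' |
    while read -r tag url; do
        tag=$(printf '%s' "$tag" | tr 'A-Z' 'a-z')
        case "$tag" in
            # Active content: browsers refuse to load these over http:// on an https:// page
            script|link|iframe|object|embed) echo "active $tag $url" ;;
            # Passive content: upgraded to https:// by current browsers, blocked if that fails
            *)                               echo "passive $tag $url" ;;
        esac
    done
}

# count_mixed FILE KIND: number of "active" or "passive" findings (handy as a CI gate)
count_mixed() {
    find_mixed_content "$1" | grep -c "^$2 " || true
}

# Constructed sample page: two active and one passive mixed-content resource,
# plus an xmlns declaration, a plain link and https:// resources that must NOT be reported
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<!doctype html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <link rel="stylesheet" href="http://cdn.example.test/site.css">
  <script src="http://cdn.example.test/app.js" defer></script>
  <script src="https://cdn.example.test/ok.js"></script>
</head>
<body>
  <a href="http://partner.example.test/">Plain link: not mixed content</a>
  <img alt="logo" src="http://static.example.test/logo.png">
  <iframe src="https://embed.example.test/"></iframe>
</body>
</html>
EOF
find_mixed_content "$SAMPLE"
echo "active: $(count_mixed "$SAMPLE" active), passive: $(count_mixed "$SAMPLE" passive)"
rm -f "$SAMPLE"
```

Run against a document root with `find /var/www/html -name '*.html' -exec sh -c 'find_mixed_content "$1"' _ {} \;` after sourcing the functions, or wire `count_mixed FILE active` into a deployment check that fails when it prints anything other than 0.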

6. Self-Signed Certificate Error

Error Message: "NET::ERR_CERT_AUTHORITY_INVALID" (self-signed)

⚠️ Never Use Self-Signed Certificates on Public Sites

A self-signed certificate has no issuer the browser can check, so every visitor sees a full-page warning, and users who are told to click through it learn the exact habit an attacker with a forged certificate needs. Use self-signed certificates only for development/testing; on the public internet use Let's Encrypt or another publicly trusted CA. Internal services are the one legitimate exception: a certificate from your own private CA is fine if that CA's root is actually deployed to every client, and produces this same error where it is not.

# Replace self-signed with Let's Encrypt (--nginx also edits the server block for you)
sudo certbot --nginx -d example.com -d www.example.com

# Confirm renewal will work, without touching the live certificate
sudo certbot renew --dry-run

Advanced Troubleshooting

SSL Handshake Failures

# Test the handshake per protocol version (a version the server refuses ends in a
# handshake alert instead of printing a certificate)
openssl s_client -servername example.com -connect example.com:443 -tls1_2
openssl s_client -servername example.com -connect example.com:443 -tls1_3

# Check supported protocols and cipher suites
nmap --script ssl-enum-ciphers -p 443 example.com

# Test a specific cipher (TLS 1.2 syntax; TLS 1.3 suites are selected with -ciphersuites)
openssl s_client -servername example.com -connect example.com:443 -cipher ECDHE-RSA-AES128-GCM-SHA256

Certificate Revocation Issues

# Find the OCSP responder in the certificate's AIA extension. Nothing printed means the
# certificate has no OCSP URL: Let's Encrypt stopped including one in new certificates
# during 2025 and shut down its responders, so for those certificates CRLs are the only
# revocation channel and OCSP stapling has nothing to staple.
openssl x509 -in cert.pem -noout -ocsp_uri

# Check OCSP status (the URL comes from the certificate, never from a hard-coded placeholder;
# -CAfile lets openssl verify the responder's signature against the issuer)
openssl ocsp -issuer chain.pem -cert cert.pem -CAfile chain.pem \
    -url "$(openssl x509 -in cert.pem -noout -ocsp_uri)" -resp_text

# Verify CRL
openssl crl -in crl.pem -noout -text

# Enable OCSP stapling (Nginx). A resolver directive is required or nginx cannot reach the
# responder. Confirm with: openssl s_client -servername example.com -connect example.com:443 -status
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 1.1.1.1 8.8.8.8 valid=300s;   # or your own resolver

SNI Issues

Without Server Name Indication the server cannot tell which site the client wants and answers with the certificate of its default server block, so the client sees a name mismatch even though the site itself is configured correctly. Very old clients and monitoring probes that are given only an IP address hit this.

# Test with SNI (what a browser does)
openssl s_client -connect example.com:443 -servername example.com

# Test without SNI. OpenSSL 1.1.1 and later send SNI by default, so -noservername is
# needed to suppress it; if the certificate differs, the host depends on SNI.
openssl s_client -connect example.com:443 -noservername

# Enable SNI in Nginx (default in modern versions). The first server block for a listen
# address, or the one marked default_server, is what non-SNI clients receive.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
}

Browser-Specific Errors

Chrome Errors

Error Code                                    Meaning                                                  Solution
NET::ERR_CERT_AUTHORITY_INVALID               Issuer not trusted by the client                         Install the complete chain; use a publicly trusted CA
NET::ERR_CERT_DATE_INVALID                    Certificate expired or not yet valid, or client clock wrong   Renew the certificate (or fix the client clock)
NET::ERR_CERT_COMMON_NAME_INVALID             Hostname not in the SAN list                             Add the name to the SAN list and reissue
NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED    Certificate not logged to CT (no SCTs)                   Reissue from a CA that embeds SCTs

Firefox Errors

  • SEC_ERROR_UNKNOWN_ISSUER: issuer not trusted or intermediate certificate missing
  • SSL_ERROR_BAD_CERT_DOMAIN: domain name mismatch
  • SEC_ERROR_EXPIRED_CERTIFICATE: certificate expired
  • MOZILLA_PKIX_ERROR_MITM_DETECTED: a TLS-inspecting proxy or antivirus is re-signing traffic with a root Firefox does not trust

Diagnostic Tools

Command Line Tools

# Comprehensive SSL test
testssl.sh example.com

# Check certificate details
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | \
    openssl x509 -noout -text

# Verify certificate against key. The classic modulus comparison only works for RSA keys;
# comparing the DER-encoded public key works for RSA and ECDSA alike.
openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum
openssl pkey -in key.pem -pubout -outform DER | sha256sum
# Hashes should match

# Check certificate dates
openssl x509 -in cert.pem -noout -dates

Online Testing Tools

  • SSL Labs: https://www.ssllabs.com/ssltest/
  • Why No Padlock: https://www.whynopadlock.com/
  • SSL Checker: https://sslcheckerpro.com/
  • Certificate Decoder: https://certlogik.com/decoder/

Prevention Best Practices

1. Automated Monitoring

#!/bin/bash
# Monitor certificate expiration (uses GNU `date -d`)
set -u
DOMAIN="example.com"
DAYS_WARNING=30

# -servername is required so a multi-site host returns the certificate for $DOMAIN
EXPIRY=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null | \
         openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)

# A connection or parse failure leaves EXPIRY empty; treat that as an error, not as "fine"
if [ -z "$EXPIRY" ]; then
    echo "ERROR: could not retrieve certificate for $DOMAIN" >&2
    exit 2
fi

EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
CURRENT_EPOCH=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - CURRENT_EPOCH) / 86400 ))

if [ "$DAYS_LEFT" -lt "$DAYS_WARNING" ]; then
    echo "WARNING: certificate for $DOMAIN expires in $DAYS_LEFT days"
    # Send alert; exit non-zero so cron/monitoring wrappers notice
    exit 1
fi
echo "OK: certificate for $DOMAIN valid for $DAYS_LEFT more days"

2. Automated Renewal

# Confirm renewal works end to end (Let's Encrypt)
sudo certbot renew --dry-run

# Distribution packages install a systemd timer; check it before adding anything else
sudo systemctl status certbot.timer
# (the snap package uses snap.certbot.renew.timer instead)

# Only if no timer exists: cron entry, twice daily as Let's Encrypt recommends.
# --post-hook runs once after a certificate was actually renewed, so no-op runs do not reload.
0 0,12 * * * certbot renew --quiet --post-hook "systemctl reload nginx"

3. Configuration Testing

# Test Nginx configuration
sudo nginx -t

# Test Apache configuration
sudo apache2ctl configtest

# Reload without downtime
sudo nginx -s reload
sudo systemctl reload apache2

Emergency Response Checklist

When Certificate Expires

  1. Immediate: Renew the certificate (`certbot renew` suffices for an expired certificate; check /var/log/letsencrypt/letsencrypt.log first for why the automated renewal failed, so the retry does not fail the same way)
  2. Deploy: Install the new certificate on all servers, load balancers and CDN edges, then reload each one
  3. Verify: Test from multiple locations and clients (browser, curl, mobile)
  4. Monitor: Check error logs for issues
  5. Communicate: Notify users if downtime occurred
  6. Post-mortem: Review why monitoring and automated renewal failed

Common Mistakes to Avoid

⚠️ Critical Mistakes

  • Not including www and non-www versions in the certificate's SAN list
  • Using cert.pem instead of fullchain.pem
  • Forgetting to reload the web server after a certificate update
  • Updating the certificate on one server but not on the load balancer or CDN in front of it
  • Not testing the certificate before expiration
  • Ignoring intermediate certificate installation
  • Using HTTP resources on HTTPS pages
  • Not monitoring certificate expiration
  • Telling users to click through the browser warning instead of fixing the certificate

Troubleshooting Workflow

# Step 1: Identify the error
curl -vI https://example.com

# Step 2: Check certificate details
openssl s_client -servername example.com -connect example.com:443 -showcerts < /dev/null 2>/dev/null | \
    openssl x509 -noout -text

# Step 3: Verify DNS (the name must resolve to the server you just fixed)
dig example.com +short
nslookup example.com

# Step 4: Check web server config
sudo nginx -T | grep ssl
sudo apache2ctl -S

# Step 5: Test one backend directly, bypassing DNS, load balancer or CDN
# (replace YOUR_SERVER_IP; useful for finding the one server still serving the old certificate)
curl -vI https://example.com --resolve example.com:443:YOUR_SERVER_IP

# Step 6: Check logs
sudo tail -f /var/log/nginx/error.log
sudo tail -f /var/log/apache2/error.log

Conclusion

SSL certificate errors can be quickly resolved with proper troubleshooting techniques. By understanding common error types, using diagnostic tools effectively, and implementing preventive measures like automated monitoring and renewal, you can maintain secure, error-free SSL/TLS connections. Remember to always test changes in a staging environment before deploying to production.
