SSL Certificate Troubleshooting Guide
SSL certificate issues can cause browser warnings, broken HTTPS, or complete site inaccessibility. This guide covers the most common SSL problems and how to resolve them.
Common SSL Errors and Solutions
1. NET::ERR_CERT_DATE_INVALID (Certificate Expired)
What it means: The SSL certificate’s validity period has passed.
Solutions:
- Renew the SSL certificate immediately.
- If recently renewed, ensure the new certificate has been installed on the server.
- Verify the server’s date and time are correct — an incorrect system clock can trigger this error.
2. NET::ERR_CERT_AUTHORITY_INVALID (Untrusted Certificate)
What it means: The browser doesn’t trust the Certificate Authority that issued the certificate, or the certificate chain is incomplete.
Solutions:
- Install the intermediate/CA bundle certificates on your server.
- Ensure you’re not using a self-signed certificate in production.
- Verify the full certificate chain using SSL Labs.
3. NET::ERR_CERT_COMMON_NAME_INVALID (Domain Mismatch)
What it means: The domain in the browser doesn’t match the domain on the certificate.
Solutions:
- Verify the certificate covers the exact domain you’re accessing (including www vs. non-www).
- For subdomains, ensure you have a wildcard certificate or the specific subdomain is listed as a SAN.
- Re-issue the certificate with the correct Common Name if needed.
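The www vs. non-www and wildcard cases above, as an added example that is not part of the original guide: it checks a list of hostnames against a certificate's SAN entries using the usual rule that `*` stands for exactly one left-most label. The function names and the sample SAN lists are constructed for illustration.

```python
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (a SAN dNSName entry) covers hostname.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label: *.example.com covers www.example.com but neither
    example.com nor api.eu.example.com.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require two fixed labels so a pattern like "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def report(san_names: list[str], hostnames: list[str]) -> dict[str, str | None]:
    """Map each hostname to the first SAN entry covering it (None = mismatch)."""
    return {
        host: next((n for n in san_names if name_matches(n, host)), None)
        for host in hostnames
    }


# Constructed sample data: SAN lists and the hostnames a site answers on.
APEX_ONLY = ["example.com"]
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["example.com", "*.example.com"]
HOSTS = ["example.com", "www.example.com", "shop.example.com",
         "api.eu.example.com"]

if __name__ == "__main__":
    for title, sans in [("apex only", APEX_ONLY),
                        ("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        print(title)
        for host, entry in report(sans, HOSTS).items():
            verdict = f"covered by {entry}" if entry else "MISMATCH"
            print(f"  {host:<20} {verdict}")
```

A hostname reported as MISMATCH is one that would produce NET::ERR_CERT_COMMON_NAME_INVALID if the site were served on it with that certificate.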
4. ERR_SSL_PROTOCOL_ERROR
What it means: The browser cannot establish a secure connection with the server.
Solutions:
- Check that your server supports TLS 1.2 or TLS 1.3 (older protocols like SSL 3.0 and TLS 1.0/1.1 are deprecated).
- Verify the SSL certificate is properly installed.
- Check for server configuration errors in your Apache/Nginx SSL settings.
5. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
What it means: The server and browser cannot agree on a common encryption protocol or cipher suite.
Solutions:
- Update your server’s SSL configuration to support modern cipher suites:
    # Nginx example
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
- Remove support for weak ciphers (RC4, DES, 3DES, export ciphers).
- Ensure the certificate uses RSA 2048-bit or higher, or ECDSA keys.
6. Mixed Content Warnings
What it means: The page loads some resources over HTTP instead of HTTPS.
Solutions:
- See Mixed Content Errors Blocking SSL in WordPress for WordPress-specific fixes.
- Update all resource URLs to use https:// or protocol-relative URLs (//).
- Use Content Security Policy headers to detect or block mixed content:
    Content-Security-Policy: upgrade-insecure-requests;
7. SSL Certificate Chain Incomplete
What it means: The server is not sending the intermediate certificates needed to build a chain of trust to the root CA.
Solutions:
- Download the intermediate certificates from your CA’s website.
- Install them on your server alongside your domain certificate.
- For Nginx, concatenate certificates in the correct order:
    cat yourdomain.crt intermediate.crt root.crt > fullchain.crt
- For Apache, use the SSLCertificateChainFile directive.
8. Too Many Redirects (Redirect Loop)
What it means: The server is stuck in an infinite redirect loop, often between HTTP and HTTPS.
Solutions:
- Check for conflicting redirect rules in .htaccess, server configuration, and application code.
- If using a CDN or reverse proxy (like Cloudflare), ensure the SSL mode is set correctly (e.g., “Full” or “Full (Strict)”).
- Avoid having both the application and the server force HTTPS redirects.
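Why the proxy case above loops, as an added example built on a constructed model (not from the original guide): when a proxy terminates TLS and forwards plain HTTP, an origin that redirects every HTTP request to HTTPS never sees an HTTPS request. `origin`, `trace` and the `proxy_to_origin` setting are hypothetical names for this model.

```python
def origin(scheme, path, force_https):
    """Constructed origin server; scheme is how the request reached it."""
    if force_https and scheme == "http":
        return 301, f"https://example.com{path}"
    return 200, None


def trace(url, proxy_to_origin, force_https, max_hops=10):
    """Follow redirects the way a browser would, through a TLS-terminating proxy.

    proxy_to_origin is a hypothetical setting for this model:
      "http"  - the proxy always forwards plain HTTP to the origin
      "match" - the proxy reuses the scheme the visitor connected with
    Returns (verdict, hops); hops lists every URL the browser requested.
    """
    hops = []
    while len(hops) < max_hops:
        looped = url in hops
        hops.append(url)
        if looped:
            return "redirect loop", hops
        visitor_scheme, rest = url.split("://", 1)
        path = "/" + rest.partition("/")[2]
        # The origin only ever sees the scheme the proxy chose to use.
        upstream = visitor_scheme if proxy_to_origin == "match" else "http"
        status, location = origin(upstream, path, force_https)
        if status == 200:
            return "ok", hops
        url = location
    return "too many redirects", hops


if __name__ == "__main__":
    for mode, force in [("http", True), ("match", True), ("http", False)]:
        verdict, hops = trace("http://example.com/", mode, force)
        print(f"proxy->origin={mode:<5} origin forces HTTPS={force}: {verdict}")
        print("   " + " -> ".join(hops))
```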
Diagnostic Tools
Command Line
Check certificate details:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -text
Check certificate expiration:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
Verify certificate chain:
openssl s_client -connect yourdomain.com:443 -showcerts
Online Tools
| Tool | Purpose |
|---|---|
| SSL Labs Server Test | Comprehensive SSL configuration analysis |
| SSL Checker | Quick certificate validation |
| WhyNoPadlock | Mixed content detection |
| Certificate Decoder | Decode and inspect certificate details |
Browser Developer Tools
- Open your website in Chrome.
- Press F12 → Security tab.
- View certificate details, connection protocol, and any security issues.
General Troubleshooting Steps
- Identify the exact error — note the specific error code or message.
- Check the certificate — verify it’s valid, not expired, and covers the correct domain.
- Verify the certificate chain — ensure intermediate certificates are installed.
- Test server configuration — use SSL Labs to check for misconfigurations.
- Check for mixed content — ensure all resources load over HTTPS.
- Clear caches — clear browser cache, server cache, and CDN cache.
- Restart the web server — apply any configuration changes.
- Re-test — verify the issue is resolved.
When to Contact Support
Contact your hosting provider or SSL certificate provider if:
- You cannot install the certificate on your server.
- The certificate was issued with incorrect information.
- The certificate needs to be re-issued or revoked.
- You experience persistent issues after following all troubleshooting steps.