How to Fix "Your Connection Is Not Private" Error

2026-05-08

ssl-errortroubleshootingchromehttpscertificate

“Your connection is not private” is the most common SSL error. It means your browser detected a problem with the website’s SSL certificate and refused to establish a secure connection. The error appears as NET::ERR_CERT_* in Chrome, “Warning: Potential Security Risk” in Firefox, or “This connection is not private” in Safari.

This guide covers fixes for both sides: if you’re a visitor seeing the error, and if you’re a website owner whose visitors see it.

If you’re a visitor (quick fixes)

These steps fix client-side causes — problems on your device, not the website.

1. Reload the page

The error is sometimes transient — a network glitch during the TLS handshake. Press F5 or Ctrl+R.

2. Check your device’s date and time

SSL certificates have validity dates. If your computer’s clock is wrong, the browser thinks the certificate is expired or not yet valid. Fix:

Windows: Settings → Time & language → Set time automatically
macOS: System Settings → General → Date & Time → Set automatically
Linux: sudo timedatectl set-ntp true

3. Try incognito/private mode

If it works in incognito but not in normal mode, a browser extension is interfering — likely an antivirus, VPN, or ad blocker that inspects HTTPS traffic. Disable extensions one by one to find the culprit.

4. Clear browser cache and SSL state

Your browser may have cached an old certificate:

Chrome: Settings → Privacy → Clear browsing data → Cached images and files
Windows: Internet Properties → Content → Clear SSL State
macOS: Keychain Access → search for the domain → delete cached entries

5. Check your network

Corporate proxies, hotel Wi-Fi captive portals, and some VPNs inject their own certificates. Try:

Disconnect VPN and try again
Switch to a different network (e.g., mobile hotspot)
Connect to the captive portal if you’re on hotel/airport Wi-Fi

6. Update your browser

Old browsers may not trust newer Certificate Authorities or support modern TLS. Update to the latest version.

Should you click “Proceed anyway”? Only if you understand the risk and trust the site (e.g., your own development server with a self-signed cert). Never bypass the warning on banking, email, or shopping sites.

If you’re the website owner (server fixes)

Your visitors see this error because something is wrong with your SSL setup. Here’s how to diagnose and fix each cause.

Cause 1: Certificate expired

The most common cause. Let’s Encrypt certificates expire every 90 days.

Diagnose:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates

Fix: Renew your certificate. With GetHTTPS, it takes 5 minutes. Then replace the files and reload your server.

Cause 2: Certificate doesn’t match the domain

The certificate was issued for example.com but you’re accessing www.example.com (or vice versa).

Diagnose:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -ext subjectAltName

Fix: Get a new certificate that includes both the bare domain and www. In GetHTTPS, add both example.com and www.example.com.

Cause 3: Incomplete certificate chain

Your server isn’t sending the intermediate certificate. The browser can’t build the trust path from your cert to the root CA.

Diagnose:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | grep "Verify return code"
# "21 (unable to verify the first certificate)" = chain incomplete

Fix:

Nginx: Use fullchain.pem (not cert.pem) in ssl_certificate
Apache: Add SSLCertificateChainFile chain.pem

Chain of trust explained →

Cause 4: Self-signed certificate

Self-signed certificates aren’t trusted by browsers — there’s no CA vouching for them.

Fix: Replace with a real certificate from Let’s Encrypt (free) or a commercial CA.

Cause 5: Wrong certificate served

If you host multiple sites on one server, the wrong certificate may be served (SNI misconfiguration).

Diagnose:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -subject
# Check the CN matches your domain

Fix: Ensure each server block (Nginx) or <VirtualHost> (Apache) has the correct ssl_certificate for that domain.

Cause 6: TLS version too old

Your server only supports deprecated TLS versions (1.0/1.1) that browsers have dropped.

Fix:

# Nginx
ssl_protocols TLSv1.2 TLSv1.3;

# Apache
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Cause 7: Cloudflare “Flexible” SSL mode

Cloudflare’s “Flexible” mode can cause this error when there’s no valid certificate on the origin server.

Fix: Install a certificate on your origin (GetHTTPS or Cloudflare Origin CA) and switch to “Full (Strict)” mode.

Cause 8: HSTS cached a bad state

If you previously served HSTS headers but then broke HTTPS, browsers refuse to connect over HTTP as a fallback.

Fix: Restore HTTPS with a valid certificate. If testing, use a short HSTS max-age (e.g., 300 seconds) until you’re confident.

Error code reference

Chrome error code	Meaning	Common fix
`NET::ERR_CERT_DATE_INVALID`	Certificate expired or not yet valid	Renew certificate or fix system clock
`NET::ERR_CERT_COMMON_NAME_INVALID`	Domain doesn’t match certificate	Get cert for correct domain
`NET::ERR_CERT_AUTHORITY_INVALID`	Self-signed or untrusted CA	Use a trusted CA like Let’s Encrypt
`NET::ERR_CERT_REVOKED`	Certificate has been revoked	Get a new certificate
`NET::ERR_SSL_PROTOCOL_ERROR`	TLS handshake failed	Check server TLS config
`NET::ERR_SSL_VERSION_OR_CIPHER_MISMATCH`	No common TLS version/cipher	Enable TLS 1.2+ on server
`SSL_ERROR_HANDSHAKE_FAILURE_ALERT`	(Firefox) Handshake rejected	Check server certificate and config

Frequently asked questions

Is it safe to click “Proceed” / “Accept the risk”?

Only on sites you trust and understand the risk — like your own development server with a self-signed certificate. Never bypass the warning on banking, e-commerce, email, or social media sites. The warning exists because someone could be intercepting your traffic.

I see this error on my own site. How do I fix it fastest?

Go to GetHTTPS, get a new free certificate, install it, reload your web server. Takes 5 minutes. If the error persists, check the error code — it tells you exactly what’s wrong (expired, wrong domain, missing chain, etc.).

The error appears on some devices but not others

Usually a chain of trust issue — your server isn’t sending the intermediate certificate. Some browsers/OS have cached the intermediate from previous visits, but new devices haven’t seen it. Fix by using fullchain.pem on your server.

My certificate is valid but I still see the error

Check for: domain mismatch (www vs non-www), incomplete chain, HSTS caching a previous failure, or a proxy/CDN serving a different certificate. Use openssl s_client to see exactly what certificate the server is presenting.

Deployment 2026-05-07

How to Check SSL Certificate Expiry

Check when your SSL certificate expires using your browser, OpenSSL, or online tools. Set up monitoring to avoid unexpected expiration and downtime.

Deployment 2026-05-07

How to Fix Mixed Content Warnings

Mixed content happens when an HTTPS page loads resources over HTTP. Learn how to find and fix mixed content errors to get a clean padlock icon.

SSL & Certificates 2026-05-07

Certificate Chain of Trust Explained

How browsers verify SSL certificates through a chain from root CA to intermediate CA to your certificate. Learn why chain order matters and how to fix 'certificate not trusted' errors.

Getting Started 2026-05-08

How to Get a Free SSL Certificate (Step-by-Step Guide)

Get a free SSL certificate from Let's Encrypt in 5 minutes — no software to install, no account to create. Complete guide covering 4 methods, both challenge types, installation on 6 platforms, and troubleshooting.