SSL certificate errors prevent visitors from reaching your site securely. This guide covers every common error code, what it means, and how to fix it — whether you’re a visitor or a website owner.
For the most common error specifically, see our dedicated guide: “Your connection is not private” fix →
Error reference table
| Error code (Chrome) | Firefox equivalent | Meaning | Fix |
|---|---|---|---|
| NET::ERR_CERT_DATE_INVALID | SEC_ERROR_EXPIRED_CERTIFICATE | Certificate expired | Renew certificate |
| NET::ERR_CERT_COMMON_NAME_INVALID | SSL_ERROR_BAD_CERT_DOMAIN | Domain doesn’t match certificate | Get cert for correct domain |
| NET::ERR_CERT_AUTHORITY_INVALID | SEC_ERROR_UNKNOWN_ISSUER | Self-signed or untrusted CA | Use Let’s Encrypt |
| NET::ERR_CERT_REVOKED | SEC_ERROR_REVOKED_CERTIFICATE | Certificate has been revoked | Get a new certificate |
| NET::ERR_SSL_PROTOCOL_ERROR | SSL_ERROR_RX_RECORD_TOO_LONG | TLS handshake failed | Check server config |
| NET::ERR_SSL_VERSION_OR_CIPHER_MISMATCH | SSL_ERROR_NO_CYPHER_OVERLAP | No common TLS version/cipher | Enable TLS 1.2+ |
| ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN | — | HPKP pin doesn’t match | Update or remove HPKP pins |
| ERR_CERTIFICATE_TRANSPARENCY_REQUIRED | — | Missing CT log entry | Re-issue from a CT-compliant CA |
Detailed error solutions
ERR_CERT_DATE_INVALID — Certificate expired
Cause: The certificate’s Not After date has passed. With 90-day Let’s Encrypt certificates, this happens if you forget to renew.
Visitor fix: Check your device’s date and time — if your clock is wrong, valid certificates appear expired.
Owner fix:
```bash
# Check the actual expiry
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -enddate
```
Renew immediately, replace the files, reload the server. Set up monitoring to prevent this in the future.
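The monitoring step above, as an added example that is not part of the original guide: it turns the `notAfter=` line printed by the expiry command into time remaining and flags the certificate once 30 days are left (day 60 of a 90-day certificate). The function names and the `RENEW_AT_DAYS` variable are assumptions for illustration; the date is parsed in plain shell so the result does not depend on GNU or BSD `date` options.

```sh
#!/bin/sh
# Added example. Input: the `notAfter=...` line from `openssl x509 -noout -enddate`.
RENEW_AT_DAYS=30   # assumption: alert at day 60 of a 90-day certificate

# cert_seconds_left LINE [NOW_EPOCH] -> seconds until Not After (negative once past)
cert_seconds_left() {
    now=${2:-$(date +%s)}
    set -- ${1#notAfter=}                 # -> Mon DD HH:MM:SS YYYY GMT
    [ $# -ge 4 ] || return 2
    case $1 in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;; May) m=5 ;; Jun) m=6 ;;
        Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 2 ;;
    esac
    d=${2#0}; y=$4
    hh=${3%%:*}; t=${3#*:}; mi=${t%%:*}; ss=${t#*:}
    hh=${hh#0}; mi=${mi#0}; ss=${ss#0}    # "08"/"09" would be read as bad octal
    # Days since 1970-01-01 (Gregorian calendar, year counted from March).
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    days=$(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
    echo $(( days * 86400 + hh * 3600 + mi * 60 + ss - now ))
}

# cert_expiry_status LINE [NOW_EPOCH] -> "OK n" (exit 0), "RENEW n" or "EXPIRED" (exit 1)
cert_expiry_status() {
    left=$(cert_seconds_left "$@") || { echo "UNPARSEABLE"; return 2; }
    if [ "$left" -le 0 ]; then echo "EXPIRED"; return 1; fi
    days_left=$((left / 86400))
    if [ "$days_left" -le "$RENEW_AT_DAYS" ]; then echo "RENEW $days_left"; return 1; fi
    echo "OK $days_left"
}

# Live use (needs network and openssl); same pipeline as the command above.
check_host_expiry() {
    line=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -enddate) || return 2
    cert_expiry_status "$line"
}
```

Because `cert_expiry_status` exits non-zero for `RENEW` and `EXPIRED`, `check_host_expiry yourdomain.com` can be run from cron and wired to whatever alerting you already use.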
ERR_CERT_COMMON_NAME_INVALID — Domain mismatch
Cause: The certificate was issued for example.com but you’re visiting www.example.com (or vice versa), or the certificate covers a different domain entirely.
Owner fix:
```bash
# Check which domains the certificate covers
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -ext subjectAltName
```
Get a new certificate that includes all needed domains. In GetHTTPS, add both example.com and www.example.com.
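To decide which names a re-issued certificate still needs, the following added example (not part of the original guide) checks hostnames against the `subjectAltName` output of the command above, including the wildcard rule that `*.example.com` covers exactly one extra label and not `example.com` itself. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example. Input: text printed by `openssl x509 -noout -ext subjectAltName`.

# Constructed sample output (not taken from a real certificate).
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.shop.example.com, IP Address:192.0.2.10'

# san_dns_names SAN_TEXT -> one lower-cased DNS entry per line
san_dns_names() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr ', ' '\n\n' | sed -n 's/^dns://p'
}

# san_covers HOST SAN_TEXT -> exit 0 if some DNS entry covers HOST
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=${host%.}                         # ignore a trailing root dot
    while IFS= read -r name; do
        case $name in
            "$host") return 0 ;;           # exact match
            \*.?*)
                suffix=${name#\*}          # "*.shop.example.com" -> ".shop.example.com"
                label=${host%"$suffix"}    # part left of the suffix, if it matched
                [ "$label" != "$host" ] || continue
                case $label in ''|*.*) continue ;; esac   # wildcard = one label only
                return 0 ;;
        esac
    done <<EOF
$(san_dns_names "$2")
EOF
    return 1
}

# uncovered_hosts SAN_TEXT HOST... -> prints each HOST the certificate does not cover
uncovered_hosts() {
    san=$1; shift
    for h in "$@"; do san_covers "$h" "$san" || printf '%s\n' "$h"; done
}

# Live use (needs network and openssl): pass the output of the command above, e.g.
#   uncovered_hosts "$(echo | openssl s_client -connect yourdomain.com:443 \
#       -servername yourdomain.com 2>/dev/null | openssl x509 -noout -ext subjectAltName)" \
#       yourdomain.com www.yourdomain.com
```

Any hostname it prints is one that will trigger ERR_CERT_COMMON_NAME_INVALID and must be added when the certificate is re-issued.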
ERR_CERT_AUTHORITY_INVALID — Untrusted CA
Cause: The certificate is self-signed, issued by an unknown CA, or the intermediate chain of trust is incomplete.
Owner fix:
- If self-signed → replace with a Let’s Encrypt certificate
- If chain incomplete → use `fullchain.pem` (Nginx) or add `SSLCertificateChainFile` (Apache)
- If unknown CA → switch to a trusted CA
ERR_SSL_PROTOCOL_ERROR — Handshake failure
Cause: The server’s TLS configuration is broken — wrong certificate path, corrupted files, or misconfigured settings.
Owner fix:
```bash
# Test the TLS connection
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
# Check if the certificate and key match (modulus comparison works for RSA keys only)
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in privkey.pem | openssl md5
# Hashes must match
```
Common causes: wrong file path in server config, certificate and key from different sessions, file permissions too restrictive.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH — No compatible TLS
Cause: The server only supports old TLS versions (1.0/1.1) that the browser has dropped, or uses cipher suites the browser doesn’t support.
Owner fix:
```
# Nginx — enable modern TLS
ssl_protocols TLSv1.2 TLSv1.3;
# Apache
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
```
Mixed content warnings
Cause: Your HTTPS page loads images, scripts, or CSS over HTTP.
This isn’t a certificate error — the certificate is fine, but the page references insecure resources. Full mixed content fix guide →
Diagnostic workflow
When you see any SSL error, follow this sequence:
```
1. Check the error code → identifies the category
   ↓
2. Check the certificate details
   openssl s_client -connect domain:443 -servername domain
   ↓
3. Is it expired?    → Renew
   Domain mismatch?  → Re-issue for correct domain
   Chain incomplete? → Use fullchain.pem
   Self-signed?      → Switch to Let's Encrypt
   Config error?     → Check file paths and permissions
   ↓
4. After fixing → reload server, clear browser cache, verify
```
Online diagnostic tools
| Tool | URL | What it checks |
|---|---|---|
| SSL Labs | ssllabs.com/ssltest | Complete SSL audit (grade A-F) |
| SSL Checker | sslshopper.com/ssl-checker | Chain, expiry, domain match |
| Certificate Search | crt.sh | Certificate Transparency logs |
| Why No Padlock | whynopadlock.com | Mixed content detection |
Frequently asked questions
I fixed the error but the browser still shows it
Clear your browser cache (Ctrl+Shift+Delete) or test in an incognito window. Browsers cache SSL states, and HSTS may force a cached decision. On Windows, also clear the SSL state: Internet Properties → Content → Clear SSL State.
The error appears on some browsers but not others
Different browsers have different trust stores and caching. Most commonly: an incomplete certificate chain that some browsers can fill in from cache while others can’t. Fix by serving the full chain on your server.
How do I prevent SSL errors?
- Monitor certificate expiry — set alerts for day 60 of 90
- Use `fullchain.pem` instead of `cert.pem` — prevents chain errors
- Include all domain variants (www + non-www) in your certificate
- Set up auto-renewal with Certbot for production servers
- Test after every change with SSL Labs