An SSL error means your browser or HTTP client could not complete the TLS handshake with the server. The connection was dropped before any data was exchanged. Instead of your page, your users see a full-screen warning — and most of them leave.
The term "SSL error" is a holdover. SSL (Secure Sockets Layer) was deprecated in 2015 when RFC 7568 declared SSL 3.0 obsolete. Every modern HTTPS connection uses TLS (Transport Layer Security) — versions 1.2 or 1.3. Browsers still display "SSL" in error codes because the names stuck, but the protocol under the hood is always TLS. Throughout this article, "SSL error" refers to any TLS handshake failure your browser surfaces.
What happens during a TLS handshake
When a browser connects to an HTTPS server, the TLS handshake negotiates a shared encryption key. The server presents its certificate, the browser verifies the chain of trust back to a root CA, checks the hostname, and confirms the certificate has not expired. If any step fails, the browser aborts and shows an error page.
The three most common failure points:
- Certificate validity — the cert is expired, not yet valid, or revoked
-
Hostname mismatch — the cert was issued for
api.example.combut the browser hitwww.example.com - Chain of trust — an intermediate certificate is missing, or the cert is self-signed
Understanding which step failed tells you exactly where to look.
Decode the error message — Chrome, Firefox, and Safari
Different browsers surface different error codes for the same underlying TLS failure. This table maps the most common ones:
| Problem | Chrome | Firefox | Safari |
|---|---|---|---|
| Expired certificate | NET::ERR_CERT_DATE_INVALID |
SEC_ERROR_EXPIRED_CERTIFICATE |
"This certificate has expired" |
| Wrong hostname | NET::ERR_CERT_COMMON_NAME_INVALID |
SSL_ERROR_BAD_CERT_DOMAIN |
"This certificate is not valid for the requested site" |
| Self-signed cert | NET::ERR_CERT_AUTHORITY_INVALID |
SEC_ERROR_UNKNOWN_ISSUER |
"This certificate was signed by an unknown authority" |
| Incomplete chain | NET::ERR_CERT_AUTHORITY_INVALID |
SEC_ERROR_UNKNOWN_ISSUER |
"This certificate is not trusted" |
| TLS version too old | ERR_SSL_VERSION_OR_CIPHER_MISMATCH |
SSL_ERROR_UNSUPPORTED_VERSION |
Connection refused (no specific code) |
| Revoked certificate | NET::ERR_CERT_REVOKED |
SEC_ERROR_REVOKED_CERTIFICATE |
"This certificate has been revoked" |
If you see ERR_SSL_PROTOCOL_ERROR in Chrome, the server likely rejected the handshake outright — possibly because it only supports TLS 1.0/1.1 (both deprecated) or has a misconfigured cipher suite.
Fix 1 — Expired or not-yet-valid certificate
An expired certificate is the single most common cause of SSL errors. Certificates have a fixed validity window — typically 90 days for Let's Encrypt and up to 398 days for paid CAs.
Diagnose it with openssl:
openssl s_client -connect yoursite.com:443 -servername yoursite.com 2>/dev/null | openssl x509 -noout -dates
Example output:
notBefore=Feb 15 00:00:00 2026 GMT
notAfter=May 16 23:59:59 2026 GMT
If notAfter is in the past, the cert has expired.
Fix it:
- Renew the certificate through your CA or ACME client (
certbot renew, for example) - Reload your web server —
sudo systemctl reload nginxorsudo systemctl reload apache2 - Verify the new cert is live: re-run the
opensslcommand above and confirm the dates
If your cert is not yet valid (notBefore is in the future), either the cert was issued early and installed before activation, or your server clock is wrong. Check with date -u and sync via NTP if needed.
Fix 2 — Wrong hostname or missing SAN
Your certificate must cover the exact hostname the client connects to. A cert issued for example.com does not automatically cover www.example.com — that requires a Subject Alternative Name (SAN) entry.
Diagnose it:
openssl s_client -connect yoursite.com:443 -servername yoursite.com 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
Example output:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:www.example.com
If the hostname your users hit is not listed, you need to reissue the certificate with the correct SANs — or use a wildcard cert (*.example.com). Wildcard certs cover one level of subdomains only; *.example.com matches api.example.com but not v2.api.example.com.
A common mistake: deploying behind a load balancer or CDN and forgetting that the cert on the edge must match the public hostname, not the origin hostname.
Fix 3 — Incomplete chain or self-signed certificate
Browsers verify certificates by walking the chain from your server cert through intermediate CAs to a trusted root. If an intermediate is missing, the chain breaks and the browser shows ERR_CERT_AUTHORITY_INVALID.
Diagnose the chain:
openssl s_client -connect yoursite.com:443 -servername yoursite.com -showcerts 2>/dev/null | grep "s:" | head -5
A healthy chain shows your cert, then one or two intermediates, ending at the root:
s:CN = yoursite.com
s:CN = R11, O = Let's Encrypt
s:CN = ISRG Root X1, O = Internet Security Research Group
If you see only your cert with no intermediates, your server is not sending the full chain. Fix it by concatenating the intermediate cert(s) with your server cert. For Nginx:
cat server.crt intermediate.crt > bundle.crt
Then reference bundle.crt in your Nginx config's ssl_certificate directive and reload.
Self-signed certificates fail on public-facing sites because they are not issued by a trusted CA. Replace them with a cert from Let's Encrypt (free) or any recognized CA. Self-signed certs are fine for internal services — but add them to your internal trust store explicitly rather than telling users to "click through the warning."
Fix 4 — Mixed content and HSTS issues
Mixed content errors happen when an HTTPS page loads a resource (image, script, stylesheet) over plain HTTP. Modern browsers block mixed active content (scripts, iframes) entirely and show a broken padlock for mixed passive content (images).
Find mixed content using your browser's developer console (F12 → Console tab). The browser logs every blocked resource with its URL.
Fix it by updating hardcoded http:// URLs to https:// or using protocol-relative paths. If you use a CMS, update the site URL in settings.
HSTS (HTTP Strict Transport Security) adds another layer: once a browser has seen an HSTS header, it refuses to connect over HTTP at all — even if the cert is temporarily broken. If you deployed a broken cert and HSTS is active, users cannot click through the warning. The only fix is deploying a valid cert. You can inspect cached HSTS policies in Chrome at chrome://net-internals/#hsts.
Fix 5 — Client-side false positives
Not every SSL error is a server problem. Three common client-side causes:
- System clock skew. Certificates are time-sensitive. If a laptop's clock is set to 2024, a cert valid from 2026 appears "not yet valid." Fix: enable automatic time sync in the OS.
- Antivirus TLS inspection. Some antivirus software intercepts HTTPS connections by inserting its own root certificate. If the AV root is not trusted by the browser — or if the AV botches the re-encryption — the browser shows an SSL error. Temporarily disabling the AV's "web shield" or "HTTPS scanning" confirms this as the cause.
- Corporate proxy. Transparent HTTPS proxies (common in enterprise networks) perform the same kind of TLS interception. The corporate root CA must be installed on the client machine. If it is not, every HTTPS site shows a certificate warning.
These are real scenarios, not edge cases. If users report SSL errors that you cannot reproduce, ask about their local environment first.
Prevent SSL errors with certificate monitoring
You have seen how certificates break: expiry, hostname mismatches, incomplete chains, mixed content, client-side false positives. Every one of these failures is predictable. Certificates do not expire by surprise — they have a fixed lifetime printed right in the X.509 data. The problem is never that the failure was unknowable. The problem is that nobody was watching.
The fix-then-forget cycle is the real trap. You renew the cert, confirm it works, and move on. Ninety days later, the same NET::ERR_CERT_DATE_INVALID reappears because the auto-renewal cron broke silently two weeks ago and nobody noticed until a customer opened a support ticket at 2 AM.
Here is how to build a monitor that catches every failure mode we covered — before your users do.
Set up two expiry thresholds, not one
Most monitoring setups check whether the certificate expires within some number of days and call it done. That is not enough. You need two thresholds: an early warning and a hard deadline.
Let's Encrypt certificates last 90 days. If auto-renewal is working, you will never think about expiry. But if it breaks — a DNS validation failure, a misconfigured certbot hook, a container rebuild that lost the renewal cron — you want to know at 30 days remaining, not the day it expires. A WARN-severity assertion at 30 days gives your team two full weeks to investigate and fix the renewal pipeline without any urgency. A FAIL-severity assertion at 14 days is the hard deadline: drop everything and renew manually, because you are two weeks from a full outage.
Validate the endpoint, not just the certificate
A valid certificate does not mean your site works. The cert could be fine while your origin returns 502s, or while a misconfigured cipher suite causes 15-second handshakes that make the page feel broken. Adding a status code check (expected: 200) and a response time threshold (thresholdMs: 2000) catches the class of problems where TLS technically succeeds but the user experience is degraded. Slow TLS handshakes often point to missing OCSP stapling, oversized certificate chains, or a server negotiating an expensive cipher when a faster one is available.
Monitor from multiple regions
This is the one most teams skip, and it is the one that bites hardest. If you run behind a CDN — Cloudflare, AWS CloudFront, Fastly — your certificates are managed per edge location. A cert that is perfectly valid on the us-east edge node might already be expired on an ap-south node because the edge cert rotation did not propagate uniformly. Checking from a single region gives you a false sense of security. Checking from us-east, eu-west, and ap-south catches regional cert failures before the affected users report them.
Pick the right check frequency
Certificates change slowly. Unlike an API endpoint that might go down and recover in seconds, certificate state transitions happen once every 90 days (or 398 days for paid CAs). Running SSL checks every 30 seconds is wasteful — you are burning check quota on a signal that changes a handful of times per year. A 5-minute interval (frequencySeconds: 300) gives you more than enough visibility. If a cert expires, you will know within 5 minutes. The trade-off is worth it: save the high-frequency checks for your API health endpoints where seconds matter.
The full config
Here is a DevHelm monitor that covers everything above — expiry thresholds, endpoint validation, multi-region checks, and a sensible frequency:
{
"name": "production-ssl-health",
"type": "HTTP",
"frequencySeconds": 300,
"regions": ["us-east", "eu-west", "ap-south"],
"config": {
"url": "https://yourapp.com",
"method": "GET"
},
"assertions": [
{ "config": { "type": "status_code", "operator": "equals", "expected": 200 } },
{ "config": { "type": "response_time", "thresholdMs": 2000 } },
{ "config": { "type": "ssl_expiry", "minDaysRemaining": 14 } },
{ "config": { "type": "ssl_expiry", "minDaysRemaining": 30 }, "severity": "WARN" }
]
}
The first two assertions confirm the endpoint is healthy and responsive. The third fires a critical alert at 14 days before expiry — your hard deadline. The fourth fires a warning at 30 days — your early warning that gives you time to fix the renewal pipeline without scrambling.
You can create this monitor from the CLI in one command:
devhelm monitor create --type http
Or configure it through the dashboard. 50 monitors free, no credit card required.
Originally published on DevHelm.
Top comments (0)