Fix an SSL certificate that shows an error

We'll identify the error type, rule out expiry and clock, check name mismatch and chain, then fix the cert or tell you when to escalate.

Category
Troubleshooting · Home maintenance
Time
10–25 min
What you'll need
  • Browser with the SSL error (to capture the exact code)
  • openssl (for inspection)
  • Access to the server or hosting dashboard (if you manage the cert)

Step-by-step diagnostic


Identify the error

Goal: Capture the exact SSL error code from the browser.

  • In Chrome: click “Advanced” and note the error (e.g. ERR_CERT_AUTHORITY_INVALID, ERR_CERT_COMMON_NAME_INVALID, ERR_CERT_DATE_INVALID).
  • In Firefox: note the message. Do not “Accept the Risk” as a fix—identify the cause.
  • Good: You have the exact code. Proceed to Rule out expiry and clock.

Rule out expiry and clock

Goal: Ensure the cert is not expired and the system clock is correct.

  • Check certificate expiry: padlock > certificate > Valid to. Or run openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -dates.
  • Check system clock. Wrong date causes ERR_CERT_DATE_INVALID or generic SSL errors.
  • Good: Cert valid and clock correct. Proceed to Check name mismatch. Bad: See fix-certificate-is-expired.

Check name mismatch

Goal: Verify the certificate covers the hostname you visit.

  • Run openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName. Compare the CN and SAN entries to the URL you visit (e.g. www vs non-www).
  • Good: Hostname in CN or SAN. Bad: Name mismatch—use the correct URL or get a cert that covers the hostname. See Fix name mismatch.

Fix chain

Goal: Install the full certificate chain when it is broken.

  • Run openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null 2>/dev/null. Check the Verify return code line; a non-zero code often means a broken chain.
  • Get the full chain from your CA (certificate + intermediates). Configure the web server to serve it (e.g. nginx: ssl_certificate file with cert + intermediates). Reload the server.
  • Good: Verify return code 0, no browser error. Bad: Capture output and escalate.

Escalate

Goal: Know when to hand off.

  • If a third party owns the site, contact them—you cannot fix their cert.
  • If you have installed the full chain and fixed the hostname and the error persists, capture the exact error code, openssl s_client output, and browser/OS version for support.
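As an added example (not part of this guide), a small Python helper that runs the guide's two openssl commands and then applies steps 2 to 4 in order: expiry, hostname coverage (SAN first, CN only as a fallback, a wildcard covering exactly one label), then the Verify return code. The function names are mine; fetch_cert_info needs network, while the constructed SAMPLE text shows what the classifier does offline.

```python
import re, subprocess
from datetime import datetime, timezone

def fetch_cert_info(host, port=443):
    # Same two commands as the guide: s_client for the chain/verify line, x509 for dates and names.
    sc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", "-servername",
                         host, "-showcerts"], input="", capture_output=True, text=True)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates", "-subject", "-ext",
                           "subjectAltName"], input=sc.stdout, capture_output=True, text=True)
    return sc.stdout + x509.stdout

def verify_code(info):
    """(code, reason) from the 'Verify return code' line, or (None, ...) if absent."""
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", info)
    return (int(m.group(1)), m.group(2)) if m else (None, "no verify line")

def days_until_expiry(info, now=None):
    exp = datetime.strptime(re.search(r"notAfter=(.+?) GMT", info).group(1),
                            "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return (exp - (now or datetime.now(timezone.utc))).days  # negative means expired

def hostname_covered(host, info):
    """Browser rule: match a SAN DNS name (wildcard = one leftmost label); CN only if no SAN."""
    h = host.lower().rstrip(".").split(".")
    names = [n.strip().lower() for n in re.findall(r"DNS:([^,\n]+)", info)]
    cn = re.search(r"subject=.*?CN\s*=\s*([^,\n]+)", info)
    if not names and cn:
        names = [cn.group(1).strip().lower()]
    for n in (name.split(".") for name in names):
        if n == h or (n[0] == "*" and len(n) == len(h) and n[1:] == h[1:]):
            return True
    return False

def diagnose(host, info, now=None):
    """Map the collected facts onto the guide's steps and return a one-line verdict."""
    if days_until_expiry(info, now) < 0:
        return "expired: renew the certificate (step 2)"
    if not hostname_covered(host, info):
        return "name mismatch: use the matching URL or reissue with the hostname in SAN (step 3)"
    code, reason = verify_code(info)
    if code == 0:
        return "ok: valid dates, hostname covered, chain verifies"
    if code in (20, 21):  # OpenSSL: issuer not found / leaf unverifiable, usually a missing intermediate
        return f"chain problem ({reason}): serve leaf + intermediates and reload (step 4)"
    return f"verify code {code} ({reason}): capture the output and escalate (step 5)"
# Constructed sample of the combined output (not a real site): dates fine, chain incomplete.
SAMPLE = """    Verify return code: 21 (unable to verify the first certificate)
notAfter=Dec 31 23:59:59 2099 GMT
subject=C = XX, O = Example, CN = example.test
X509v3 Subject Alternative Name:
    DNS:example.test, DNS:*.example.test
"""
```

Run diagnose(HOST, fetch_cert_info(HOST)) against your own server; a step-4 verdict after installing the chain usually means the server is still serving only the leaf.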

Verification

  • No SSL or certificate warning in the browser when visiting the site.
  • openssl s_client -connect HOST:443 -servername HOST </dev/null 2>&1 | grep "Verify return code" shows Verify return code: 0 (ok).
  • Certificate details show the correct hostname in CN or SAN and a valid expiry date.

Escalation ladder

Work from the device outward. Stop when the problem is fixed.

  1. Identify error: note the exact error code (ERR_CERT_*); rules out guesswork.
  2. Expiry and clock: check cert dates and system clock; fix if wrong.
  3. Name and chain: verify hostname in CN/SAN; verify full chain with openssl s_client -showcerts.
  4. Fix cert: install full chain, fix hostname, or renew cert.
  5. Escalate: contact third party or support with error code and openssl output.

What to capture if you need help

Before calling support or posting for help, have these ready. It speeds everything up.

  • Exact browser error code (e.g. ERR_CERT_AUTHORITY_INVALID)
  • Certificate expiry (notBefore, notAfter)
  • System clock (date)
  • openssl s_client -showcerts output
  • Verify return code from openssl
  • Hostname you visit vs CN/SAN in cert

What is the exact SSL error?

Chrome: Advanced > note error code. Firefox: note the message. Common: ERR_CERT_AUTHORITY_INVALID, ERR_CERT_COMMON_NAME_INVALID, ERR_CERT_DATE_INVALID.

Click Advanced and note the error code. Good: you have the code. Bad: the message is generic; rule out expiry and clock first.

Do you have the exact error code?


Is the cert expired or is the system clock wrong?

Both cause ERR_CERT_DATE_INVALID or generic SSL errors.

Check cert expiry (padlock > certificate > Valid to) and system clock (date). Expired or wrong clock: fix first—see fix-certificate-is-expired. OK: proceed to name and chain.


Fix expiry or clock

Renew the cert or fix the system clock. See fix-certificate-is-expired. Retest after fixing.

Is it ERR_CERT_COMMON_NAME_INVALID (name mismatch)?

The cert must list your hostname in CN or SAN.

Run openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName. Compare to the URL you visit. Mismatch: use the correct URL or get a cert that covers the hostname. Not a mismatch: check the chain.


Fix name mismatch

Use the URL that matches the cert (e.g. www vs non-www), or get a new cert that includes the hostname in SAN. Reload server. Retest.

Is the certificate chain complete?

Missing intermediates cause ERR_CERT_AUTHORITY_INVALID.

Run openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null 2>/dev/null. Check the Verify return code line. Broken chain: install the full chain (cert + intermediates) from your CA, reload the server. OK: escalate or check for self-signed.


Install full chain

Get full chain from your CA. Configure web server to serve cert + intermediates. Reload. Run openssl s_client again—verify return code should be 0. Retest in browser.

Escalate

If third party owns the site, contact them. If you manage it and chain is complete, capture error code, openssl s_client output, browser/OS version. Contact CA or host support.

Reviewed by Blackbox Atlas

Frequently asked questions

Why does my browser say "Your connection is not private"?
Common causes are an expired certificate, wrong system clock, name mismatch (cert does not cover the hostname), or a broken certificate chain. Check the exact error code (e.g. ERR_CERT_AUTHORITY_INVALID) and rule out clock and expiry first.
What is ERR_CERT_COMMON_NAME_INVALID?
The certificate does not match the hostname you are visiting. The cert must list your hostname in the Common Name (CN) or Subject Alternative Names (SAN). Use the correct URL (e.g. www vs non-www) or get a cert that covers both.
What is ERR_CERT_AUTHORITY_INVALID?
The browser does not trust the certificate. Causes include a broken chain (missing intermediates), a self-signed cert, or an untrusted CA. Install the full chain from your CA or use a trusted CA like Let's Encrypt.
