How to Fix SSL Certificate Errors on Your Website

How to fix common SSL certificate errors. Step-by-step solutions for expired certs, mixed content, and chain issues.

Disclosure: Some of the links in this article are affiliate links. If you click on one and make a purchase, I may earn a commission at no extra cost to you. I only recommend products and services I genuinely trust.

There is nothing quite like the sinking feeling you get when you visit your own website and see a big red warning that says “Your connection is not private.” Your visitors see it too, and most of them will not stick around to figure out what went wrong. They will hit the back button and move on, possibly to a competitor.

I have dealt with SSL certificate errors more times than I care to admit, both on my own sites and while helping others troubleshoot theirs. The good news is that most SSL errors are straightforward to fix once you understand what is causing them. In this guide, I will walk you through the most common SSL certificate errors, explain what triggers each one, and give you step-by-step instructions to resolve them.

If you are still on the fence about whether you even need SSL, I strongly recommend reading my guide on whether you need an SSL certificate. Short answer: yes, you absolutely do.

What Is an SSL Certificate Error?

An SSL certificate error occurs when a browser cannot verify the secure connection between itself and a web server. SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) encrypt the data that travels between your visitors and your website. When something goes wrong with that process, browsers step in and display a warning to protect the user.

These errors can happen for a variety of reasons: an expired certificate, a misconfigured server, mismatched domain names, or incomplete certificate chains. Each error has a specific cause, and each one has a specific fix. Let me break them down one at a time.

Error 1: NET::ERR_CERT_AUTHORITY_INVALID

What It Means

This error tells you that the browser does not trust the certificate authority (CA) that issued your SSL certificate. In plain terms, the browser is saying, “I do not recognize who signed this certificate, so I cannot trust it.”

This commonly happens when you are using a self-signed certificate, when the certificate was issued by a CA that is not in the browser’s trusted root store, or when there is a problem with the intermediate certificates on your server.

How to Fix It

  1. Stop using self-signed certificates in production. Self-signed certificates are fine for local development and testing environments, but they should never be used on a live website. Browsers will always flag them because no trusted third party has verified them.
  2. Install a certificate from a trusted CA. Use a recognized certificate authority. Let’s Encrypt is free and trusted by all major browsers. Most reputable hosting providers also offer free SSL certificates through Let’s Encrypt or similar services. Check out my roundup of the best web hosting providers that include free SSL if you are shopping for a host.
  3. Install intermediate certificates. Your CA will provide you with intermediate certificates (sometimes called a CA bundle). These need to be installed on your server along with your primary certificate. Without them, the browser cannot build a chain of trust back to the root certificate. I will cover this in more detail under the incomplete chain error below.
  4. Check your server configuration. Use a tool like SSL Labs Server Test (ssllabs.com/ssltest) to scan your domain. It will tell you exactly which certificates are installed and whether the chain is complete.

Error 2: Mixed Content Warnings

What It Means

Mixed content occurs when your website is served over HTTPS but some of the resources on the page, such as images, scripts, stylesheets, or fonts, are still being loaded over plain HTTP. The browser sees this as a security risk because those unencrypted resources could be tampered with in transit.

You will typically see a warning in the browser’s address bar, sometimes a broken padlock icon, or in more severe cases the browser may block the insecure resources entirely.

How to Fix It

  1. Identify the offending resources. Open your browser’s developer tools (F12 in most browsers) and check the Console tab. Mixed content warnings will be listed there with the exact URLs of the resources being loaded over HTTP.
  2. Update hardcoded HTTP URLs. Go through your website’s code, templates, and database content. Replace every instance of http:// with https:// for resources that support it. In WordPress, you can use a plugin like Better Search Replace to do a database-wide find and replace.
  3. Use protocol-relative or relative URLs. Where possible, use relative paths for local resources (e.g., /images/photo.jpg instead of http://yourdomain.com/images/photo.jpg). For external resources, make sure the third-party server supports HTTPS before updating the URL.
  4. Add a Content-Security-Policy header. As an extra layer of protection, you can add the upgrade-insecure-requests directive to your Content-Security-Policy header. This tells browsers to automatically upgrade HTTP requests to HTTPS. Add this to your server configuration or your page’s meta tags: <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
  5. Force HTTPS through your .htaccess or server config. Make sure all traffic is being redirected to HTTPS. A simple redirect rule in your .htaccess file (for Apache) or server block (for Nginx) will catch most stragglers.
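To make step 1 repeatable outside the browser console, the following added example (not code from the original article) scans a page's HTML for subresources still loaded over http://. The tag table, the severity labels and the sample page are assumptions made for the illustration; links in anchor tags and rel="canonical" are deliberately not flagged, because the browser does not fetch them as part of the page.

```python
from html.parser import HTMLParser

# tag -> (URL attribute, browser reaction when it is fetched over HTTP).
# <a href> is absent on purpose: a link is navigation, not a subresource.
FETCHERS = {
    "script": ("src", "blocked"),
    "iframe": ("src", "blocked"),
    "link": ("href", "blocked"),  # only when rel includes "stylesheet"
    "img": ("src", "warned"),     # loaded or auto-upgraded, padlock degraded
}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, severity, url)

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHERS:
            return
        attr, severity = FETCHERS[tag]
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and "stylesheet" not in rels:
            return  # rel="canonical" and similar fetch nothing
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, severity, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample page, assumed to be served over HTTPS.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/style.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<a href="http://example.org/">external link</a>
<img src="http://example.com/images/photo.jpg">
<script src="http://example.com/legacy.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```

The "blocked" entries are the ones to fix first, since the browser refuses to load them and the page visibly breaks.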

Error 3: Expired SSL Certificate

What It Means

This one is exactly what it sounds like. Every SSL certificate has an expiration date, and when that date passes, browsers will reject the certificate and show an error. Let’s Encrypt certificates expire every 90 days. Paid certificates typically last one year.

This is one of the most common SSL errors I see, and it is almost always caused by someone forgetting to renew or by an automated renewal process that silently failed.

How to Fix It

  1. Renew your certificate immediately. Log into your hosting control panel or your certificate provider’s dashboard and renew the certificate. If you are using Let’s Encrypt, you can renew from the command line with sudo certbot renew.
  2. Set up automatic renewal. If you are using Let’s Encrypt with Certbot, auto-renewal should be configured by default, but it does not always work. Run sudo certbot renew --dry-run to test whether the automatic renewal process is functioning correctly. If it fails, check your server’s cron jobs to make sure the renewal task is scheduled.
  3. Set calendar reminders. Even with auto-renewal in place, I always set a manual reminder about a week before my certificates are due to expire. It is a simple habit that has saved me more than once.
  4. Monitor your certificates. Services like UptimeRobot or Oh Dear can monitor your SSL certificate and send you alerts before it expires. This is especially valuable if you manage multiple sites.

Error 4: SSL Certificate Domain Mismatch (NET::ERR_CERT_COMMON_NAME_INVALID)

What It Means

This error appears when the domain name in the SSL certificate does not match the domain name in the browser’s address bar. For example, if your certificate is issued for www.example.com but someone visits example.com (without the www), or vice versa, the browser may throw this error.

It also happens when you have multiple domains pointing to the same server but only one of them is covered by the certificate.

How to Fix It

  1. Check which domains your certificate covers. You can view your certificate details by clicking the padlock icon in the browser address bar (when it is working on at least one domain). Look at the Subject Alternative Names (SANs) to see which domains are listed.
  2. Reissue or obtain a new certificate. If your certificate does not cover all the domains and subdomains you need, reissue it with the correct SANs. With Let’s Encrypt, you can specify multiple domains: sudo certbot --apache -d example.com -d www.example.com.
  3. Redirect to the correct domain. Pick one canonical version of your domain (either with or without www) and redirect the other to it. This is good practice for SEO as well. Make sure your SSL certificate covers the canonical version at minimum.
  4. Use a wildcard certificate for subdomains. If you run multiple subdomains (blog.example.com, shop.example.com, etc.), consider a wildcard certificate that covers *.example.com. Let’s Encrypt supports wildcard certificates through DNS validation.
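The expiry monitoring from Error 3 and the SAN check from step 1 above can be scripted together. This added example (not code from the original article) audits a dictionary shaped like the output of Python's ssl.SSLSocket.getpeercert(); the certificate data, the dates and the 7-day warning window are constructed assumptions. It also shows that a wildcard entry matches exactly one label, so the bare domain needs its own SAN entry.

```python
import ssl
from datetime import datetime, timezone


def name_matches(pattern, host):
    """RFC 6125-style match: '*' is allowed only as the whole left-most
    label and stands for exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def audit(cert, host, now, warn_days=7):
    """Return a list of problems for a dict shaped like getpeercert() output."""
    problems = []
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        problems.append("expired")
    elif days_left < warn_days:
        problems.append(f"expires in {days_left} days")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(s, host) for s in sans):
        problems.append(f"{host} not in SANs {sans}")
    return problems


# Constructed certificate data; names and dates are placeholders.
CERT = {
    "notAfter": "Jun  1 12:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
NOW = datetime(2026, 5, 28, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, audit(CERT, host, NOW) or "ok")
```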

Error 5: Incomplete SSL Certificate Chain

What It Means

An incomplete certificate chain means that your server is not providing all the intermediate certificates that the browser needs to verify the connection back to a trusted root CA. Think of it like a chain of trust: the root CA trusts an intermediate CA, and the intermediate CA trusts your certificate. If one link in that chain is missing, the browser cannot verify the entire path and will throw an error.

Some browsers handle this better than others. Chrome and Firefox may be able to fetch missing intermediates on their own in some cases, but older browsers and mobile devices often cannot. You should never rely on the browser to fill in the gaps.

How to Fix It

  1. Identify the missing certificates. Run your domain through the SSL Labs Server Test. It will clearly indicate if there are missing intermediate certificates and show you the chain as the server presents it.
  2. Download the correct intermediate certificates. Your certificate authority provides these. They are sometimes called a “CA bundle” or “chain file.” Download them from your CA’s documentation or support page.
  3. Install the full chain on your server. The process varies depending on your server software. On Apache, you would use the SSLCertificateChainFile directive (or in newer versions, concatenate the intermediates with your certificate in the SSLCertificateFile). On Nginx, you concatenate your certificate and the intermediate certificates into a single file and reference it with ssl_certificate.
  4. Verify the fix. After installing the intermediates, run the SSL Labs test again to confirm the chain is now complete. You should see a clear path from your certificate through the intermediate(s) to the root CA.

How to Check Your SSL Status

Before and after making any fixes, it is essential to verify your SSL configuration. Here are the tools I use and recommend:

  • SSL Labs Server Test (ssllabs.com/ssltest): The gold standard for SSL testing. It gives you a letter grade and detailed information about your certificate, chain, server configuration, and protocol support.
  • Why No Padlock (whynopadlock.com): A quick and easy tool specifically designed to find mixed content issues on a given page.
  • Browser Developer Tools: Open the Security tab in your browser’s developer tools to see certificate details, connection information, and any security warnings.
  • OpenSSL command line: For the technically inclined, you can inspect a server’s certificate directly with openssl s_client -connect yourdomain.com:443 -servername yourdomain.com. This shows the full certificate chain as presented by the server.
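The "Certificate chain" section printed by that openssl s_client command can be checked mechanically for the incomplete-chain problem from Error 5. This added example (not code from the original article) parses the subject and issuer lines and flags a missing intermediate, a self-signed certificate, or a chain in the wrong order; the excerpts and CA names are constructed, and the checks are heuristics that do not consult a trust store.

```python
import re

ENTRY = re.compile(r"^\s*\d+ s:(.*)$")  # " 0 s:CN = example.com"
ISSUER = re.compile(r"^\s+i:(.*)$")     # "   i:C = US, O = ..."


def parse_chain(output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    section = output.partition("Certificate chain")[2].partition("\n---")[0]
    chain = []
    for line in section.splitlines():
        if m := ENTRY.match(line):
            chain.append((m.group(1).strip(), None))
        elif chain and (m := ISSUER.match(line)):
            chain[-1] = (chain[-1][0], m.group(1).strip())
    return chain


def chain_problems(chain):
    """Heuristics on what the server sent; no trust-store lookup is done."""
    problems = []
    if len(chain) == 1:
        subject, issuer = chain[0]
        problems.append("self-signed certificate" if subject == issuer
                        else f"no intermediate sent for issuer '{issuer}'")
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"'{subject}' is not followed by its issuer")
    return problems


# Constructed s_client excerpts; the CA names are placeholders.
LEAF_ONLY = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
---
"""
FULL_CHAIN = """Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root
---
"""

if __name__ == "__main__":
    print(chain_problems(parse_chain(LEAF_ONLY)), chain_problems(parse_chain(FULL_CHAIN)))
```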

For a broader look at securing your site beyond just SSL, take a look at my guide on how to secure your website.

Getting Free SSL with Let’s Encrypt

There is no reason to pay for a basic SSL certificate in 2026. Let’s Encrypt provides free, automated, and trusted SSL certificates that work in all major browsers.

Here is a quick overview of how to set it up on a typical Linux server:

  1. Install Certbot. Certbot is the recommended client for Let’s Encrypt. On Ubuntu or Debian, you can install it with sudo apt install certbot. If you use Apache, also install python3-certbot-apache. For Nginx, install python3-certbot-nginx.
  2. Run Certbot. For Apache: sudo certbot --apache. For Nginx: sudo certbot --nginx. Certbot will automatically detect your domains and configure your server.
  3. Test automatic renewal. Run sudo certbot renew --dry-run to make sure the renewal process works correctly.
  4. Verify the installation. Visit your site in a browser and check for the padlock icon. Run the SSL Labs test for a thorough check.

If you would rather not deal with server configuration at all, many hosting providers handle SSL for you automatically. I put together a list of the best web hosting providers with free SSL that make the whole process painless.

Frequently Asked Questions

Can SSL errors hurt my search engine rankings?

Yes. Google has used HTTPS as a ranking signal since 2014, and the weight of that signal has only grown over time. Beyond rankings, browsers now display prominent warnings on sites without valid SSL, which will scare away visitors and increase your bounce rate. Both of those factors indirectly hurt your SEO performance as well.

How often do SSL certificates need to be renewed?

It depends on the type of certificate. Let’s Encrypt certificates are valid for 90 days and should be set up with automatic renewal. Most paid certificates from commercial CAs are valid for one year. Regardless of the type, always set up monitoring or reminders so you are not caught off guard by an expiration.

Will an SSL certificate slow down my website?

Not in any meaningful way. The TLS handshake does add a small amount of overhead to the initial connection, but modern hardware handles it effortlessly. In fact, HTTPS enables HTTP/2, which can actually make your site faster through features like multiplexing and header compression. The performance concern is outdated and should not factor into your decision.

I fixed the error but the warning still shows. What do I do?

Browsers cache SSL certificate information and security states. Try clearing your browser cache, or open the site in a private/incognito window. You can also try a hard refresh with Ctrl+Shift+R. If the warning persists after clearing the cache, double-check your fix with the SSL Labs Server Test to make sure the issue is truly resolved on the server side.

Do I need a separate SSL certificate for each subdomain?

Not necessarily. A standard certificate typically covers a single domain and sometimes its www variant. A Subject Alternative Name (SAN) certificate can cover multiple specific domains. A wildcard certificate covers a domain and all of its direct subdomains (e.g., *.example.com). If you have several subdomains, a wildcard certificate is usually the most practical and cost-effective option. Let’s Encrypt supports wildcard certificates at no cost.

What is the difference between SSL and TLS?

SSL (Secure Sockets Layer) is the original protocol. TLS (Transport Layer Security) is its successor and the protocol actually in use today. SSL versions are all deprecated due to security vulnerabilities. When people say “SSL” in everyday conversation, they almost always mean TLS. The certificates themselves work with TLS, but the industry still commonly refers to them as SSL certificates.

Final Thoughts

SSL certificate errors are annoying, but they are rarely catastrophic. In most cases, you can diagnose the problem in a few minutes with the right tools and fix it shortly after. The key is not to ignore these errors. Every minute your site displays an SSL warning is a minute you are losing visitors and credibility.

To recap the basics: keep your certificates renewed, install the complete certificate chain, make sure your certificate covers all your domains, and hunt down any mixed content. Use the SSL Labs Server Test regularly to catch issues before your visitors do.

If you are just getting started with website security, I recommend reading my full guide on how to secure your website for a broader perspective on keeping your site and your visitors safe.
