If a site is showing an SSL error, the fastest diagnostic is to run it through SSL Checker — the report will identify expired certificates, missing intermediates, hostname mismatches, and weak protocols immediately. This page is a reference for understanding the error itself: what it means, why it appears, and what to fix.
Errors are grouped by what's actually wrong, not by which browser displays them. Each error includes the equivalent codes across Chrome, Firefox, and Safari where they differ.
NET::ERR_CERT_DATE_INVALID
Certificate has expired (or device clock is wrong)
The certificate's validity period doesn't include the current moment. Either the certificate has genuinely expired, or the visitor's device clock is incorrect.
Site owner fix
Renew the certificate. With Let's Encrypt: sudo certbot renew --force-renewal && sudo systemctl reload nginx. With a paid CA: log into the CA's portal, generate a new CSR, install the new cert. After renewal, run SSL Checker to confirm the new expiry date.
Visitor fix
If only one site shows this error, it's the site. If every HTTPS site shows it, your device clock is wrong — set it to auto-sync via NTP and the error disappears immediately.
Applies to: Chrome, Edge. Firefox: SEC_ERROR_EXPIRED_CERTIFICATE. Safari: NSURLErrorServerCertificateHasExpired.
NET::ERR_CERT_AUTHORITY_INVALID
Certificate isn't trusted
The browser can't trace the certificate back to a trusted root CA. Three common causes: the certificate is self-signed, the server is missing an intermediate, or the device's trust store is missing the root.
Most common cause: missing intermediate
The chain on the server is incomplete — the leaf cert is being served, but not the intermediate that links it to a trusted root. Mobile and API clients fail; desktop Chrome may "work" because it auto-fetches the missing intermediate. Reinstall with the full chain (fullchain.pem on Linux servers, or paste the CA bundle into cPanel's CA Bundle field). Run SSL Checker after the fix to confirm the chain is complete.
If self-signed
Self-signed certs are fine for local dev but never appropriate for public sites. Issue a real cert via Let's Encrypt or a paid CA.
Applies to: Chrome, Edge. Firefox: SEC_ERROR_UNKNOWN_ISSUER. Safari: untrusted.
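The two errors above (dates and chain trust) can be reproduced with a name-based walk over the certificates a server sends, which is useful when you want to script the check rather than read a browser dialog. The following is an added example written for this page, not code from SSL Checker or any browser. It uses the dict shape Python's ssl.getpeercert() returns, the sample certificates and trust store are constructed, and it links certificates by subject/issuer name only; real clients additionally verify signatures, which this example does not.

```python
import ssl
import time

# Constructed sample certificates in the dict shape ssl.getpeercert() returns
# (subject/issuer as tuples of RDNs, dates as 'Mon DD HH:MM:SS YYYY GMT').
# None of these are real certificates.
def name(cn):
    return ((("commonName", cn),),)

def cn_of(dn):
    return dn[0][0][1]

LEAF = {"subject": name("www.example.com"), "issuer": name("Example Intermediate CA"),
        "notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Apr  1 00:00:00 2025 GMT"}
INTERMEDIATE = {"subject": name("Example Intermediate CA"), "issuer": name("Example Root CA"),
                "notBefore": "Jan  1 00:00:00 2020 GMT", "notAfter": "Jan  1 00:00:00 2035 GMT"}
SELF_SIGNED = {"subject": name("dev.local"), "issuer": name("dev.local"),
               "notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Jan  1 00:00:00 2026 GMT"}
TRUST_STORE = {name("Example Root CA")}   # assumed device trust store: root subjects only

# Two fixed "clocks" so the results are reproducible (the leaf expires Apr 1 2025).
NOW = ssl.cert_time_to_seconds("Feb  1 00:00:00 2025 GMT")
LATER = ssl.cert_time_to_seconds("May  1 00:00:00 2025 GMT")


def check_validity(cert, now=None):
    """'valid', 'expired' or 'not_yet_valid' at epoch time `now` (default: the real clock)."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "valid"


def diagnose_chain(chain, trust_store, now=None):
    """Walk the served chain leaf -> issuer by name; return the matching Chrome error or 'ok'."""
    if not chain:
        return "no certificate served"
    leaf = chain[0]
    if check_validity(leaf, now) != "valid":
        # Same error whether the cert really expired or the client's clock is off.
        return "NET::ERR_CERT_DATE_INVALID"
    by_subject = {c["subject"]: c for c in chain}
    current, visited = leaf, set()
    while True:
        if current["issuer"] in trust_store:
            return "ok"                                   # chain ends at a trusted root
        if current["issuer"] == current["subject"]:
            return "NET::ERR_CERT_AUTHORITY_INVALID (self-signed)"
        parent = by_subject.get(current["issuer"])
        if parent is None:
            # The server sent the leaf but not the CA certificate that signed it.
            return "NET::ERR_CERT_AUTHORITY_INVALID (missing intermediate: %s)" % cn_of(current["issuer"])
        if id(parent) in visited:
            return "NET::ERR_CERT_AUTHORITY_INVALID (chain loops)"
        visited.add(id(parent))
        if check_validity(parent, now) != "valid":
            return "NET::ERR_CERT_DATE_INVALID (intermediate %s)" % cn_of(parent["subject"])
        current = parent


def clock_or_site(results):
    """Visitor-side triage from the text: every site failing on dates points at the device clock."""
    failing = [site for site, err in results.items() if err.startswith("NET::ERR_CERT_DATE_INVALID")]
    if failing and len(failing) == len(results):
        return "device clock is wrong: enable NTP sync"
    if failing:
        return "problem is on the site(s): %s" % ", ".join(sorted(failing))
    return "no date errors"


if __name__ == "__main__":
    print(diagnose_chain([LEAF, INTERMEDIATE], TRUST_STORE, NOW))   # ok
    print(diagnose_chain([LEAF], TRUST_STORE, NOW))                 # missing intermediate
    print(diagnose_chain([SELF_SIGNED], TRUST_STORE, NOW))          # self-signed
    print(diagnose_chain([LEAF, INTERMEDIATE], TRUST_STORE, LATER)) # expired
```

Dropping INTERMEDIATE from the served list is exactly the "works in desktop Chrome, fails on mobile" situation: this walker, like a strict client, has no AIA fetching and stops at the leaf's unknown issuer.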
NET::ERR_CERT_COMMON_NAME_INVALID
Certificate doesn't cover this hostname
The certificate is valid, but it doesn't include the hostname the user is trying to reach in its Subject Alternative Names. Common when a wildcard cert (*.example.com) is being used to serve the apex (example.com) — wildcards don't cover the parent.
Fix
Reissue the certificate with the missing hostname added as a SAN. With Let's Encrypt, just include all the names you need on the next issuance: certbot certonly -d example.com -d www.example.com -d api.example.com.
Applies to: Chrome, Edge. Firefox: SSL_ERROR_BAD_CERT_DOMAIN. Safari: hostname mismatch.
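The wildcard rule is the part people trip over, so here is the hostname matching a browser applies, written as an added example for this page (not browser or certbot code). The wildcard certificate is constructed, and the helper that builds the certbot command simply joins the names you pass it.

```python
def matches_san(hostname, san):
    """Does one DNS SAN entry cover hostname? Case-insensitive; '*' covers exactly one label."""
    host = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if "*" not in san:
        return host == san
    # Browsers honour only a single leading wildcard label ('*.example.com').
    if not san.startswith("*.") or "*" in san[1:]:
        return False
    suffix = san[1:]                            # '.example.com'
    if not host.endswith(suffix):
        return False                            # the apex 'example.com' fails here: wildcards do not cover the parent
    label = host[:-len(suffix)]                 # what '*' has to stand in for
    return bool(label) and "." not in label     # exactly one label, so 'a.b.example.com' also fails


def dns_sans(cert):
    """DNS entries from a getpeercert()-style dict."""
    return [value for typ, value in cert.get("subjectAltName", ()) if typ == "DNS"]


def covers(cert, hostname):
    return any(matches_san(hostname, san) for san in dns_sans(cert))


def missing_names(cert, wanted):
    """Names the certificate does not cover, in the order given: what to add as SANs on reissue."""
    return [h for h in wanted if not covers(cert, h)]


def certbot_command(names):
    """The reissue command from the text, built from the full list of names you need."""
    return "certbot certonly " + " ".join("-d " + n for n in names)


# Constructed wildcard certificate in getpeercert() shape; not a real certificate.
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}
NEEDED = ["example.com", "www.example.com", "api.example.com"]

if __name__ == "__main__":
    print(missing_names(WILDCARD_CERT, NEEDED))   # ['example.com']
    print(certbot_command(NEEDED))
```

Run against a live server, the same functions take `ssl.SSLSocket.getpeercert()` output directly; the only assumption is that the certificate carries its names in subjectAltName, which every publicly trusted certificate issued today does.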
ERR_SSL_PROTOCOL_ERROR
TLS handshake failed
The TLS handshake itself couldn't complete. Less about the certificate, more about how the server is configured. Common causes:
- Only TLS 1.0 or 1.1 enabled — modern browsers refuse these.
- Cipher suite mismatch — server requires a cipher the browser doesn't support.
- Server is responding on port 443 with plain HTTP instead of HTTPS.
- CDN / origin certificate misconfiguration (e.g., Cloudflare "Full (strict)" with a self-signed origin).
Fix
Enable TLS 1.2 and TLS 1.3, disable TLS 1.0 and 1.1. Apply Mozilla's "intermediate" SSL configuration (the Mozilla SSL Configuration Generator outputs ready-to-paste configs for nginx, Apache, HAProxy, and others). Verify port 443 is bound to the TLS handler.
Applies to: Chrome, Edge. Firefox: SSL_ERROR_NO_CYPHER_OVERLAP.
ERR_CERT_REVOKED
Certificate has been revoked
The CA has explicitly marked the certificate as no longer valid, usually after a private key compromise.
Fix
Issue a new certificate with a fresh private key. Don't reuse the old keypair — it's the keypair that was compromised. After install, verify with SSL Checker and confirm the new serial number.
Applies to: Chrome, Edge.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
No common TLS version or cipher
The client and server can't agree on a TLS version or cipher suite. The server is restricting too narrowly, or supporting only outdated options.
Fix
Apply Mozilla's intermediate SSL configuration — it works with every browser released in the last decade while remaining secure. Don't apply the "modern" preset unless you're sure you don't need to support older clients.
Applies to: Chrome, Edge.
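Both ERR_SSL_PROTOCOL_ERROR and ERR_SSL_VERSION_OR_CIPHER_MISMATCH come down to the server's version and cipher policy. As an added example for this page (not nginx, Apache or Mozilla code), here is the same policy expressed with Python's standard ssl module, plus a report function that checks what the resulting context would actually accept. The cipher string is my transcription of Mozilla's "intermediate" preset at the time of writing; regenerate it from the Mozilla SSL Configuration Generator rather than trusting this copy, and note that the TLS 1.3 suites are not in the string because OpenSSL enables them separately.

```python
import ssl

# Transcribed from Mozilla's "intermediate" preset (assumption: check the generator).
INTERMEDIATE_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",
])
# Substrings that mark suites modern browsers will not negotiate.
LEGACY_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH", "PSK", "SRP")


def make_server_context():
    """Server context that refuses TLS 1.0/1.1 and offers only the intermediate suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 ClientHellos get a protocol_version alert
    ctx.set_ciphers(INTERMEDIATE_CIPHERS)          # TLS 1.2 suites; TLS 1.3 suites are enabled separately
    return ctx


def accepts_version(ctx, version):
    """True if the context would complete a handshake with a client offering only `version`."""
    if version < ctx.minimum_version:
        return False
    hi = ctx.maximum_version
    return hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= hi


def legacy_ciphers(ctx):
    """Names of enabled suites that match a legacy marker (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if any(m in c["name"] for m in LEGACY_MARKERS)]


def policy_report(ctx):
    """What a client would see: versions accepted and the protocol families of the enabled suites."""
    return {
        "min_version": ctx.minimum_version.name,
        "accepts_tls10": accepts_version(ctx, ssl.TLSVersion.TLSv1),
        "accepts_tls11": accepts_version(ctx, ssl.TLSVersion.TLSv1_1),
        "accepts_tls12": accepts_version(ctx, ssl.TLSVersion.TLSv1_2),
        "legacy_ciphers": legacy_ciphers(ctx),
        "protocols": sorted({c["protocol"] for c in ctx.get_ciphers()}),
    }


if __name__ == "__main__":
    for key, value in policy_report(make_server_context()).items():
        print("%-16s %s" % (key, value))
```

The report is the same information a browser computes silently before deciding to show ERR_SSL_VERSION_OR_CIPHER_MISMATCH: if `accepts_tls12` is False or every enabled suite is legacy, no current browser can connect. The nginx and Apache equivalents are the `ssl_protocols`/`ssl_ciphers` and `SSLProtocol`/`SSLCipherSuite` directives the Mozilla generator emits.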
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
Certificate uses a deprecated signature algorithm
The certificate is signed with SHA-1 or another algorithm browsers no longer trust. Any cert still using SHA-1 today is many years past its issue date.
Fix
Reissue the certificate. Modern CAs only issue SHA-256 (or stronger) signatures by default, so simply renewing through a current CA fixes this. Let's Encrypt has always issued SHA-256.
Applies to: Chrome, Edge.
NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
Certificate isn't logged in CT
Chrome requires every certificate to be logged in Certificate Transparency logs. The cert in question isn't logged, or its SCTs (Signed Certificate Timestamps) aren't being delivered.
Fix
Reissue the certificate from a CA that logs to CT. Every reputable CA does this by default in 2026 — Let's Encrypt, DigiCert, Sectigo, GlobalSign, and others have logged everything for years. If you see this, contact your CA; reissuance is normally free.
Applies to: Chrome, Edge.
ERR_SSL_BAD_RECORD_MAC_ALERT
Cryptographic record corruption
Less common. Indicates the encrypted data was corrupted in transit, or one side's session state got out of sync. Usually transient; persistent occurrences point to a buggy middlebox or a TLS implementation bug.
Fix
Try a different network — if it works on mobile data but not on a corporate network, an intercepting proxy is breaking the connection. If it persists across networks, check whether your server is fronted by a load balancer or CDN and see if upgrading its TLS implementation helps.
SSL_ERROR_RX_RECORD_TOO_LONG
Server is responding with HTTP, not TLS
Firefox-specific error indicating that the server sent a non-TLS response when TLS was expected. Almost always means the server is listening on port 443 with plain HTTP.
Fix
Check your web server configuration. The TLS-enabled site should be bound to port 443, not the HTTP one. On nginx, look for listen 443 ssl. On Apache, look for <VirtualHost *:443> with SSLEngine on.
Applies to: Firefox.
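The "record too long" wording is literal: the client reads the first five bytes of whatever the server sent as a TLS record header (content type, two-byte version, two-byte length), and the ASCII of "HTTP/" decodes to type 0x48, version 0x5454 and length 0x502F = 20527, which is larger than any record TLS permits. The following added example (written for this page, not Firefox or nginx code) shows that decoding on constructed samples, including the fatal alert a TLS 1.2-only server returns to an old client, which is the wire-level form of the version/cipher mismatch errors listed earlier on this page.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERTS = {40: "handshake_failure", 46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}
MAX_RECORD = 2 ** 14 + 2048   # largest TLS 1.2 ciphertext record (RFC 5246 6.2.3); TLS 1.3 allows 2**14 + 256


def classify_server_bytes(data):
    """Interpret the first bytes a client receives after sending its ClientHello."""
    if len(data) < 5:
        return {"kind": "short", "bytes": len(data)}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    info = {"content_type": ctype, "version": version, "length": length}
    looks_like_tls = ctype in CONTENT_TYPES and (version >> 8) == 3   # 0x03xx = SSL3/TLS family
    if looks_like_tls and length <= MAX_RECORD:
        info["kind"] = CONTENT_TYPES[ctype]
        if ctype == 21 and len(data) >= 7:
            # Alert body: level (1 = warning, 2 = fatal) then description.
            info["fatal"] = data[5] == 2
            info["alert"] = ALERTS.get(data[6], "alert %d" % data[6])
        return info
    # Not a TLS record header: the client reports the impossible length (SSL_ERROR_RX_RECORD_TOO_LONG).
    info["kind"] = "record_too_long" if length > MAX_RECORD else "not_tls"
    if data.startswith(b"HTTP/"):
        info["hint"] = "plain HTTP response on the TLS port: check 'listen 443 ssl' / 'SSLEngine on'"
    return info


# Constructed samples, not captured traffic.
PLAIN_HTTP = b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n"
# Handshake record header followed by the start of a ServerHello (type 2); body truncated.
SERVER_HELLO = struct.pack("!BHH", 22, 0x0303, 4) + b"\x02\x00\x00\x00"
# Fatal protocol_version alert: what a TLS 1.2-only server sends to a TLS 1.0-only client.
FATAL_VERSION_ALERT = struct.pack("!BHH", 21, 0x0303, 2) + bytes([2, 70])

if __name__ == "__main__":
    for sample in (PLAIN_HTTP, SERVER_HELLO, FATAL_VERSION_ALERT):
        print(classify_server_bytes(sample))
```

Fed with the bytes from a real capture of the first server record, the classifier separates the three cases the page lists: a handshake record means TLS is up and any remaining problem is in the certificate, an alert names the negotiation failure, and an oversized "length" from readable text means the TLS listener is not bound to that port at all.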
Mixed Content Warning
HTTPS page loading HTTP resources
Not technically an SSL error — the page itself loaded over HTTPS — but the browser found insecure resources on the page. Modern browsers block scripts and stylesheets outright; images may be silently upgraded.
Fix
Update every http:// URL in your HTML, CSS, and JS to https://. Add the upgrade-insecure-requests directive in your Content-Security-Policy header to handle legacy URLs automatically. Hard-coded URLs in databases (WordPress sites are notorious for this) need a search-and-replace pass.
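A first pass at the search-and-replace can be scripted. The following added example (written for this page, not a WordPress or browser tool) scans an HTML document for http:// subresources, labels each with the treatment the text describes (active content blocked, passive content upgraded), rewrites them to https://, and carries the CSP header value for anything missed. It is regex-based and the sample document is constructed; a production pass would use a real HTML and CSS parser, and rewriting assumes every referenced host actually serves HTTPS.

```python
import re

TAG_RE = re.compile(r"<(\w+)\b([^>]*)>", re.S)
# src/href/... attributes whose value starts with http://
ATTR_RE = re.compile(r"""\b(src|href|srcset|poster|data)\s*=\s*["']?(http://[^"'\s>]+)""", re.I)
# CSS url(http://...) inside <style> blocks or inline styles
CSS_URL_RE = re.compile(r"""url\(\s*["']?(http://[^)"']+)""", re.I)

BLOCKED = {"script", "link", "iframe", "object", "embed"}   # active content: browsers block it outright
UPGRADED = {"img", "audio", "video", "source"}               # passive content: upgraded to https:// or blocked


def find_insecure_refs(html):
    """(tag, attribute, url, browser behaviour) for every http:// subresource on an https page."""
    refs = []
    for tag, attrs in TAG_RE.findall(html):
        tag = tag.lower()
        if tag == "a":
            continue   # a plain link navigates away; it is not mixed content
        for attr, url in ATTR_RE.findall(attrs):
            kind = "blocked" if tag in BLOCKED else "upgraded" if tag in UPGRADED else "other"
            refs.append((tag, attr.lower(), url, kind))
    for url in CSS_URL_RE.findall(html):
        refs.append(("style", "url()", url, "blocked"))
    return refs


def upgrade_urls(html):
    """Rewrite every flagged reference to https:// (assumes each host actually serves HTTPS)."""
    for _tag, _attr, url, _kind in find_insecure_refs(html):
        html = html.replace(url, "https://" + url[len("http://"):])
    return html


# Header that makes the browser upgrade any http:// subresource the rewrite missed.
CSP_HEADER = ("Content-Security-Policy", "upgrade-insecure-requests")

# Constructed sample page with four mixed-content references and one ordinary link.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
<style>body { background: url("http://static.example.com/bg.png"); }</style>
</head><body>
<img src="http://static.example.com/logo.png" alt="logo">
<a href="http://partner.example.net/">partner</a>
<script src="https://cdn.example.com/ok.js"></script>
</body></html>"""

if __name__ == "__main__":
    for ref in find_insecure_refs(SAMPLE_HTML):
        print(ref)
    print(upgrade_urls(SAMPLE_HTML))
```

The `<a href="http://...">` link is deliberately left alone: navigating to an http:// page is not mixed content, and rewriting it would break any partner site that has no HTTPS. The CSP directive covers the long tail (URLs stored in database content, inline styles in old posts) without having to find each one.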
"This site can't provide a secure connection"
Generic Chrome message — needs further diagnosis
Chrome occasionally shows this without a specific error code. The underlying problem is one of the others on this page; the code is just not surfaced.
Fix
Open Chrome DevTools, go to the Security tab, and reload — the detailed certificate state appears there. Or run the domain through SSL Checker, which surfaces the actual issue without needing to reproduce the error.
SSL_ERROR_NO_CYPHER_OVERLAP
No common cipher suite
Firefox's version of ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Server and client can't agree on a cipher.
Fix
Same as the Chrome equivalent — apply a current Mozilla SSL configuration. The "intermediate" preset solves this for nearly every site.
Applies to: Firefox.
SEC_ERROR_OCSP_FUTURE_RESPONSE / OCSP_INVALID_SIGNING_CERT
OCSP stapling problem
The server is stapling an OCSP response that's invalid, future-dated (clock issues on the server), or signed by an unexpected certificate.
Fix
Check the server clock is correct. Force the server to re-fetch its OCSP staple: on nginx, reload the service; on Apache, restart with SSLUseStapling On verified. Modern web servers handle this automatically; older versions can serve a stale staple for hours.
Applies to: Firefox.
Diagnostic Steps That Apply to Every Error
If an error doesn't match any of the above precisely, three steps almost always surface the root cause:
- Run SSL Checker. It uses a clean PHP TLS implementation — no browser cache, no extensions, no proxies — and reports exactly what it sees: cert, chain, expiry, protocols, issues.
- Try a different network. If the error appears on a corporate or hotel network but not on mobile data, it's a TLS-intercepting proxy injecting an untrusted CA. Not a website problem.
- Try a different browser or device. Errors that appear in Chrome but not Safari (or on iPhone but not desktop) usually indicate a missing intermediate — desktop Chrome auto-fetches it via AIA, mobile Safari doesn't.
Most SSL errors are preventable with three habits: automate renewal, install the full certificate chain, and run a regular check. Even one of those three eliminates the most common failure modes.