Table of Contents
Every reputable online business needs to have a valid SSL certificate to safeguard their clients’ security and brand’s credibility. These days, you can even get a valid SSL certificate for free thanks to the open Certificate Authority (CA) Let’s Encrypt. Despite the type of SSL you choose, you may still come across SSL errors if there is an issue with the certificate or its configuration.
SSL errors on your site can severely damage your brand reputation, push visitors away and affect your SEO ranking. To prevent any of these negative outcomes, you should promptly fix this kind of error on your website. Thus, knowing what SSL errors mean and how to mend them is crucial for your business.
In this post, we’ll focus on what an SSL certificate is, common SSL errors, and how to fix them.
What Is an SSL/TLS Certificate?
Secure Socket Layer (SSL) is an encryption protocol that provides security for online transactions and sensitive information.
TLS (Transport Layer Security) is a more secure successor to SSL. Nowadays, all SSLs are based on TLS protocol, but SSL is the more broadly recognized term.
An SSL certificate is a digital certificate that authenticates a website’s identity and allows an encrypted connection. The connection could be between the browser and server, server to server, or another network.
These protocols use complicated algorithms to encrypt sensitive data transmitted through the network. This way, the entire exchange between a client and server remains private and protected from web criminals.
A website with a properly configured SSL loads with a padlock icon and HTTPS (Hypertext Transfer Protocol Secure) in front of the domain name.
How do SSL certificates work?
When you access a website over HTTPS, your web browser first connects to the server where the site resides. Then, your browser (SSL Client) requests verification from the server to confirm that site’s identity. The SSL server sends its SSL certificate and public key to the browser in a piece of encoded text.
Then the SSL Client checks the server’s SSL for an expiration date, revokes, and whether it is valid. When your browser has confirmed all that information, both entities compute a new symmetrical encryption key (a.k.a session key). Next, the server sends an acknowledgment to the SSL Client (in that case – your browser).
Afterward, the server and client establish a secure connection using the session key to encrypt the data in transit.
This entire process defines the SSL Handshake, which happens behind the scenes, unnoticed by the visitor.
However, If any step fails to be completed successfully, you may encounter an SSL connection error. Further in this article, we’ll outline the most common SSL certificate errors and how to fix them, so read on.
Why Do You Need an SSL Certificate?
A valid and correctly configured SSL certificate issued by a trusted certificate authority is vital for any site. According to SERPWatch, more than 46 million websites worldwide use SSL certificates. Moreover, 95% of search engine page results are for sites that load with HTTPS://, making it a crucial SEO factor.
Here are just a few reasons why you definitely need an SSL certificate on your website:
- Secures sensitive information by encryption – The key function of an SSL certificate is to encrypt all data exchanged in server-client communication. This includes credit card numbers, IDs, passwords, messages, etc. Since SSL encrypts everything on a site from the moment the certificate is configured, your browsing data is protected from eavesdropping.
- Verifying your website’s identity – The SSL confirms your website’s identity and thus provides protection from phishing attacks. This way, no other domain name can impersonate your website and scam your visitors.
- Improves your website’s SEO ranking – Search engines prefer sites with valid SSL certificates, and therefore they rank them better. Google changed its algorithm in 2014 to show sites with valid SSL certificates higher up in search engine page results (SERPs). Check our blog post if you want to learn more about the basics of SEO.
- Helps establish a trustworthy brand – For retailers accepting online payments, they need to be PCI compliant. One of the 12 requirements for a site to be PCI/DSS compliant is to have an SSL certificate. This is a security standard that is established by the Payment Card Industry. By fulfilling this requirement, you instill consumers’ trust in your brand.
- Better user experience – A properly installed SSL certificate provides a better user experience to your target audience. You see, people nowadays are savvy about the importance of their security online and prioritize safety. If your site has a valid SSL, visitors will feel safe making purchases and even come back for more.
What is an SSL certificate error?
An SSL certificate error results from an issue with the website’s certificate itself or its configuration on the server. If your browser is unable to establish a secure connection with a website due to any of the above issues – it will display a particular error message.
These errors may not be too wordy, but they always hint at where the problem might be.
The following section will explain the meaning of the SSL errors you are most likely to encounter.
Common SSL errors
Let’s Encrypt Installation errors
At times, you may stumble upon an SSL error during the installation process. Such errors are
“429 Too Many Requests”, “No Domains Authorized,” and “Certificate is not for the chosen domain.”
You receive these errors because your domain name is not pointed properly or has been registered or pointed recently. As you probably know, after any DNS change, a domain goes into a DNS propagation period that may take up to 72 hours. Until this process is complete, you could encounter any of these Let’s Encrypt installation errors.
Hence, you should ensure your domain is pointing to the right server and not propagating before attempting to install Let’s Encrypt SSL.
Expired SSL Certificate Error
This error means exactly what it says – the SSL certificate for your site has expired. This SSL error can happen to anyone, as it’s easy to forget when precisely your security certificate expires. Most commonly, paid SSLs are valid for one year, and free ones like Let’s Encrypt last for three months. At SiteGround, we renew SSL certificates automatically to ensure the integrity of your website.
SSL Certificate Not Trusted Error
SSL Certificate Not Trusted Error indicates that the SSL certificate has been issued by a company that your browser doesn’t trust. This means that the certificate of authority (CA) that issued the certificate is not present in the local trusted root certificates store.
Usually, this happens when the server itself issues the SSL, which is not a CA certificate. These server certificates are called self-signed certificates, and browsers do not trust them. You will likely see a “Your connection is not private” error in the Google Chrome browser.
At SiteGround, we offer Premium Wildcard SSL certificates by GlobalSign and free ones by Let’s Encrypt. Both CAs are trusted worldwide and provide certificates with the same level of security encryption.
However, only premium SSLs include dynamic site seals, which look like clickable badges. These seals redirect to the issuing Certificate Authority’s official website and instill trust in your customers.
Name Mismatch Error
The “Name Mismatch Error” occurs when the domain name listed in the SSL certificate does not match the URL you are trying to reach. This error appears if the security certificate was initially issued for another domain name (or a subdomain). Sometimes, if your SSL is installed on yourdomain.com, it may not cover the www part of it, and as a result, this error will appear.
Mixed Content Error
Your browser displays this error message when the site you are trying to access has insecure content. This usually happens when you install an SSL certificate and configure your site to work with HTTPS.
Mixed content may be caused by non-secure external resources or files still being requested with HTTP. Applications like WordPress may hardcode URLs with HTTP within plugins and themes. In such a case, your browser will see them as mixed content and won’t display the padlock.
Generic SSL Protocol Error
A Generic SSL Protocol Error is, for example, the err_ssl_protocol_error, which can stem from several different factors.
This isn’t an exhaustive list, but we’ve outlined the most common reasons below, with brief descriptions.
- Browser-related issues – There may be browser extensions or other settings obstructing the encrypted connection to a website. For instance, if the browser doesn’t support the TLS protocol version the SSL certificate is based on – it will display a generic SSL error.
- Not correctly installed SSL on the server – If one of the chain certificates between yours and the root certificate is not properly installed on the server.
- Faulty or not verified SSL signature – The SSL signature is included in the certificate and contains all data needed to verify the server. If any of these details are modified by a man-in-the-middle, the SSL validation will fail.
- Outdated encryption algorithm – For example, since 2005, the SHA-1 has been an obsolete cryptographic standard developed initially by NSA. This hashing algorithm was widely used for SSL certificate encryption but is now considered insecure. Thus, your browser does not trust SSL certificates based on this type of encryption.
- A firewall or other local system settings are disrupting the SSL connection – Your local firewall may be blocking a website if it marks its SSL certificate invalid. Alternatively, your OS may need some tweaking or an update to parse the SSL certificate properly.
- An issue with the certificate’s chain of trust – The SSL chain of trust refers to the way your SSL certificate links back to a Trusted Certificate of Authority. In order for an SSL to be valid, it has to trace back to the trust root certificate. A chain of trust includes root, intermediate certificates, and end-entity certificates. All of them must be trusted in order for an SSL certificate to be trusted.
The Root certificate belongs to the Certificate Authority issuer and is listed in the trusted root certificate store. Intermediate certificates branch off of root certificates and serve as interceders between the root and server SSL certificates. The End-entity certificates are the SSLs issued to a particular domain name. All three are a part of the CA Bundle, completing the SSL chain of trust.
If the SSL certificate can not be chained back to the root certificate – the browser will throw an SSL error.
SSL Certificate Revoked Error
This SSL error occurs when the Certificate Authority has revoked/canceled a particular domain’s SSL certificate. The CA may revoke the certificate if its private key shows any signs of compromise. A certificate is also invalidated if the domain it was issued for is not operational. Revoked certificates are stored in the Certificate Revocation List (CRL); if the browser finds it there, it will display an SSL error.
How to Fix SSL Errors
An SSL error on your website may prevent access to it, and you should troubleshoot this issue to correct it. Fixing SSL connection errors is definitely worth your while; otherwise, they may negatively impact your site’s SEO ranking. Not to mention that such errors can discourage visitors from interacting with your site.
In this section, we’ll get into fixing SSL errors on your website and provide you with troubleshooting points you can follow.
Make sure you have SSL installed
First, make sure that you have an SSL installed on your website from your web hosting account. SiteGround clients can verify this and install a new SSL certificate from Site Tools > Security > SSL Manager. Select the domain you want SSL installed on, pick an SSL and click on Install.
Reinstall the SSL
Even though you have already installed SSL for your website, accessing it through a secure HTTPS connection might fail. As a result, your browser may serve a warning that the SSL certificate is not issued by a trusted authority. In most cases, this is resolved by reinstalling the SSL.
SiteGround clients can do this in Site Tools > Security > SSL Manager. Once in the tool, delete the SSL-causing issues and install it anew.
Diagnose the problem with a web SSL checker
If you notice an SSL error on your website, you should check it with a web SSL checker. These online tools check the certificate’s chain of trust and whether it validates back to the CA. They also provide information about the SSL’s expiration date, hostname, certificate serial number, signature algorithm, etc. If any of these checks fail, the web tool may hint at what you should focus on fixing.
Renew your SSL certificate
If your SSL certificate expires, your site will likely become inaccessible to your client base. That brings a plethora of detrimental effects to your website, especially if the expired SSL is not taken care of in time. To mitigate this, you should promptly renew your SSL certificate to get your site back online.
Change all URLs to HTTPS
When you install an SSL certificate on your website and reconfigure it to open via HTTPS, some items on the website may still be requested via HTTP. As we mentioned, this is called mixed content, and browsers will show a warning if this kind of content is present.
If you are experiencing this issue, check our post on How to fix mixed content.
Update your browser or OS version
Let’s Encrypt has recently upgraded its certificates, and the new ones no longer support older OS and browser versions. The new SSLs have updated OS requirements which may prevent Let’s Encrypt secured websites from displaying properly.
If you have your SSL installed and renewed and still see an error, you probably have an outdated OS and/or browser. A reliable way to test this is to open your website from another device (another PC, mobile phone, etc.). If you don’t see any SSL errors on the new device, the issue is most certainly caused by the recent change.
To ensure that you have access to websites encrypted by Let’s Encrypt, update your browser and operating system to a supported version.
List of the supported OS and browser versions:
- Windows >= XP SP3 (assuming Automatic Root Certificate Update isn’t manually disabled)
- macOS >= 10.12.1
- iOS >= 10 (iOS 9 does not include it)
- iPhone 5 and above can upgrade to iOS 10 and can therefore trust ISRG Root X1
- Android >= 7.1.1 (but Android >= 2.3.6 works by default due to our special cross-sign)
- Mozilla Firefox >= 50.0
- Ubuntu >= xenial / 16.04 (with updates applied)
- Debian >= jessie / 8 (with updates applied)
- Java 8 >= 8u141
- Java 7 >= 7u151
- NSS >= 3.26
Browsers (Chrome, Safari, Edge, Opera) generally trust the same root certificates as the operating system they run on.
You can find the complete list of supported browsers and OS here.
Install an intermediate certificate
If the browser can not trace your SSL certificate back to the root certificate, it will display an SSL error. Thus, you may need to install an intermediate certificate on your web server. Some people buy an SSL issued by a third party and import the SSL keys to install it. In this case, you may need to contact the SSL issuer to provide your SSL’s CA Bundle, and then reinstall it.
Generate a new Certificate Signing Request
If you are still struggling to fix the SSL error on your site, your SSL might be incorrectly installed. Therefore, you may need to generate a new Certificate Signing Request to resolve the issue.
Upgrade to a dedicated IP address
If a “Name Mismatch Error” is the message you see, the browser may not be able to define which domain the SSL is signed for. A browser first resolves the domain to its corresponding IP address and then parses the SSL. However, if you are on a shared hosting account, most likely, your site shares the same IP as other sites on the same server. Therefore, the browser cannot confirm that the SSL matches your domain name.
To resolve this, you can upgrade to a Dedicated IP address that only your site uses.
Get a Wildcard SSL certificate
Lastly, if you are still seeing the “Name Mismatch Error,” you may need to get a Wildcard SSL certificate. A Wildcard SSL covers not only your root domain but also its subdomains, for example:
- www.sgdomain.tld
- shop.sgdomain.tld
- mysubdomain.sgdomain.tld
Monitor Your SSL Certificates
You will surely agree that the best protection from SSL errors is prevention, and you can achieve this with monitoring. To monitor your SSL certificates effectively, you can use a Chrome browser extension that detects validity, expiration, and changes in the certificate.
If you are a SiteGround client and experience issues with your SSL certificate at any time – do not hesitate to contact us.
