SSL/TLS Error

Security - Certificate validation failed

SSL/TLS Certificate Errors

Common SSL Errors

ERR_CERT_DATE_INVALID

Certificate has expired or is not yet valid

ERR_CERT_AUTHORITY_INVALID

Certificate not signed by a trusted CA (self-signed)

ERR_CERT_COMMON_NAME_INVALID

Certificate doesn't match the domain name

SSL_ERROR_HANDSHAKE_FAILURE_ALERT

TLS version or cipher suite mismatch

Diagnosing Certificate Issues

# Check certificate details
openssl s_client -connect example.com:443 -servername example.com

# View certificate info
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates -subject -issuer

# Check full certificate chain
openssl s_client -connect example.com:443 -showcerts

# Test specific TLS version
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3

Certificate Expired

SSL certificates have a validity period (usually 90 days for Let's Encrypt, 1 year for paid certs). Once a certificate has expired, browsers refuse to connect.

# Check expiry date
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -enddate

# Renew Let's Encrypt certificate
sudo certbot renew

# Force renewal
sudo certbot renew --force-renewal
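
An added example, not from the original page, that turns the notAfter= line printed by the expiry check above into days remaining and a status. The function names and the 30-day warning threshold are assumptions, and the sample date is constructed.

```sh
#!/bin/sh
# Added example (function names and the 30-day threshold are assumptions).
# Input is the "notAfter=..." line printed by `openssl x509 -noout -enddate`.

# cert_days_left NOTAFTER_LINE [NOW_EPOCH] -> whole days until expiry (UTC)
cert_days_left() {
  case $1 in notAfter=*) ;; *) return 2 ;; esac   # empty when the connect failed
  now=${2:-$(date +%s)}
  printf '%s\n' "${1#notAfter=}" | awk -v now="$now" '
    {
      split($3, t, ":"); d = $2; y = $4
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
      if (m <= 2) { y--; m += 12 }       # count Jan/Feb in the prior year
      days = 365*y + int(y/4) - int(y/100) + int(y/400) - 719469
      days += int((153*(m - 3) + 2) / 5) + d          # days since 1970-01-01
      diff = days*86400 + t[1]*3600 + t[2]*60 + t[3] - now
      if (diff >= 0) printf "%d\n", int(diff / 86400)
      else           printf "%d\n", -int((86399 - diff) / 86400)
    }'
}

# cert_status NOTAFTER_LINE [WARN_DAYS] [NOW_EPOCH] -> exit 0 only when OK
cert_status() {
  left=$(cert_days_left "$1" "${3:-}") || { echo "UNKNOWN (no notAfter line)"; return 2; }
  if [ "$left" -lt 0 ]; then echo "EXPIRED ($left days)"; return 1
  elif [ "$left" -lt "${2:-30}" ]; then echo "RENEW ($left days left)"; return 1
  else echo "OK ($left days left)"; fi
}

# Live use:  cert_status "$(echo | openssl s_client -connect example.com:443 \
#              2>/dev/null | openssl x509 -noout -enddate)"
# Constructed sample line:
cert_status "notAfter=Jun  1 12:00:00 2030 GMT" || true
```

The non-zero exit status on RENEW, EXPIRED and UNKNOWN lets a cron job or monitoring check alert on it directly.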

Hostname Mismatch

The certificate must match the domain being accessed. Check that the certificate covers the exact domain or uses a wildcard.

# Certificate covers:
# - example.com
# - www.example.com

# But NOT:
# - api.example.com (unless using *.example.com wildcard)
# - subdomain.api.example.com (wildcards are single-level)

# Check what names the cert covers
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
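
The single-level wildcard rule above, as an added shell example that is not part of the original page. The helper names san_matches and cert_covers are hypothetical, and the SAN list is constructed from the names used in this section.

```sh
#!/bin/sh
# Added example (helper names are hypothetical): does a SAN list cover a host?
# A leading "*." stands for exactly one label, as described above.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# san_matches HOST PATTERN -> exit 0 when PATTERN covers HOST
san_matches() {
  host=$(lower "$1"); pat=$(lower "$2")
  host=${host%.}                       # ignore a trailing root dot
  [ "$host" = "$pat" ] && return 0     # exact name
  case $pat in
    '*.'*) suffix=${pat#\*} ;;         # "*.example.com" -> ".example.com"
    *)     return 1 ;;
  esac
  case $host in
    *"$suffix") left=${host%"$suffix"} ;;
    *)          return 1 ;;
  esac
  [ -n "$left" ] || return 1           # "*" must stand for something
  case $left in *.*) return 1 ;; esac  # ...and for one label only
  return 0
}

# cert_covers HOST SAN... -> prints the first matching SAN, exit 1 if none
cert_covers() {
  h=$1; shift
  for san in "$@"; do
    if san_matches "$h" "$san"; then printf '%s\n' "$san"; return 0; fi
  done
  return 1
}

# Constructed SAN list built from the names used in this section.
for name in example.com www.example.com api.example.com subdomain.api.example.com; do
  if m=$(cert_covers "$name" example.com www.example.com '*.example.com'); then
    echo "$name: covered by $m"
  else
    echo "$name: NOT covered"
  fi
done
```

Note that the wildcard entry does not cover the bare example.com either, which is why the list carries it as a separate name.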

Self-Signed Certificates

Self-signed certs aren't trusted by browsers. Use Let's Encrypt for free trusted certificates.

# Install certbot and get a free certificate
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com

# Or for Apache
sudo certbot --apache -d example.com

# Auto-renewal (add to crontab)
0 12 * * * /usr/bin/certbot renew --quiet

Missing Intermediate Certificate

Browsers need the full certificate chain. Missing intermediates cause errors on some clients.

# Test certificate chain
curl -vvI https://example.com 2>&1 | grep -A 10 "Server certificate"

# Nginx - include full chain
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

TLS Version Issues

Version    Status
TLS 1.3    Current standard
TLS 1.2    Still secure
TLS 1.1    Deprecated
TLS 1.0    Insecure
SSL 3.0    Insecure

# Nginx - modern TLS config
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
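
An added example, not from the original page: a small audit of nginx ssl_protocols lines against the version table above. audit_ssl_protocols is a hypothetical helper name, the sample config is constructed, and the check assumes each directive sits on a single line.

```sh
#!/bin/sh
# Added example (audit_ssl_protocols is a hypothetical helper name).
# Flags ssl_protocols values the version table marks deprecated or insecure.
# Assumes each directive sits on a single line. Exit status 1 = findings.

audit_ssl_protocols() {
  awk '
    { sub(/#.*/, "") }                         # strip comments
    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++) {
        p = $i
        last = (p ~ /;/)                       # directive ends at ";"
        sub(/;.*/, "", p)
        if (p == "TLSv1.1")                    why = "deprecated"
        else if (p == "TLSv1" || p == "SSLv3") why = "insecure"
        else if (p == "TLSv1.2" || p == "TLSv1.3" || p == "") why = ""
        else                                   why = "not a version from the table"
        if (why != "") {
          printf "%s:%d: %s is %s\n", FILENAME, FNR, p, why
          bad = 1
        }
        if (last) break
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample: a legacy server block beside the setting shown above.
conf=$(mktemp)
cat > "$conf" <<'EOF'
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy clients
}
server {
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
audit_ssl_protocols "$conf" || echo "weak protocol versions enabled"
rm -f "$conf"
```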

Quick Fixes

  • Expired cert: Renew with certbot renew
  • Wrong domain: Reissue cert with correct SANs
  • Self-signed: Switch to Let's Encrypt
  • Chain incomplete: Use fullchain.pem, not just cert.pem
  • Old TLS: Update to TLS 1.2 minimum

How to Monitor SSL Certificates

Expired SSL certificates drive users away with security warnings. UptimeSignal monitors your HTTPS endpoints and tracks certificate expiry, alerting you before certificates expire. Use our free SSL Checker to inspect your current certificate. See also: Port 443 (HTTPS), Connection Refused.

Frequently Asked Questions

What causes SSL certificate errors?
Common causes: expired certificates, self-signed certificates not trusted by browsers, hostname mismatch (certificate doesn't match domain), missing intermediate certificates in the chain, TLS version incompatibility, and revoked certificates. Diagnose with openssl s_client -connect domain:443.

How do I fix an expired SSL certificate?
For Let's Encrypt: sudo certbot renew (auto-renewal should handle this). For other CAs: purchase and install a new cert. Check expiry: echo | openssl s_client -connect domain:443 2>/dev/null | openssl x509 -noout -dates. Prevent with UptimeSignal certificate monitoring.

What does ERR_CERT_AUTHORITY_INVALID mean?
The browser doesn't trust the CA that signed your certificate. Causes: self-signed cert, missing intermediate certificates in the chain, or an unknown CA. Fix by using a trusted CA (Let's Encrypt is free) and including the full certificate chain (fullchain.pem, not just cert.pem) in your server configuration.

How do I check my SSL certificate?
Use openssl s_client -connect domain:443 for full details. Check expiry and issuer: echo | openssl s_client -connect domain:443 2>/dev/null | openssl x509 -noout -dates -subject -issuer. For a web-based check, use our SSL Checker or Qualys SSL Labs.

How do I get a free SSL certificate?
Let's Encrypt provides free certificates: sudo apt install certbot python3-certbot-nginx then sudo certbot --nginx -d yourdomain.com. It auto-configures your server and sets up renewal. Cloudflare, AWS Certificate Manager, and ZeroSSL also offer free SSL. See our Port 443 guide for setup details.
