How to fix common SSL/TLS certificate errors
Expired, untrusted or mismatched certificates throw scary browser warnings that kill trust. Here's how to diagnose and fix the most common SSL/TLS errors.
An SSL/TLS certificate proves your site is who it says and encrypts the connection. When something's wrong, browsers show a full-page warning that most visitors will never click past. Here are the errors you'll actually hit and how to fix each.
Expired certificate#
The most common and most avoidable outage. Certificates are short-lived (often 90 days); if auto-renewal fails, the site goes down with NET::ERR_CERT_DATE_INVALID.
- Use automated issuance/renewal (Let's Encrypt via your host, ACME, or a managed CDN cert).
- Monitor expiry so a failed renewal warns you before it bites — set up an SSL-expiry monitor.
Incomplete chain#
Your certificate must be served together with the intermediate certificate(s) that link it to a trusted root. Miss them and some clients (especially non-browser/API clients) reject it even though desktop Chrome may appear fine.
- Install the full chain (your cert + intermediates), usually a
fullchain.pem. - If desktop browsers work but mobile/API clients fail, an incomplete chain is the usual cause.
Hostname mismatch#
NET::ERR_CERT_COMMON_NAME_INVALID means the certificate doesn't cover the hostname you're on — e.g. a cert for example.com served on www.example.com.
- Issue a cert that lists every hostname you serve in its Subject Alternative Names (SAN), or a wildcard
*.example.com. - Make sure both apex and
www(and any subdomains) are covered.
Mixed content#
The page loads over HTTPS but pulls a script, image or stylesheet over http://. Browsers block active mixed content and flag the page as not fully secure.
- Change subresource URLs to
https://(or protocol-relative), or self-host them. - Add
upgrade-insecure-requeststo your CSP to auto-upgrade legacy references.
Frequently asked questions
▸ ▾ How long are SSL certificates valid?
Publicly-trusted TLS certificates are typically issued for up to about 90 days (and the industry is moving shorter). That's why automated renewal and expiry monitoring matter — manual renewal doesn't scale to that cadence.
▸ ▾ Why does my site work in Chrome but fail elsewhere?
Usually an incomplete certificate chain. Desktop browsers sometimes cache or fetch missing intermediates, but stricter clients (mobile, API libraries) don't. Serve the full chain (leaf + intermediates).
▸ ▾ What is mixed content?
An HTTPS page loading a subresource (script, image, CSS, font) over plain HTTP. Browsers block active mixed content and downgrade the page's security indicator. Fix by serving every subresource over HTTPS.
Do it with a free tool
Related guides
Published 2026-07-09 · Updated 2026-07-09 · By Crawlsonar.