What does NET::ERR_CERT_AUTHORITY_INVALID error mean?

This error means the certificate comes from an untrusted certificate authority. Most often it results from using a self-signed certificate or missing intermediate certificates in the chain.

What is a wildcard SSL certificate?

A wildcard certificate (.example.com) covers the root domain and all first-level subdomains. One certificate protects mail.example.com, shop.example.com, blog.example.com, and other subdomains.

Is Let's Encrypt safe?

Yes — Let's Encrypt is a trusted certificate authority recognized by all browsers. DV certificates from Let's Encrypt are free and sufficient for most sites. The only difference from paid ones is the lack of organization identity verification.

SSL/TLS errors — what do they mean and how to fix them?

Q: What does ERR_CERT_EXPIRED error mean?

ERR_CERT_EXPIRED means the SSL certificate has expired. Let's Encrypt certificates are valid for 90 days, commercial ones usually for a year. You should renew the certificate or configure auto-renewal via certbot.

SSL/TLS errors are one of the most common technical problems encountered by website owners and server administrators. The browser displays a security warning when an SSL certificate is invalid, expired, or incorrectly configured. Such an error will effectively deter users and can negatively impact the site's search engine ranking.

Do you want to check your site's SSL certificate?

Check SSL certificate

How does an SSL/TLS certificate work?

An SSL/TLS certificate is a digital document confirming server identity and enabling connection encryption. It is issued by trusted certificate authorities (CA). The browser verifies the certificate with every HTTPS connection — checking if it is valid, has not expired, and comes from a trusted CA.

Most common SSL/TLS errors

ERR_CERT_EXPIRED Certificate expired

An SSL certificate has an expiration date. After it passes, the browser displays an error and blocks access to the page. Let's Encrypt certificates are valid for 90 days, commercial ones usually for 1 year.

Solution

Renew the SSL certificate. For Let's Encrypt, configure auto-renewal via certbot (certbot renew --dry-run). Set up expiration date monitoring — our SSL checker sends alerts.

NET::ERR_CERT_AUTHORITY_INVALID Untrusted Certificate Authority

The certificate was issued by a CA that the browser does not recognize as trusted. This could be a self-signed certificate or one from a CA not present in the browser's trusted certificate store.

Possible causes

Self-signed certificate — used in developer environments
Missing intermediate certificates
Certificate from a CA that has lost trust (e.g., Symantec in 2018)

Solution

In production, use a certificate from a trusted CA (Let's Encrypt, DigiCert, Sectigo). Check if the certificate chain is complete — the server should send the primary certificate + all intermediate certificates.

ERR_CERT_COMMON_NAME_INVALID Domain name mismatch

The certificate was issued for a different domain than the one you are trying to connect to. The browser compares the domain in the certificate (CN or SAN field) with the address in the address bar.

Possible causes

Certificate issued for example.com but the site operates under www.example.com
Missing entry for the subdomain in the SAN (Subject Alternative Names) field
Certificate for a different domain installed on the server (vhost configuration error)

Solution

When issuing a certificate, make sure it covers all domain variants: example.com and www.example.com. Wildcard certificates (.example.com) cover all subdomains of one level.

ERR_SSL_PROTOCOL_ERROR SSL/TLS protocol error

The browser and server cannot agree on a common TLS protocol version or cipher suite. It can also mean the server is sending HTTP data instead of HTTPS.

Possible causes

Server only supports obsolete TLS 1.0/1.1 protocols (deprecated in 2020)
Port 443 returns HTTP traffic instead of HTTPS
Incorrect nginx/Apache configuration — missing ssl on directive

Solution

Configure the server to support TLS 1.2 and TLS 1.3. Check the vhost configuration — ensure port 443 has SSL enabled. Use the SSL Labs tool for configuration audit.

MIXED CONTENT Mixed content HTTP/HTTPS

The site is available via HTTPS but loads resources (images, scripts, styles) via unencrypted HTTP. The browser blocks active resources (JS, CSS) and displays a warning for passive ones (images).

Solution

Replace all http:// references with https:// or use the relative protocol //. In WordPress, use the Really Simple SSL plugin. Add the header Content-Security-Policy: upgrade-insecure-requests.

ERR_TOO_MANY_REDIRECTS SSL redirect loop

The server redirects infinitely between HTTP and HTTPS. It often results from incorrect redirect configuration when a load balancer or CDN that terminates SSL stands behind the server.

Solution

Check the redirect configuration in .htaccess or nginx. If using Cloudflare — set SSL mode to 'Full (strict)'. In WordPress, check URL options in settings.

SSL certificate types

SSL certificates differ in the level of owner identity verification and protection scope.

Type	Verification	Issuance time	Use
DV	Domain Validation	Minutes — hours	Blogs, personal sites, small stores
OV	Organization Validation	1-3 days	Corporate sites, B2B portals
EV	Extended Validation	1-2 weeks	Banks, financial institutions
Wildcard	Subdomain Validation	Minutes — hours	Multiple subdomains of one domain
Multi-SAN	Multiple Domains	Minutes — days	Multiple different domains on one certificate

For most websites, a DV certificate from Let's Encrypt is sufficient and completely free. Let's Encrypt issues certificates automatically and supports auto-renewal every 90 days.

Check SSL certificate

Check certificate validity, expiration date, and HTTPS configuration details.

HTTP Status Checker

Check the HTTP code and redirect chain for any website.