A Simple Explanation of SSL Certificate Errors & How to Fix Them

Learn More About HubSpot's CMS with SSL

Today there are over 320 million websites with an SSL certificate on the Internet - and this number is expected to increase as more search engines and consumers show preference to these sites.

I use SSL certificates because they make my site look more trustworthy. An SSL error does the opposite. If my customers no longer trust my site, this may cause them to look to a competitor they can actually trust.

In this post, I'll discuss what this error means and what could be causing it. Then I'll walk through the different steps you can take to resolve the error and get your site up and running again. Or you can choose a CMS that includes an SSL certificate - like the Free Content Hub does.

Table of Contents

• What is an SSL certificate error?
• Types of SSL Certificate Errors
• How to Fix SSL Certificate Error
• How to Fix SSL Errors as a Website Visitor

An SSL certificate is a standard security technology for encrypting information between a visitor's browser and my website. Because it helps keep sensitive information like passwords and payment information safe, visitors feel safer on sites that are encrypted with SSL. I can spot an encrypted site by the "HTTPS" in the URL and the padlock icon in the address bar.

Sites that aren't encrypted may see hits to their traffic or conversion rates. Not only are these sites flagged as "Not secure" in Google Chrome, but 20% of online shoppers avoid them.

Thankfully, many hosted platforms like Content Hub and Squarespace will include an SSL certificate in their plans, so I don't have to worry about installing or renewing it.

There are times when opting for a self-hosted platform like WordPress.org makes the most sense to me. This is because most hosting providers will include an SSL in their plans as well. HostGator, for example, includes an SSL certificate in its lowest-tiered plans. However, if your solution does not include SSL, you can acquire one from an SSL certificate provider.

I have sometimes chosen a plan that includes SSL certification or installed a certificate on my site. Then I open Google Chrome and try to visit a page on my site, and instead of the page loading, I get an "ERR_SSL_PROTOCOL_ERROR" message. What gives?

Image Source

This is an SSL error.

This message will look different depending on two factors. The first is the browser I am using. The previous screenshot shows an error message on Google Chrome, while the screenshot below shows a message I've seen on Internet Explorer.

Image Source

The second factor is the type of SSL Certificate error occurring. Let's take a look at these different types below.

Types of SSL Certificate Errors

I have encountered several different types of SSL certificate errors as a web developer. Let's look at the most common ones.

1. SSL Certificate Not Trusted Error

This error indicates that the SSL certificate is signed or approved by a company that the browser does not trust. That means either the company, known as the certificate authority (CA), is not on the browser's built-in list of trusted certificate providers or that the certificate was issued by the server itself. Certificates issued by the server are often referred to as self-signed certificates.

Image Source

2. Name Mismatch Error

This error indicates that the domain name in the SSL certificate doesn't match the URL that was typed into the browser. This message can be caused by something as simple as "www." Say the certificate is registered for www.yoursite.com, and you type in https://yoursite.com. Then, you'll get an SSL certificate name error.

Image Source

3. Mixed Content Error

This error indicates that a secure page (one that is loaded with HTTPS in the address bar) contains an element that's being loaded from an insecure page (one that is loaded with HTTP in the address bar). Even if there's only one insecure file on a page - often, an image, iframe, Flash animation, or snippet of JavaScript - your browser will display an error message instead of loading the page.

Image Source

4. Expired SSL Certificate Error

This error occurs when the site's SSL certificate expires. According to industry standards, SSL certificates cannot have a lifespan longer than 398 days. That means that every website needs to renew or replace its SSL certificate at least once every two years.

Otherwise, when I try to load my site, I'll see an error that looks something like this:

Image Source

5. SSL Certificate Revoked Error

This error indicates that the CA has canceled or revoked the website's SSL certificate. This could be because the website acquired the certificate with false credentials (whether by accident or on purpose), the key was compromised, or the wrong key was issued. These issues result in the following error message:

Image Source

6. Generic SSL Protocol Error

This error is particularly tricky to resolve because there are multiple potential causes, including the following.

An Improperly Formatted SSL Certificate That the Browser Cannot Parse

I recommend double-checking the certificate's format and ensuring it follows the correct standards. When I encountered this issue in the past, I contacted my certificate provider to reissue or repair the certificate.

A Certificate That Is Not Properly Installed on the Server

Ensure that the certificate is installed in the right location and that the server configuration points to the correct certificate file. If this turns out to be the issue, I can simply reinstall or consult my server's documentation.

A Faulty, Unverified, or Missing Digital Signature

SSL certificates rely on digital signatures to ensure their authenticity. Without them, I can get SSL protocol errors. If necessary, I can contact my certificate provider to verify the integrity and validity of the certificate or replace it if necessary.

The Use of an Outdated Encryption Algorithm

Some older encryption algorithms may be considered insecure and unsupported by modern browsers. If my certificate uses one, it can lead to SSL protocol errors. I recommend buying a new SSL certificate that uses a stronger and more secure encryption algorithm.

A Firewall or Other Security Software Interfering With the SSL Protection

I always check my firewall or security software settings to ensure they're not blocking or interfering with SSL connections. Then, I try disabling any features that might disrupt my SSL.

A Problem in the Certificate's Chain of Trust

A chain or trust is the series of certifications that make up your site's SSL encryption. SSL certificates are typically issued by trusted Certificate Authorities (CAs) and should form a chain of trust that browsers can validate. If there's an issue, such as a missing intermediate certificate, SSL protocol errors can occur.

In these cases, I've seen a generic SSL message like this one:

Next up, we'll cover some potential fixes.

1. Confirm that I have an SSL certificate installed on my website.

Before troubleshooting my SSL error, I need to make sure my website has SSL installed. One simple way to do so is to access my website on my browser and look at the address bar.

If my website has an SSL certificate installed, the URL should start with "https://" instead of "http://". I may also see a padlock icon indicating that the connection is secure.

I also recommend checking the status via my hosting provider's portal or an SSL checker like HubSpot's.

2. Edit my Whois email address to validate my SSL.

If I have a Content Hub website and am running into an SSL error, it may be because there is no Whois email associated with my site. Content Hub automatically gives an SSL certificate, but can sometimes cause issues when there's a discrepancy in registration information.

All Content Hub websites include an SSL certificate - 100% free

One such discrepancy is the Whois email. If those don't match, Content Hub is unable to authenticate the domain's ownership.

To solve this problem, I can log into my DNS provider's website and update my Whois email. You can find more detailed instructions here (as well as other methods of resolving this error).

3. Diagnose the problem with an online tool.

Next, use an online tool to identify the problem causing the SSL certificate error on my site. I can use a tool like SSL Checker, SSL Certificate Checker, or SSL Server Test, which will verify that an SSL certificate is installed and not expired, that the domain name is correctly listed on the certificate, and more. To use the tool, I just copy and paste my site address into the search bar.

4. Install an intermediate certificate on my web server.

If the problem is that my CA is not trusted, then I may need to install at least one intermediate certificate on my web server. Intermediate certificates help browsers establish that the website's certificate was issued by a valid root certification authority.

Some web hosting providers, such as GoDaddy, offer information on installing intermediate certificates. So first, I'll double-check that my web host offers the option or a tool to obtain an intermediate certificate.

If not, I'll need to double-check my website's server and find instructions for my server. Let's say I installed an SSL certificate from the popular provider, Namecheap, on my Microsoft Windows Server. Then, I can follow this step-by-step tutorial to install an intermediate certificate.

If you're not on a Windows Server, I can find instructions for my server here.

5. Generate a new Certificate Signing Request (CSR).

If I'm still getting a certificate not trusted error, then I could have installed the certificate incorrectly. In that case, I can generate a new CSR from my server and reissue it from my certificate provider. Steps will vary depending on your server. You can check out this link hub to generate a CSR on different servers.

6. Upgrade to a dedicated IP address.

If I'm getting a name mismatch error, then the problem may be my IP address.

When I type my domain name into my browser, it first connects to my site's IP address and then goes to my site. Usually, a website has its own IP address. But if I use a type of web hosting other than dedicated hosting, my site may be sharing an IP address with multiple sites.

If one of those websites does not have an SSL certificate installed, then a browser might not know which site it's supposed to visit and display a mismatch name error message. To resolve the issue, I can upgrade to a dedicated IP address for my site.

7. Get a wildcard SSL certificate.

If I'm still getting a name mismatch error, then I might need to get a wildcard SSL certificate. This type of certificate will allow me to secure multiple subdomain names as well as my root domain. For example, I could get one Multi-Domain SSL Certificate to cover all of the following names:

• mysite.com
• mail.mysite.com
• autodiscover.mysite.com
• blog.mysite.com

8. Change all URLS to HTTPS.

If I get a mixed content error on one of my web pages, then I can copy and paste the URL into WhyNoPadLock.com to identify the insecure elements. Once I've identified the elements, edit the source code of the page and change the URLs of the insecure elements to HTTPS. Alternatively, I can take a look at the results and see if I need additional support from my web hosting provider.

9. Renew my SSL certificate.

If my SSL certificate is expired, I'll have to renew it immediately. The details of the renewal process change depending on the web host or CA I am using, but the steps remain the same. I'll need to generate a CSR, activate my certificate, and install it.

How to Fix SSL Errors as a Website Visitor

Verify accurate date and time settings.

As a technical consultant, I sometimes have to travel for work. Due to my settings, my computer's time and date weren't updating when I switched time zones. This tiny issue led to certificate validation errors when I browsed other websites because my browser thought the SSL certificate had expired. I fixed this by changing my settings to update my time and date automatically.

If you are using a Mac, click on System Preferences, then Date & Time.

If you are using Windows, click Start, Settings, Time & language, and finally Date & time.

Use an updated browser.

As technology advances, security protocols do, too. I recommend always using an updated browser to stay compatible with SSL changes.

For example, if you are using Chrome and aren't sure if you are using the latest version, follow the steps below to check for an update:

• Launch Chrome.
• Select Chrome.
• Click About Chrome.
• Check for an update. If you are up to date, you may not see this option.

Delete browsing data.

It's always good practice to clear your cookies, caches, and history when you encounter an error. The reason why your information persists across browsing sessions is that data is constantly being stored in your cookies and caches. When expired certificates are still stored in your history, this can cause an SSL error.

Try a different browser.

When I am trying to figure out how to fix an issue, the developer in me always tries to reproduce the issue in a different environment. Whenever I encounter an SSL issue, I try using the same exact website in a different browser. This allows me to narrow down the issue to either being browser-specific or website-specific.

Refresh the page.

Believe it or not, refreshing the page can solve many issues. It's the first step I try whenever I receive an SSL error. Sometimes wires get crossed for no specific reason and a simple page refresh can quickly get you back on track with surfing the web.

Resolving an Invalid SSL Certificate

As I've shown you, there are several possible explanations for an SSL certificate that doesn't work. However, the end result is the same for visitors - they'll see a warning in their browser window explaining that the website they're about to enter is not secure.

Of course, this is far from the best thing for any company's reputation, so be sure to address the lack of encryption as soon as possible. If the methods above don't work, I recommend getting in touch with your hosting provider to help you troubleshoot. Chances are, they've seen problems like yours before.

Editor's note: This post was originally published in April 2020 and has been updated for comprehensiveness.

Topics:Website Development

Don't forget to share this post!