Troubleshooting Most Common SSL Errors

It is necessary to regularly check that the SSL certificate on the site is properly configured to ensure the security of the site and the people who visit it.

An SSL (Secure Sockets Layer) certificate will create a secured connection between the browser of the user and the website by encrypting the information being transmitted.

How to check Website SSL Certificate?

Here is a full breakdown of how to check your SSL and what some SSL ambiguities may mean.

Check the URL

The first and easiest way to verify if a SSL certificate is active on a website is to check the URL.

Websites with an SSL Certificate will have a URL that starts with “https://” instead of “http://”. The “s” in “https” is simply an indication that the website is using Secure Sockets Layer (SSL) encryption as opposed to traditional http.

This is a clear indication that the information being passed between the browser and the server is secured which provides an additional layer of protection.

Steps to Check:

• Open the website you want to check.
• Look at the URL in the address bar of your browser.
• Ensure that the URL starts with “https://”. If it does, the website is using an SSL certificate. If it starts with “http://”, the connection is not secured by SSL.

Look for the Padlock

The second way in which SSL security can be determined is by the presence of a padlock which is located at the bottom of the web browser window.

Often you will see the padlock sit near the website address when a connection with the browser is initiated. which indicates that the connection with the browser is secure

Steps to Check:

• In the address bar of the browser. Look for the square padlock icon on the right of the URL.
• The padlock icon will be in the address bar, and you can click it to find out more about the contained SSL certificate.
• You will see a drop down menu or dialog box with some of the information you need to know about the certificate including the certificate validity period, the authority which issued the certificate and the validity of the certificate etc.

Get a Security Overview

If you want to provide a further dive into the SSL certificate information, you have some viewers in your browsers that will perm you with a complete security review.

This is particularly helpful related to the SSL details, including information surrounding issuance date, expiry date and strength regarding encryption.

Steps to Check:

• Right-click any part of the webpage and click on “Inspect” or “Inspect Element” (depending on the browser you use).
• Select the “Security” tab in the developer tools panel.
• You will see the SSL/TLS certificate information including the validity period of the certificate, the protocol (TLS 1.2 or TLS 1.3), the cipher suite, and if the certificate is trusted by the browser.
• In some browsers, they summarize also known security problems or even warnings about expired SSL certificates, incorrect SSL certificate configuration or unsupported protocol/older protocols.

Most Common SSL Errors & How to Fix It

Below are some of the most common SSL error including what causes those errors and ideas to fix them:

SSL Certificate Not Trusted Error

The “SSL Certificate Not Trusted” error usually means that the SSL certificate cannot be verified as authentic by the browser because it is not issued from a trusted Certificate Authority (CA), Browsers are programmed to trust SSL certificates that are issued by known CAs.

If the certificate is self-signed or the CA is not known to the browser, the browser will warn the user they are not secure.

Causes:

• The SSL certificate is self-signed.
• The SSL certificate is from a CA that is untrusted or unknown.
• Missing intermediate certificates which cause the browser to be unable to map the SSL to a trusted root.

How to Fix:

• Make sure you purchased your SSL certificate from a legitimate CA.
• Make sure you have the correct intermediate certificates installed on your server to complete the chain.
• Consider using an automated tool like Certbot for easier management of certificates.

Expired SSL Certificate

SSL certificates have a finite validity in time. Usually somewhere between 1 and 3 years. After the amount of time you put into this there is an expiration, and if you do not renew, browsers will flag your website as insecure.

Users will see a warning that your site has an expired SSL certificate and be deterred from accessing your site.

Causes:

• The SSL certificate has expired.
• The owner of the website failed to renew the ssl certificate before it expired,

How to Fix:

• Keep track of when your SSL certificate is going to expire.
• To avoid disruptions, Renew the certificate before it expires.
• If your CA has an automated renewal service take advantage of it, or you can set a reminder to renew the ssl certificate when it expires.

Mixed Content Warnings

Mixed content Warning occurs when secure HTTPS is used to load a website, but one or more resources on the webpage (images, scripts or stylesheets) are not secure and loaded over an insecure HTTP connection. This could risk compromising the entire page, and could issue warnings in browsers and to the user about the insecurities of the page.

Causes:

• Referring elements on the web page to resources (images, scripts or styles) with HTTP instead of HTTPS.
• Outdated content management systems or plugins that serve HTTP content

How To Fix:

• Making sure all resources on the website (images, scripts, stylesheets, etc.) are served over HTTPS
• Updating the website content and backend code so that they are referring all
• HTTP links to HTTPS
• Use CDN’s (content delivery networks) which support HTTPS.

SSL Protocol or Cipher Mismatch

This error occurs when the browser and server are not capable of coming to an agreement regarding a common SSL protocol or cipher suite for the establishment of a secure connection, based upon its configuration.

Also Read: How to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH Error?

This could be in place if the server has accepted outdated or weak encryption protocols which are no longer supported by the current browsers.

Causes:

• Server is using SSL/TLS protocols that are now deprecated – i.e. SSLv3, TLS 1.0, TLS 1.1…
• Server configured with weak – or outdated cipher suites.

How to Fix:

• Update your server settings to support modern SSL/TLS protocols, attested by protocols TLS 1.2 or TLS 1.3.
• Disable older protocols, such as SSLv2, SSLv3, TLS 1.0, and TLS 1.1.
• Configure your server to use strong cipher suites and comply with best practices for secure encryption settings.

Improperly Configured Certificate Chain

SSL certificates are made up of the SSL certificate, intermediate certificates, and the root certificate. If a complete certificate chain is improperly configured, a browser may display an error stating that the connection is not secure because it could not verify the authenticity of the certificate.

Causes:

• SSL certificate chain has missing intermediate certificates.
• Incorrectly configured SSL certificate chain on the web server.

How to Fix:

• Make sure you have installed all intermediate certificates necessary on your server.
• Confirm that your SSL certificate chain is configured correctly and goes back to a trusted root certificate authority.
• Utilize online tools like SSL Labs’ SSL Test and enter your domain name, to analyze your certificate chain and find issues.

Name Mismatch Error

The name mismatch, as seen in the name mismatch error example, occurs when the domain name in the URL does not match the domain name that the SSL certificate is issued for.

For example, if an SSL certificate is issued for www.example.com and you try to access the website at example.com (without the www), you might see a name mismatch error in the browser.

Causes:

• The SSL certificate is for a specific domain (e.g., www.example.com) and not the claimed domain (e.g., example.com).
• The website is using a single-domain SSL certificate as opposed to a wildcard or SAN (Subject Alternative Name) certificate.

How to Fix:

• Either purchase a wildcard SSL certificate or a SAN certificate that permits for multiple domain names and their variations.
• Redirect all traffic to the designated domain name as noted on the SSL certificate.
• Make sure the SSL certificate covers all domain names that it needs to cover.

Self-Signed Certificate Error

Self-signed certificates are SSL certificates that have not been issued by a trusted Certificate Authority, and because of that, they are not trusted by browsers.

Also Read: How to Resolve the “Self-Signed Certificate in Certificate Chain” Error?

Self-signed certificates can be used for internal testing, or private use on private networks, but aside from that, they will get warning messages for public websites.

Causes:

• The SSL certificate was generated in-house and therefore doesn’t comply with a trusted CA
• The certificate is being used for a public website and doesn’t have a CA-verified signature.

How to Fix:

• For public websites, obtain an SSL certificate from a trusted CA
• Use self-signed certificates when you are in internal / development environments
• With self-signed certificates, if you are in a closed network, install the CA’s root certificate on client devices.

Untrusted Root Certificate

The “Untrusted Root Certificate” error means that the root certificate in the SSL certificate chain is not recognized by the browser. This will occur when the root certificate is not included in the browsers trusted root certificate store so you cannot establish a trusted connection and a security warning will be presented to users.

Causes:

• The root certificate is from a lesser known or untrusted Certificate Authority (CA).
• The root certificate is too old or not trusted and is not included in the browsers list of trusted root certificates.

How to Fix:

• Confirm that the SSL certificate is from a reputable and trustworthy CA.
• If using a private CA, distribute the root certificate to all clients’ devices and be sure it is in the clients’ trusted root certificate store.
• Consider a possible exchange of the SSL certificate with a CA that is known and accepted by most everyone.

Certificate Revoked Error

This is an error that means that an SSL certificate has been revoked by the CA before its expiration date for a reason. Revocation may occur for numerous reasons, like a private key has been compromised or the CA identified a fraudulent use of the certificate.

Also Read: How to Fix NET::ERR_CERT_REVOKED_Certificate Error?

Browsers that check for certificate revocation will block access to sites with revoked certificates.

Cause:

• The SSL certificate has been revoked by the CA due to some security issue.
• The private key that was associated with the certificate may have been compromised.
• The website operator may have accidentally or mistakenly revoked the certificate.

How to Fix:

• Contact the CA to determine the reason for the revocation and obtain a new SSL Certificate.
• Remove the revoked SSL certificate and replace it with a new, valid one.
• Adhere to security best practices that help protect the future compromise of SSL certificates.

SSL Certificate Not Yet Valid

This fatal error happens when the validity start date of the SSL certificate has not been reached and the certificate is not yet active. The browsers will warn that the certificate is not yet valid and users will not be able to access the web site securely at that point in time.         

Causes:

• Authenticated SSL cert has a future start date and is not valid yet.
• The server date and time settings mean that the current time is out of sync with the SSL certificate validity period.

How to Fix:

• Check the validity start date of the SSL certificate. If it is in the future, make sure you are viewing the current date.
• Verify the server date and time. If the server date and time are also indicating the current date, perhaps the server is misconfigured with regards to its time zone.
• If you have been issued an SSL certificate with an incorrect start date, please talk to your CA as they may provide you a replacement certificate.

Conclusion

Don’t leave your website vulnerable and untrustworthy due to SSL errors! With CheapSSLWeb, you get only the best ssl certificates and support so you can be confident your website is always secure and your visitors are safe!

Search