Common SSL-related problems and how to resolve them

Below is a practical, technical overview of the most common SSL/TLS problems, why they happen, and how to fix them. This applies to websites, APIs, load balancers, and CDNs.
1. Certificate expired

Symptoms

  • Browser warning: “Your connection is not private”
  • Error codes: NET::ERR_CERT_DATE_INVALID, SSL_ERROR_EXPIRED_CERT_ALERT

Causes

  • Certificate validity period ended
  • Auto-renewal failed (Let’s Encrypt, ACME client, cron, DNS challenge)

How to resolve

  • Renew the certificate immediately
  • Verify auto-renewal:
    • ACME client (certbot, acme.sh) is running
    • Port 80/443 or DNS challenge works
  • Reload the web server after renewal

2. Certificate not trusted / untrusted issuer

Symptoms

  • “Certificate not trusted”
  • SEC_ERROR_UNKNOWN_ISSUER

Causes

  • Self-signed certificate
  • Missing intermediate certificate
  • Using a private CA without installing the root

How to resolve

  • Use a publicly trusted CA
  • Install the full certificate chain (leaf + intermediates)
  • For private CAs: install the root CA on clients

3. Missing or incorrect intermediate certificate (chain issues)

Symptoms

  • Works in some browsers but not others
  • SSL checker shows “incomplete chain”

Causes

  • Server sends only the leaf certificate

How to resolve

  • Configure your server to use a fullchain file
  • Common fixes:
    • Apache: SSLCertificateFile fullchain.pem (Apache 2.4.8 or newer; older versions need the intermediates in SSLCertificateChainFile)
    • Nginx: ssl_certificate fullchain.pem (the leaf must come first in the file, followed by the intermediates)
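As an added example (not part of the original article), the script below builds a throw-away root/intermediate/leaf PKI with openssl and then validates the leaf the way a browser does, first with the leaf alone and then with a leaf+intermediate bundle. All names are constructed; it assumes the openssl CLI, awk and mktemp are available.

```shell
#!/bin/sh
# Added example, not from the original article: a throw-away root -> intermediate
# -> leaf PKI (all names constructed) showing why a server that sends only its
# leaf fails validation while a leaf+intermediate bundle passes. Needs openssl.
set -eu
work=$(mktemp -d)
ca_ext='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
leaf_ext='basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n'

# newkey_csr NAME SUBJECT: fresh P-256 key and a CSR for it.
newkey_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$work/$1.key" -out "$work/$1.csr" -subj "$2" 2>/dev/null
}

newkey_csr root "/CN=Demo Root CA"; printf '%b' "$ca_ext" > "$work/ca.ext"
openssl x509 -req -in "$work/root.csr" -signkey "$work/root.key" -days 30 \
  -extfile "$work/ca.ext" -out "$work/root.pem" 2>/dev/null

newkey_csr int "/CN=Demo Intermediate CA"
openssl x509 -req -in "$work/int.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
  -CAcreateserial -days 30 -extfile "$work/ca.ext" -out "$work/int.pem" 2>/dev/null

newkey_csr leaf "/CN=www.example.test"; printf '%b' "$leaf_ext" > "$work/leaf.ext"
openssl x509 -req -in "$work/leaf.csr" -CA "$work/int.pem" -CAkey "$work/int.key" \
  -CAcreateserial -days 30 -extfile "$work/leaf.ext" -out "$work/leaf.pem" 2>/dev/null

# What a correctly configured server sends: the leaf first, then its intermediate.
cat "$work/leaf.pem" "$work/int.pem" > "$work/fullchain.pem"

# check_chain BUNDLE ROOTS: validate like a client does, taking the first
# certificate as the leaf and anything after it as untrusted intermediates;
# only ROOTS (the client's trust store) is trusted.
check_chain() {
  awk '/BEGIN CERT/{n++} n==1' "$1" > "$work/_leaf.pem"
  awk '/BEGIN CERT/{n++} n>1'  "$1" > "$work/_inter.pem"
  if [ -s "$work/_inter.pem" ]; then
    openssl verify -CAfile "$2" -untrusted "$work/_inter.pem" "$work/_leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$work/_leaf.pem" >/dev/null 2>&1
  fi
}

# Leaf alone: the client cannot build a path to the root ("incomplete chain").
check_chain "$work/leaf.pem" "$work/root.pem"      && echo "leaf only: OK" || echo "leaf only: incomplete chain"
check_chain "$work/fullchain.pem" "$work/root.pem" && echo "fullchain: OK"  || echo "fullchain: FAILED"
```

The same split (first certificate as leaf, rest as untrusted) is what an online SSL checker does when it reports "incomplete chain".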

4. Domain name mismatch

Symptoms

  • NET::ERR_CERT_COMMON_NAME_INVALID

Causes

  • Certificate does not cover:
    • www vs non-www
    • Subdomain
    • Different domain entirely

How to resolve

  • Reissue certificate with correct:
    • Common Name (CN)
    • Subject Alternative Names (SANs)
  • Use wildcard or multi-domain certificates if needed

5. Mixed content (HTTPS page loading HTTP resources)

Symptoms

  • Browser console warnings
  • Broken styles, scripts, or images
  • Padlock shows warning or disappears

Causes

  • CSS, JS, images loaded over http://
  • Hardcoded URLs in HTML, CSS, or JS

How to resolve

  • Replace all http:// resources with https://
  • Use protocol-relative or absolute HTTPS URLs
  • Enable a Content Security Policy (CSP) to enforce it, for example with the upgrade-insecure-requests directive

6. Wrong certificate installed (especially behind a CDN or load balancer)

Symptoms

  • Certificate shown in browser doesn’t match expected one
  • CDN works but origin fails (or vice versa)

Causes

  • Certificate installed on the wrong layer:
    • CDN vs origin server
  • Multiple virtual hosts misconfigured

How to resolve

  • Verify which certificate terminates TLS:
    • Browser → CDN
    • CDN → origin
  • Install correct certificate on each layer
  • Check SNI configuration

7. TLS version or cipher mismatch

Symptoms

  • Some devices/browsers can’t connect
  • Errors like ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Causes

  • TLS 1.0/1.1 disabled on the server (this is expected and correct)
  • Legacy clients using outdated crypto
  • Server configured with incompatible ciphers

How to resolve

  • Enable TLS 1.2 and TLS 1.3
  • Use modern cipher suites
  • Accept that very old clients may not work

8. OCSP stapling or revocation check failures

Symptoms

  • Slow TLS handshakes
  • Browser revocation warnings (rare but possible)

Causes

  • OCSP responder unreachable
  • Misconfigured stapling

How to resolve

  • Enable OCSP stapling on the server
  • Ensure outbound connections to CA OCSP servers work
  • Monitor stapling status

9. Redirect loops after enabling SSL

Symptoms

  • Browser error: “Too many redirects”

Causes

  • HTTP → HTTPS redirect at multiple layers
  • CDN + origin both forcing redirects incorrectly

How to resolve

  • Decide one place to enforce HTTPS
  • If using a CDN:
    • CDN handles redirect
    • Origin serves HTTPS without redirect logic
  • Check X-Forwarded-Proto handling: the origin must treat a request the CDN received over HTTPS as HTTPS, or it will redirect it again and loop

10. SSL handshake failures

Symptoms

  • SSL_ERROR_HANDSHAKE_FAILURE
  • Connection resets during TLS negotiation

Causes

  • Incompatible ciphers
  • Incorrect certificate key type
  • Broken OpenSSL or server configuration

How to resolve

  • Verify certificate and private key match
  • Use supported key sizes (RSA 2048+, ECDSA P-256)
  • Test with multiple clients

11. Certificate revoked

Symptoms

  • Browser explicitly blocks connection
  • Security tools flag the certificate

Causes

  • Private key compromised
  • Certificate mis-issued

How to resolve

  • Revoke the certificate
  • Generate a new key pair
  • Issue and install a new certificate immediately

12. HSTS misconfiguration

Symptoms

  • Cannot access site over HTTP anymore
  • Locked into HTTPS even after certificate issues

Causes

  • HSTS enabled with long max-age
  • includeSubDomains applied unintentionally

How to resolve

  • Fix HTTPS first (HSTS cannot be bypassed: browsers will not let users click through certificate errors on an HSTS host)
  • Reduce max-age only after HTTPS is stable
  • Be cautious with preload

13. Private key problems

Symptoms

  • Server fails to start
  • TLS errors at handshake

Causes

  • Wrong key file
  • Key doesn’t match certificate
  • File permission issues

How to resolve

  • Verify key and certificate match
  • Ensure correct file permissions and ownership
  • Never reuse compromised keys
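Sections 1, 10 and 13 all come down to checking the files on disk before reloading the server. The following script is an added example, not from the original article: it generates a constructed certificate and keys, then checks that key and certificate match, that the key file is not readable by group or other, and that the certificate is not already inside a renewal window. It assumes the openssl CLI and GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not from the original article: pre-reload sanity checks for the
# key and certificate a web server is about to load. Files are constructed
# throw-aways; the openssl CLI is required.
set -eu
work=$(mktemp -d)

# Constructed self-signed cert (valid 5 days) with its key, plus an unrelated key.
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 5 \
  -subj "/CN=www.example.test" -keyout "$work/good.key" -out "$work/cert.pem" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$work/other.key" 2>/dev/null
chmod 600 "$work/good.key"; chmod 644 "$work/other.key"   # one correct, one sloppy

# pubkey_fingerprint FILE: SHA-256 of the public key taken from a certificate or
# a private key, so RSA and ECDSA material compare the same way.
pubkey_fingerprint() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    openssl x509 -in "$1" -pubkey -noout
  else
    openssl pkey -in "$1" -pubout
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT: succeed only when both carry the same public key.
key_matches_cert() {
  [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# key_is_private FILE: succeed only when group and other have no permission bits.
key_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")  # GNU, then BSD stat
  [ $((0$mode & 077)) -eq 0 ]
}

# expires_within CERT DAYS: succeed when the certificate ends within DAYS days
# (openssl -checkend wants seconds), i.e. when auto-renewal should have run.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# preload_check KEY CERT: what to run before "nginx -s reload" or an Apache reload.
preload_check() {
  key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
  key_is_private "$1"       || { echo "key file readable by group/other"; return 1; }
  expires_within "$2" 7 && { echo "certificate expires within 7 days"; return 1; }
  echo "ok: key matches cert, permissions sane, more than 7 days of validity"
}

preload_check "$work/good.key" "$work/cert.pem" || true   # reports the 5-day expiry
```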

14. CDN / proxy SSL mode mismatch

Symptoms

  • Works on CDN domain but fails at origin
  • Infinite redirects, or CDN errors such as Cloudflare's 525 (handshake with origin failed) and 526 (origin certificate invalid)

Causes

  • CDN set to:
    • Flexible SSL
    • Full vs Full (Strict) mismatch

How to resolve

  • Prefer Full (Strict) mode
  • Install a valid certificate on the origin
  • Avoid “Flexible” SSL for production

15. Client-side time/date incorrect

Symptoms

  • Certificate appears expired/not yet valid on one device

Causes

  • System clock incorrect

How to resolve

  • Correct system date and time
  • Enable automatic time sync
