Troubleshooting SSL/TLS Browser Errors and Warnings

It’s all too common to encounter browser error messages like this when accessing websites:

[Image: Chrome trust warning]

These messages typically begin with a bold headline stating "Your connection is not private" or "Warning: Potential Security Risk Ahead". They can be frustrating for users and website owners, especially when the owner has gone to the effort to secure their website with an SSL/TLS certificate. Often, these errors are caused by server misconfigurations that are simple to correct once you know the root cause.

In this guide, we'll go through some common misconfigurations and the error messages associated with them in various web browsers. The browsers used to generate these screenshots were:

  • Google Chrome 76.0.3809.100 (macOS 10.14.6)
  • Firefox 68.0.1 (macOS 10.14.6)
  • Safari 12.1.2 (macOS 10.14.6)
  • Edge 44.17763.1.0 (Windows 10 Enterprise)
  • Internet Explorer 11.379.11763.0 (Windows 10 Enterprise)

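The situations we will cover are:

  • Expired Certificate
  • Domain Name Does Not Match Certificate
  • Incomplete Chain of Trust
  • Revoked Certificate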

Expired Certificate

In these cases, the server has a certificate installed that has outlived its validity period and needs replacement:

  • Chrome: NET::ERR_CERT_DATE_INVALID
  • Firefox: The error message includes the text "The website is either misconfigured or your computer clock is set to the wrong time." Clicking the Advanced button shows the error code SEC_ERROR_EXPIRED_CERTIFICATE.
  • Edge: DLG_FLAGS_SEC_CERT_DATE_INVALID (visible after clicking Details link on This site is not secure message).
  • Internet Explorer: DLG_FLAGS_SEC_CERT_DATE_INVALID (visible after clicking More Information link on This site is not secure message).
  • Safari: The initial error message states that "This Connection is Not Private". Clicking the Show Details button presents a message beginning with "Safari warns you when a website has an expired certificate." You can also click the "view the certificate" link to confirm this.

Solution: Renew the website’s certificate. End users who are experiencing this error should also confirm that the date and time are set correctly on their computer.

Domain Name Does Not Match Certificate

In these cases, the web server is presenting a certificate that does not match the domain name the user is attempting to access:

  • Chrome: NET::ERR_CERT_COMMON_NAME_INVALID
  • Firefox: SSL_ERROR_BAD_CERT_DOMAIN (visible after clicking Advanced button on Warning: Potential Security Risk Ahead page).
  • Edge: DLG_FLAGS_SEC_CERT_CN_INVALID (visible after clicking Details link on This site is not secure message).
  • Internet Explorer: DLG_FLAGS_SEC_CERT_CN_INVALID (visible after clicking Details link on This site is not secure message).
  • Safari: Generic This Connection is Not Private message. If you click the Show Details button and then the view the certificate link, you can confirm that the domain name does not match the certificate.

Solution: Make sure that the common name and/or a subject alternative name listed in the certificate matches the website’s domain name.
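The two checks above (validity period and name matching) can be run against a certificate before a browser ever sees it. The following is an added example, not SSL.com's code: the function names and the sample certificate are constructed for illustration, the certificate is a dict in the shape returned by Python's ssl.SSLSocket.getpeercert(), and it assumes that only subject alternative names are matched (current Chrome ignores the common name).

```python
import ssl
import time

# Error codes as listed on this page for each condition.
BROWSER_CODES = {
    "expired": {"Chrome": "NET::ERR_CERT_DATE_INVALID",
                "Firefox": "SEC_ERROR_EXPIRED_CERTIFICATE",
                "Edge/IE": "DLG_FLAGS_SEC_CERT_DATE_INVALID"},
    "name_mismatch": {"Chrome": "NET::ERR_CERT_COMMON_NAME_INVALID",
                      "Firefox": "SSL_ERROR_BAD_CERT_DOMAIN",
                      "Edge/IE": "DLG_FLAGS_SEC_CERT_CN_INVALID"},
}

# Constructed sample certificate (shape of ssl.SSLSocket.getpeercert()).
SAMPLE_CERT = {
    "notBefore": "Aug 20 00:00:00 2018 GMT",
    "notAfter": "Aug 20 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.shop.example.com")),
}


def name_matches(pattern, hostname):
    """Compare one SAN DNS entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more or fewer labels
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]  # '*' stands for exactly the left-most label
    return p == h


def predict_conditions(cert, hostname, now=None):
    """Return the conditions ('expired', 'name_mismatch') a browser would flag."""
    now = time.time() if now is None else now
    found = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        found.append("expired")
    # Assumption: only SAN DNS entries are consulted; the common name is ignored.
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(s, hostname) for s in sans):
        found.append("name_mismatch")
    return found


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "cart.shop.example.com"):
        for cond in predict_conditions(SAMPLE_CERT, host):
            print(host, cond, BROWSER_CODES[cond])
```

Passing a future timestamp as `now` (for example, 30 days ahead) shows which hosts will start failing before the certificate actually expires.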

Incomplete Chain of Trust

If a web server does not have a complete chain of trust including all necessary intermediate certificates installed, these errors can result:

  • Chrome: NET::ERR_CERT_AUTHORITY_INVALID
  • Firefox: SEC_ERROR_UNKNOWN_ISSUER (visible after clicking Advanced button on Warning: Potential Security Risk Ahead page).
    Note: You may not see this error in Firefox, even if it is shown by other browsers. This is because Firefox caches intermediate certificates in its own certificate store; if you previously visited a website that included any intermediates missing from your server, Firefox will use them to make a complete certificate chain when necessary.
  • Edge: DLG_FLAGS_INVALID_CA (visible after clicking Details link on This site is not secure message).
  • Internet Explorer: DLG_FLAGS_INVALID_CA (visible after clicking Details link on This site is not secure message).
  • Safari: Generic This Connection is Not Private message. If you click the Show Details button and then the view the certificate link, you can confirm that the certificate is not trusted.

Solution: Make sure that a complete certificate chain is installed on your server. Please see our article on diagnosing and fixing this problem for more information.

Revoked Certificate

Sometimes, due to server compromise or compliance issues, certificates must be revoked before their scheduled expiration date (for an example, see the serial number entropy issue of early 2019). Failing to replace a revoked certificate will lead to these error messages:

  • Chrome: NET::ERR_CERT_REVOKED
  • Firefox: SEC_ERROR_REVOKED_CERTIFICATE
  • Edge: ERROR_INTERNET_SEC_CERT_REVOKED (visible after clicking Details link on This site is not secure message).
  • Internet Explorer: ERROR_INTERNET_SEC_CERT_REVOKED (visible after clicking Details link on This site is not secure message).
  • Safari: Generic This Connection is Not Private message. If you click the Show Details button and then the view the certificate link, you can confirm that the certificate is, in fact, revoked.

Solution: Generate a new website certificate that chains to valid, publicly trusted root and intermediate certificates.

We hope this guide has been useful in helping you decipher the (sometimes cryptic) error messages presented by web browsers when they encounter a problematic SSL/TLS installation. If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. Thank you for choosing SSL.com!