Browser Errors and Warnings
It’s all too common to encounter browser error messages like this when accessing websites:
These messages typically begin with a bold headline stating that Your connection is not private or Warning: Potential Security Risk Ahead. These messages can be frustrating for users and website owners, especially when the owner has gone to the effort to secure their website with an SSL/TLS certificate. Often, these errors are caused by server misconfigurations that are simple to correct once you know the root cause. In this guide, we’ll go through some common misconfigurations and the error messages associated with them in various web browsers. The browsers used to generate these screenshots were:
- Google Chrome 76.0.3809.100 (macOS 10.14.6)
- Firefox 68.0.1 (macOS 10.14.6)
- Safari 12.1.2 (macOS 10.14.6)
- Edge 44.17763.1.0 (Windows 10 Enterprise)
- Internet Explorer 11.379.11763.0 (Windows 10 Enterprise)
The situations we will cover are detailed in the Table of Contents below.
Expired Certificate
In these cases, the server has a certificate installed that has outlived its validity period and needs replacement:
- Chrome: NET::ERR_CERT_DATE_INVALID
- Firefox: The error message includes the text, "The website is either misconfigured or your computer clock is set to the wrong time.", and clicking the Advanced button shows the error code SEC_ERROR_EXPIRED_CERTIFICATE.
- Edge: DLG_FLAGS_SEC_CERT_DATE_INVALID (visible after clicking Details link on This site is not secure message).
- Internet Explorer: DLG_FLAGS_SEC_CERT_DATE_INVALID (visible after clicking More Information link on This site is not secure message).
- Safari: The initial error message states that "This Connection is Not Private". Clicking the Show Details button presents a message beginning with "Safari warns you when a website has an expired certificate". You can also click the view the certificate link to confirm this.
Solution: Renew the website’s certificate. End users who are experiencing this error should also confirm that the date and time are set correctly on their computer.
Domain Name Does Not Match Certificate
In these cases, the web server is presenting a certificate that does not match the domain name the user is attempting to access:
- Chrome: NET::ERR_CERT_COMMON_NAME_INVALID
- Firefox: SSL_ERROR_BAD_CERT_DOMAIN (visible after clicking Advanced button on Warning: Potential Security Risk Ahead page).
- Edge: DLG_FLAGS_SEC_CERT_CN_INVALID (visible after clicking Details link on This site is not secure message).
- Internet Explorer: DLG_FLAGS_SEC_CERT_CN_INVALID (visible after clicking Details link on This site is not secure message).
- Safari: Generic "This Connection is Not Private" message. If you click the Show Details button and then the view the certificate link, you can confirm that the domain name does not match the certificate.
Solution: Make sure that the common name and/or a subject alternative name listed in the certificate matches the website’s domain name.
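The two checks behind the Expired Certificate and Domain Name Does Not Match Certificate errors can be run ahead of time against a certificate's fields. The following is an added example, not code from the original guide: it assumes the dictionary layout returned by Python's ssl.SSLSocket.getpeercert(), and the sample certificate, the example.test names, the finding labels and the 30-day warning window are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a '*' standing for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # '*.example.test' never covers 'a.b.example.test'
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert: dict) -> list:
    """DNS subjectAltName entries; the common name only when there are none."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names

def _when(cert_time: str) -> datetime:
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def diagnose(cert: dict, hostname: str, now: datetime, warn_days: int = 30) -> list:
    """Return labels for the validity-period and name problems found."""
    findings = []
    not_before, not_after = _when(cert["notBefore"]), _when(cert["notAfter"])
    if now > not_after:
        findings.append("expired")            # the Expired Certificate case
    elif now < not_before:
        findings.append("not_yet_valid")
    elif (not_after - now).days < warn_days:
        findings.append("expiring_soon")      # renew before browsers complain
    if not any(name_matches(n, hostname) for n in cert_names(cert)):
        findings.append("name_mismatch")      # the Domain Name Does Not Match case
    return findings

# Constructed sample in getpeercert() layout (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
    "notBefore": "Jun 10 00:00:00 2019 GMT",
    "notAfter": "Aug 30 23:59:59 2019 GMT",
}

if __name__ == "__main__":
    today = datetime(2019, 8, 15, tzinfo=timezone.utc)
    print(diagnose(SAMPLE_CERT, "www.example.test", today))
```
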
Incomplete Chain of Trust
If a web server does not have a complete chain of trust including all necessary intermediate certificates installed, these errors can result:
- Chrome: NET::ERR_CERT_AUTHORITY_INVALID
- Firefox: SEC_ERROR_UNKNOWN_ISSUER (visible after clicking Advanced button on Warning: Potential Security Risk Ahead page). Note: You may not see this error in Firefox, even if it is shown by other browsers. This is because Firefox caches intermediate certificates in its own certificate store; if you previously visited a website that included any intermediates missing from your server, Firefox will use them to make a complete certificate chain when necessary.
- Edge: DLG_FLAGS_INVALID_CA (visible after clicking Details link on This site is not secure message).
- Internet Explorer: DLG_FLAGS_INVALID_CA (visible after clicking Details link on This site is not secure message).
- Safari: Generic "This Connection is Not Private" message. If you click the Show Details button and then the view the certificate link, you can confirm that the certificate is not trusted.
Solution: Make sure that a complete certificate chain is installed on your server. Please see our article on diagnosing and fixing this problem for more information.
Revoked Certificate
Sometimes, due to server compromise or compliance issues, certificates must be revoked before their scheduled expiration date (for an example, see the serial number entropy issue of early 2019). Failing to replace a revoked certificate will lead to these error messages:
- Chrome: NET::ERR_CERT_REVOKED
- Firefox: SEC_ERROR_REVOKED_CERTIFICATE
- Edge: ERROR_INTERNET_SEC_CERT_REVOKED (visible after clicking Details link on This site is not secure message).
- Internet Explorer: ERROR_INTERNET_SEC_CERT_REVOKED (visible after clicking Details link on This site is not secure message).
- Safari: Generic "This Connection is Not Private" message. If you click the Show Details button and then the view the certificate link, you can confirm that the certificate is, in fact, revoked.
Solution: Generate a new website certificate chained to a valid, publicly trusted root and intermediate certificates.