Script Valley
HTTP & The Web: How It Actually Works
HTTPS and TLS Security, Lesson 3.3

Common TLS errors and what they actually mean

ERR_CERT_DATE_INVALID, ERR_CERT_AUTHORITY_INVALID, ERR_SSL_PROTOCOL_ERROR, certificate mismatch, mixed content, HSTS, self-signed certificates

TLS Errors Decoded

[Figure: TLS error types decision tree]

When TLS fails, browsers show cryptic error codes. Here is what each one means and how to fix it.

Common errors

ERR_CERT_DATE_INVALID / Certificate expired. The certificate's notAfter date is in the past. Fix: renew the certificate. Let's Encrypt certificates expire every 90 days — automate renewal with certbot renew.

ERR_CERT_AUTHORITY_INVALID. The certificate is signed by a CA the browser does not trust. Usually caused by: a self-signed certificate, a missing intermediate certificate in your server's chain, or an internal/private CA. Fix: install the full chain (leaf + intermediate), or install the CA cert in the browser/OS for internal use.

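ERR_CERT_COMMON_NAME_INVALID / SSL_ERROR_BAD_CERT_DOMAIN. None of the names in the certificate's SAN (Subject Alternative Name) list matches the hostname being requested. Common cause: serving www.example.com with a cert for example.com only. Fix: use a wildcard cert (*.example.com) or a multi-domain SAN cert. A wildcard covers exactly one label, so *.example.com matches www.example.com but not the bare example.com; list both names if you serve both.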

# Test certificate chain validity
curl -v https://your-domain.com 2>&1 | grep -E "SSL|certificate|verify"

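# Check if cert includes www subdomain
# -servername sends SNI so the server returns the cert for this host;
# </dev/null closes stdin so s_client exits after the handshake
openssl s_client -connect your-domain.com:443 -servername your-domain.com \
  </dev/null 2>/dev/null \
  | openssl x509 -noout -text | grep DNS: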
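
Added example, not part of the original lesson: a small shell function that takes the DNS: line printed by the command above and decides whether a given hostname is covered, using the matching rules that produce the name-mismatch error. The function name san_match and the sample SAN lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the lesson): does a hostname match any of the
# "DNS:" entries that `openssl x509 -noout -text | grep DNS:` prints?
# Rules applied: case-insensitive compare; "*" is honoured only as the whole
# leftmost label and stands for exactly one label.

# san_match HOSTNAME SAN_LINE  -> returns 0 on a match, 1 otherwise
san_match() {
  local host entry suffix rest
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    case "$entry" in
      \*.*)
        suffix=${entry#\*}              # "*.example.com" -> ".example.com"
        case "$host" in
          *"$suffix")
            rest=${host%"$suffix"}      # what the "*" would have to cover
            # must be one non-empty label: no dot inside it
            if [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
              return 0
            fi
            ;;
        esac
        ;;
      *)
        if [ "$entry" = "$host" ]; then return 0; fi
        ;;
    esac
  done <<EOF
$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr ',' '\n' | sed -n 's/^[[:space:]]*dns://p')
EOF
  return 1
}

# Constructed sample SAN lines (not taken from a real certificate).
apex_only='DNS:example.com'
wildcard='DNS:*.example.com'
both='DNS:example.com, DNS:*.example.com'

for name in example.com www.example.com a.b.example.com; do
  for san in "$apex_only" "$wildcard" "$both"; do
    if san_match "$name" "$san"; then verdict=ok; else verdict=MISMATCH; fi
    printf '%-18s vs %-38s %s\n' "$name" "$san" "$verdict"
  done
done
```

To check a live host, pass the output of the openssl pipeline as the second argument in place of a sample line.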

Mixed content. An HTTPS page loads HTTP resources. Browsers block active mixed content (scripts, iframes) and warn on passive (images). Fix: serve all assets over HTTPS and use protocol-relative or absolute HTTPS URLs.
