
Solving 'certificate expired' and common SSL/TLS Errors

A comprehensive guide to fixing SSL/TLS errors like 'ERR_CERT_DATE_INVALID', 'self-signed certificate', and 'handshake failed'. Learn how to secure your website.

2026-04-11

Solving "certificate expired" and common SSL/TLS Errors: A Complete Guide

SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are the protocols that keep the internet secure. They ensure that the data sent between your browser and a website is encrypted and private. However, when something goes wrong with a certificate, browsers show scary warning pages that can drive away 99% of your visitors.

In this guide, we will explain the most common SSL/TLS errors, why they happen, and how to fix them for both users and website owners.


1. Common SSL/TLS Error Messages

Depending on your browser (Chrome, Firefox, Safari) or your development environment (Node.js, Python), you will see different error codes:

  • Chrome: ERR_CERT_DATE_INVALID, ERR_CERT_AUTHORITY_INVALID, ERR_CERT_COMMON_NAME_INVALID, ERR_SSL_PROTOCOL_ERROR
  • Node.js: CERT_HAS_EXPIRED, UNABLE_TO_VERIFY_LEAF_SIGNATURE, SELF_SIGNED_CERT_IN_CHAIN
  • Python (Requests): SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
  • Firefox: SEC_ERROR_EXPIRED_CERTIFICATE, MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

2. Top Causes and Solutions

2.1 "certificate expired" (ERR_CERT_DATE_INVALID)

SSL certificates are issued for a specific period (usually 90 days to 1 year). Once that date passes, the certificate is no longer valid.

The Cause: The website owner forgot to renew the certificate, or the automated renewal process (like Let's Encrypt) failed.

The Solution:

  • For Website Owners: Renew your certificate immediately. If using Let's Encrypt, check your certbot logs or your ACME client configuration.
  • For Users: Check your computer's system date and time. If your clock is wrong, the browser will think a valid certificate is expired.
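
The check below is an added example, not code from this guide: it classifies a certificate's validity window the way a monitoring job would, and evaluates the same certificate under different clock values to show how a wrong system clock produces a date error. It serves both this section and the Monitoring item in section 4. The 30-day threshold and the sample dates are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumed alerting threshold, not taken from the guide


def classify(cert, now=None):
    """Classify a getpeercert()-style dict against the clock value `now`."""
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now_ts) / 86400
    if now_ts < not_before:
        # A clock set too far back makes a good certificate look premature.
        return "not-yet-valid", days_left
    if days_left < 0:
        return "expired", days_left
    if days_left <= RENEW_WINDOW_DAYS:
        return "renew-soon", days_left
    return "ok", days_left


def check_host(host, port=443, timeout=5.0):
    """Handshake with full verification and report the certificate state."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate aborts the handshake, so there is no dict
        # to read; report the verifier's own message instead.
        return "verify-failed: " + exc.verify_message, None


# Constructed sample in the format ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Apr  1 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    for day in ((2026, 2, 1), (2026, 3, 15), (2026, 4, 11), (2025, 6, 1)):
        now = datetime(*day, tzinfo=timezone.utc)
        print(now.date(), classify(SAMPLE_CERT, now))
```

Pass a timezone-aware `now`; a naive datetime would be interpreted in local time.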

2.2 "self-signed certificate" (ERR_CERT_AUTHORITY_INVALID)

By default, browsers only trust certificates issued by a known "Certificate Authority" (CA) like DigiCert or Let's Encrypt. A self-signed certificate is one that you created yourself.

The Cause:

  • Using a self-signed certificate on a production website.
  • A private/corporate CA that hasn't been added to your computer's "Trusted Root" store.

The Solution:

  • For Production: Obtain a free certificate from Let's Encrypt or a paid one from a commercial CA.
  • For Development: It's okay to use self-signed certificates locally, but you'll need to tell your tools to trust them or bypass verification (though the latter is insecure).
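
The two development options above, side by side, as an added example that is not part of the original guide: one context that trusts a private or development CA file, one that bypasses verification, and an audit function that flags the bypass before it ships. The function names are hypothetical; the protocol check anticipates the "Disable Weak Protocols" item in section 4.

```python
import ssl


def trusted_context(ca_file=None):
    """Client context that verifies the peer.

    ca_file is the path to a private or development CA certificate
    (hypothetical, e.g. "dev-ca.pem"). When it is given, only that CA is
    trusted; when it is omitted, the system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.1 and older
    return ctx


def bypass_context():
    """The insecure shortcut: accepts any certificate from any host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the reasons a context should not be shipped (empty if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("trusted:", audit_context(trusted_context()))
    print("bypass: ", audit_context(bypass_context()))
```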

2.3 "certificate chain incomplete" (UNABLE_TO_VERIFY_LEAF_SIGNATURE)

An SSL certificate isn't just one file; it's a chain of trust leading back to a Root CA. If a "middle" certificate (an Intermediate CA) is missing from your server configuration, the browser can't verify the chain.

The Cause: The server is only serving the "Leaf" (site) certificate and not the "Fullchain" (Site + Intermediate).

The Solution: Ensure your web server (Nginx, Apache) is configured to use the fullchain.pem (or equivalent) file provided by your CA.

2.4 "SSL handshake failed"

This is a broad error that occurs during the initial "handshake" between the client and server.

The Cause:

  • Mismatched protocols (e.g., client only supports TLS 1.0, but server requires TLS 1.3).
  • Mismatched cipher suites (no common encryption methods).
  • Server-side firewall or proxy blocking the connection.

The Solution: Check your server's TLS configuration. We recommend using the Mozilla SSL Configuration Generator to get secure, compatible settings.


3. Advanced Troubleshooting

3.1 SNI (Server Name Indication) Issues

On modern servers hosting multiple websites on a single IP address, the server relies on the SNI value sent by the client to know which certificate to present. If the client doesn't support SNI (rare nowadays), the server might present the wrong certificate, leading to an ERR_CERT_COMMON_NAME_INVALID error.

3.2 HSTS (HTTP Strict Transport Security)

If a website uses HSTS, the browser will refuse to let users "proceed anyway" on an SSL error. This is a security feature to prevent "Man-in-the-Middle" attacks. Solution: You must fix the SSL error; there is no bypass for HSTS.


4. Prevention and Best Practices

  1. Auto-Renewal: Always use a service with auto-renewal (like Let's Encrypt with Certbot or Cloudflare's Managed SSL).
  2. Monitoring: Use a service to monitor your SSL certificate's expiration and health.
  3. Use the Full Chain: Always provide the full certificate chain in your server configuration.
  4. Disable Weak Protocols: Disable SSLv2, SSLv3, TLS 1.0, and TLS 1.1. Only allow TLS 1.2 and 1.3.

5. FAQ: Frequently Asked Questions

Q: Is it safe to click "Proceed Anyway" on an SSL warning?

A: Only if you are a developer testing your own local site. Never do this on a public website, especially for banking, email, or social media, as it makes you vulnerable to data theft.

Q: Why does my site work on desktop but show an SSL error on mobile?

A: This is usually a Certificate Chain Incomplete issue. Desktop browsers are better at "filling in the gaps" of missing intermediate certificates, while mobile browsers are much stricter.

Q: Does Cloudflare fix SSL errors?

A: Cloudflare can hide SSL errors between the user and Cloudflare, but you still need a valid (or at least a Cloudflare Origin) certificate between Cloudflare and your server to be fully secure.


6. Quick Check Tool

Need to inspect a certificate or check a chain? Use our SSL Certificate Checker & Decoder. It allows you to:

  • Decode PEM and CRT files to see expiration dates and issuer info.
  • Verify certificate chains and identify missing intermediates.
  • Convert between formats like PEM, DER, and PFX.
