SSL Certificate Error — Common Causes and Fast Fixes
💡An SSL certificate error means the browser cannot verify a site's HTTPS certificate. The cause is usually expiry, hostname mismatch, or a missing intermediate certificate. Check the certificate chain with ToolDock SSL Checker, then inspect the endpoint response if the issue is server-side.
You may also see this as:
NET::ERR_CERT_COMMON_NAME_INVALIDNET::ERR_CERT_DATE_INVALIDSSL_ERROR_BAD_CERT_DOMAINYour connection is not private
Quick Diagnosis
If you see “ERR_CERT_DATE_INVALID” → it means the certificate is expired or not yet valid → do this: renew the certificate and verify server time
If you see “COMMON_NAME_INVALID” → it means the certificate hostname does not match the domain → do this: issue a certificate for the correct hostname or update DNS
If you see “incomplete chain” → it means the server is not sending intermediate certificates → do this: install the full certificate chain on the server
Quick Fix — Step by Step
- Check the certificate expiration date and renew it if needed
- Verify the certificate SAN/CN includes the exact domain you are visiting
- Install the full certificate chain including intermediate certificates
- Retest the domain with SSL Checker and confirm HTTPS resolves correctly
Common Causes and Fixes
Expired certificate
❌ Wrong
openssl x509 -in cert.pem -noout -enddate
notAfter=Apr 10 12:00:00 2026 GMT✅ Fixed
certbot renew && systemctl reload nginxAn expired certificate must be renewed and reloaded on the server.
Wrong hostname
❌ Wrong
Certificate SAN: api.internal.local
Request URL: https://api.example.com✅ Fixed
Issue cert with SAN: api.example.comThe hostname in the certificate must match the hostname users visit.
Incomplete chain
❌ Wrong
ssl_certificate cert.pem;✅ Fixed
ssl_certificate fullchain.pem;Browsers often need the full chain, not only the leaf certificate.
HTTP mixed with HTTPS
❌ Wrong
<script src='http://cdn.example.com/app.js'></script>✅ Fixed
<script src='https://cdn.example.com/app.js'></script>Mixed content can make an HTTPS page look broken even when the certificate is valid.
Real-World Context
Production API endpoint
curl -Iv https://api.example.comThe TLS handshake fails before the API can respond because the certificate chain is incomplete.
Staging subdomain
https://staging.example.comA wildcard certificate covers the main domain but not the new subdomain you deployed.
Load balancer termination
server {
listen 443 ssl;
ssl_certificate fullchain.pem;
}The load balancer serves an outdated certificate after a partial deploy.
Mobile app backend
fetch('https://auth.example.com/login')Clients reject the endpoint because the server clock or certificate dates are wrong.
💡 All tools run in your browser. No data is sent to any server.
Related Guides
- → HTTP Status Codes Guide
- → HTTP vs HTTPS Difference
- → DNS Lookup Examples
- → IP Address Lookup Examples
Frequently Asked Questions
What causes an SSL certificate error?
An SSL certificate error usually comes from an expired certificate, a hostname mismatch, a broken chain, or a local clock problem. The browser refuses to trust the HTTPS connection until the certificate validates correctly.
How do I fix ERR_CERT_COMMON_NAME_INVALID?
ERR_CERT_COMMON_NAME_INVALID means the certificate does not include the hostname you are visiting. Reissue the certificate with the correct SAN entries or use the correct domain.
Can an intermediate certificate cause SSL errors?
Yes. If the server sends only the leaf certificate and omits the intermediate certificates, browsers may fail validation even though the certificate itself is valid.
All tools run in your browser. Your data never leaves your device.