You have probably seen it yourself: a full-screen browser warning telling you that a website is "not secure" or that "attackers might be trying to steal your information." That warning appears when something is wrong with the site's SSL certificate. When it happens to your own website, it does more than look bad -- it drives visitors away, damages your search rankings, and can cost you customers.
SSL (Secure Sockets Layer) certificates are what make the padlock icon appear in your browser's address bar. They encrypt the connection between your website and your visitors, ensuring that data like passwords, contact forms, and payment details cannot be intercepted. When the certificate has a problem, the browser warns visitors instead of loading your site.
Let's walk through the most common SSL errors, what causes them, and what you can do about each one.
What SSL certificates actually do
An SSL certificate is a small digital file installed on your web server. It serves two purposes: it encrypts data sent between your website and your visitors' browsers, and it proves your website's identity. When a browser connects to your site, it checks the certificate to confirm it is valid, current, and matches your domain name. If any of those checks fail, the browser shows a warning.
Without a valid certificate, everything sent between your site and your visitors -- including form submissions, login details, and personal data -- travels in plain text that can be read by anyone on the same network. That is why browsers treat certificate errors as serious security issues.
Common SSL certificate errors explained
Expired certificate
This is the most common SSL error. Certificates have an expiry date, and once they pass it, browsers refuse to trust them. Since 2020, certificate authorities can issue certificates for a maximum of 398 days. Free certificates from Let's Encrypt expire every 90 days.
Expired certificates usually happen because auto-renewal failed, the payment for a paid certificate lapsed, or nobody was monitoring the expiry date. The fix is straightforward: renew the certificate. If you use Let's Encrypt, check that your renewal cron job is running. If you use a paid certificate, log into your provider and renew it. Most hosting providers also offer one-click renewal.
Name mismatch
A certificate is issued for a specific domain or set of domains. If the domain in the certificate does not match the URL the visitor typed, the browser shows a name mismatch error. The most common cause is a certificate that covers example.co.uk but not www.example.co.uk, or vice versa.
To fix this, make sure your certificate covers every domain and subdomain your site uses. Most modern certificates include both the bare domain and the www subdomain, but it is worth checking. If you have subdomains like shop.example.co.uk or app.example.co.uk, they each need to be covered by the certificate or you need a wildcard certificate.
Untrusted issuer
Browsers only trust certificates issued by recognised certificate authorities. If your certificate was issued by an authority the browser does not recognise -- or was self-signed -- visitors see a warning that the certificate is not trusted. Self-signed certificates are fine for testing but should never be used on a live website.
The fix is to obtain a certificate from a trusted authority. Mozilla's TLS guidance recommends Let's Encrypt as a trusted, free certificate authority, and most hosting providers include free certificates with their plans. There is no reason to use a self-signed certificate on a production website.
Weak signature algorithm
Older certificates use signature algorithms that are no longer considered secure, such as SHA-1. Modern browsers reject these certificates because the signatures can be forged. If your certificate uses a weak algorithm, you need to replace it with one that uses SHA-256 or stronger.
This is rarely an issue with certificates issued in the last few years, as certificate authorities stopped issuing SHA-1 certificates in 2016. However, if you are running an older system with certificates that were somehow renewed without updating the algorithm, this error can still appear.
Certificate chain incomplete
SSL certificates work in a chain: your certificate was issued by an intermediate authority, which was in turn authorised by a root authority. Your server needs to present not just your certificate but also the intermediate certificates that link yours back to a trusted root. If the chain is incomplete, the browser cannot verify your certificate's legitimacy.
This error often occurs after a server migration, certificate renewal, or configuration change where the intermediate certificate bundle was not installed alongside the site certificate. The fix is to download the full certificate chain from your provider and install all the intermediate certificates on your server.
What visitors see when SSL fails
When an SSL error occurs, most modern browsers show a full-page warning before the visitor can proceed. Chrome displays "Your connection is not private" with a red screen. Firefox shows "Warning: Potential Security Risk Ahead." Safari shows "This Connection Is Not Private."
In all cases, the visitor must click through a warning and explicitly choose to continue. Most people do not. Studies consistently show that over 80% of visitors leave immediately when they see an SSL warning. For an e-commerce site or a business collecting contact details through its website, that is a direct loss of revenue.
The SEO impact of SSL problems
Google has used HTTPS as a ranking signal since 2014. Sites with valid SSL certificates get a small ranking boost, while sites with certificate problems can be actively penalised. If Google's crawler encounters an SSL error on your site, several things can happen:
- Google may display a "Not secure" label in search results instead of your page title
- The page may be dropped from search results entirely until the issue is resolved
- Your overall site authority can be reduced if SSL errors persist
- Visitors who do click through but see a browser warning tend to bounce immediately, sending negative engagement signals to Google
SSL errors are also one of the fastest ways to undo months of SEO work. A single expired certificate can cause rankings to drop within days, and recovery after fixing the issue is not instant.
How to prevent SSL errors
Most SSL errors are preventable with a few basic practices:
- Use auto-renewal: If your hosting provider supports automatic certificate renewal, enable it. Let's Encrypt's Certbot handles this automatically when properly configured.
- Monitor expiry dates: Even with auto-renewal, things can go wrong. Set a calendar reminder for 30 days before expiry and check that renewal has happened.
- Check your certificate covers all domains: Make sure every domain and subdomain your site uses is covered by the certificate.
- Test after changes: Any time you migrate servers, change hosting, or update your DNS configuration, check your SSL certificate immediately afterwards.
- Fix mixed content: If your site loads any resources over HTTP (images, scripts, stylesheets) on an HTTPS page, browsers show warnings. Check for mixed content after enabling SSL.
A quick way to check your entire SSL setup is to run a free PulseShield scan. It checks your certificate validity, expiry date, chain completeness, and flags any mixed content issues, all in a single report.
For ongoing protection, PulseShield's monitoring service watches your SSL certificate around the clock and alerts you immediately if anything changes. That means no more expired certificates catching you by surprise.