How to Fix SSL Certificate Errors
SSL certificate errors (expired cert, “certificate authority invalid,” or other TLS issues) break HTTPS and trigger browser warnings. Here's how to renew, fix a missing intermediate (the chain), and where to look on Nginx, Apache, cPanel, and Cloudflare.
Key takeaways
- Expired or expiring soon: Renew the certificate (e.g. Let’s Encrypt with certbot, or your host’s tool).
- “Certificate authority invalid” / chain error: Install the intermediate certificate(s) so the browser can build a full chain to a trusted root.
- Configure the correct certificate and chain file in your server (Nginx, Apache) or use your host/CDN (cPanel, Cloudflare).
- Verify with our free HTTPS checker: you’ll see validity, issuer, and days until expiry.
Why do certificate errors happen?
Certs expire: 90 days for Let’s Encrypt, 1–2 years for paid ones. Miss the renewal and you’ll see “Your connection is not private” or “Certificate has expired.” The other classic is a missing intermediate: the server sends only the leaf cert, so the browser can’t build a chain to a trusted root and throws NET::ERR_CERT_AUTHORITY_INVALID. Fix expiry by renewing; fix the chain by installing the intermediate(s) and pointing the server at the full chain.
Certificate expired or expiring soon – renew it
Cert expired or expiring in the next few weeks? Renew it. How depends on who issued it and where the site lives.
Let’s Encrypt with Certbot
Certbot only renews when the cert is within 30 days of expiry. Run:
sudo certbot renew
To test without writing files: sudo certbot renew --dry-run. Most setups add a cron job (e.g. twice daily) that runs certbot renew once certbot is installed.
Hosting panel (cPanel, Plesk, etc.)
Use the panel’s SSL/TLS or “SSL Certificate” section. You can often request or install a free Let’s Encrypt cert, or renew an existing one, with one click. If you use a commercial cert, upload the new certificate and key when you get them from the issuer.
Missing intermediate certificate (chain error)
The browser needs the full chain (leaf → intermediates → root). Send only the leaf and some clients show NET::ERR_CERT_AUTHORITY_INVALID. Fix: install the intermediate(s) and tell the server to send the full chain.
- Download the intermediate (and any additional chain) from your certificate provider (e.g. “Intermediate” or “CA bundle”).
- Configure your web server to use the full chain (see Nginx and Apache below).
- Reload the server and verify in the browser or with our HTTPS checker.
Nginx – certificate and chain
In your HTTPS server block, point ssl_certificate to the full chain file (leaf + intermediates in one file), and ssl_certificate_key to the private key.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/fullchain.pem; # leaf + intermediates
    ssl_certificate_key /path/to/privkey.pem;
    # ...
}
Certbot typically writes fullchain.pem (full chain) and privkey.pem. After changing certs, run sudo nginx -t then sudo systemctl reload nginx.
Apache – certificate and chain
Use SSLCertificateFile with the full chain (server certificate first, then intermediates, in one file); this is the recommended approach in Apache 2.4.8+. Older setups sometimes used a separate SSLCertificateChainFile; in 2.4.8+ you typically use a single file for the full chain.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem
    # Full chain (leaf + intermediates) in one file; no separate chain file needed in 2.4.8+
</VirtualHost>
Restart Apache after changing certs: sudo systemctl restart apache2 (or sudo service apache2 restart).
cPanel
In cPanel, go to SSL/TLS Status or Install SSL. Install or renew the certificate for the domain; paste the certificate, private key, and (if asked) the CA bundle / intermediate. The panel will write the correct paths for Apache. If you use AutoSSL (Let’s Encrypt), renewal is usually automatic; check that it’s enabled and that the domain resolves correctly.
Cloudflare
Cloudflare provides an edge certificate for traffic between visitors and Cloudflare. In the dashboard: SSL/TLS → Edge Certificates. Ensure SSL/TLS encryption mode is not “Off” (use “Full” or “Full (strict)” if you have a cert on your origin). Certificate renewal at the edge is handled by Cloudflare. If you see errors, check that your origin certificate (if you use “Full (strict)”) is valid and that the origin server is sending the correct chain.
How to verify your certificate
Once you’ve renewed or fixed the chain, open the site in a browser; no warning should appear. For a quick report (validity, issuer, days until expiry), run your domain through our free HTTPS checker; you’ll get cert details and SSL grade in one go.
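A scripted version of the same check, as an added example that is not part of the original page: it connects the way a strict client does, maps OpenSSL's verification codes to the two fixes above (renew, or install the intermediate), and flags certs inside the 30-day renewal window. The function names and message strings are illustrative choices.

```python
import socket
import ssl
import time

# OpenSSL X509 verify codes for the two failure modes covered on this page.
DIAGNOSES = {
    10: "expired: renew the certificate",                       # CERT_HAS_EXPIRED
    20: "chain error: intermediate(s) missing, serve the full chain",  # UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "chain error: intermediate(s) missing, serve the full chain",  # UNABLE_TO_VERIFY_LEAF_SIGNATURE
}
RENEW_WINDOW_DAYS = 30  # the Certbot renewal window mentioned above


def diagnose(verify_code):
    """Translate an OpenSSL verify code into the fix to apply."""
    return DIAGNOSES.get(verify_code, f"other verification failure (code {verify_code})")


def days_left(not_after, now=None):
    """Whole days until the notAfter string from getpeercert(); negative if expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def check(host, port=443, timeout=5.0):
    """Handshake against host with the system trust store and report the result."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return diagnose(exc.verify_code)
    left = days_left(cert["notAfter"])
    # issuer is a tuple of RDNs, each a tuple of (field, value) pairs
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("organizationName", "?")
    status = f"valid, issuer {issuer}, {left} days left"
    return status + ": renew now" if left <= RENEW_WINDOW_DAYS else status


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, "->", check(name))
```

Save it under any file name and pass one or more hostnames as arguments. Python's ssl module validates only the certificates the server sends against the local trust store, so it reports a missing intermediate even when a desktop browser holding a cached copy shows no warning.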