Common SSL/TLS errors: how to find and fix them
HTTPS has one crucial difference from the HTTP protocol: the connection is encrypted, which makes transferring data between the user's browser and the site's server vastly more secure. An HTTPS connection builds trust and affects SEO and traffic numbers. To add the “S” to the HTTP protocol, you need to implement secure SSL/TLS settings, which can be challenging.
In this article, we’ll provide an overview of the most common SSL errors and how to fix them.
SSL vs. TLS vs. HTTPS
Before we proceed, let’s learn what SSL and TLS are and how they are connected with HTTPS.
HTTPS (Hypertext transfer protocol secure) is an encrypted version of the HTTP protocol based on a request-response structure.
SSL (Secure Sockets Layer) is a security technology that encrypts data between the server and client so that only those with the key can read the data.
TLS (Transport Layer Security) is the upgraded successor to SSL and serves the same purpose.
How do TLS certificates work?
SSL/TLS certificates are issued by trusted third-party companies called Certificate Authorities (CAs). The website sends its TLS/SSL certificate and public key to the browser, which validates the CA and the certificate data. This process is called the “TLS handshake”. It happens almost instantly, before any data is transmitted between the client and the server. If it succeeds, an HTTPS connection is established, creating a secure channel between the user's browser and the website's server.
The TLS certificate is actually a sequence of certificates: one from the client, one from the server, and one intermediate to safely transfer data to both sides without compromising any of it.
Why SSL/TLS is important
Internet security is vital to establishing trust between users and websites – would you buy something online knowing your credit card credentials could be stolen?
Another reason is SEO: since 2014, Google has considered a secure connection a ranking factor. It makes a lot of sense – why rank potentially hazardous websites higher than safe ones?
Also, if your HTTPS is configured incorrectly, most browsers will display a warning about the issue. It looks scary, so many users will find it suspicious and won't continue to the site. This hurts not only your traffic but brand trust as a whole.
How to fix SSL errors
A TLS/SSL error occurs when the client’s encrypted code does not match the code from the server. Unfortunately, there are several reasons why this can happen. Luckily, you don’t need to check for SSL/TLS errors daily, since they don't occur very often.
To ensure that your HTTPS connection is configured correctly, you can use online SSL checkers on SSLshopper, Digicert, or similar services.
To make absolutely sure that your SSL certificate is fine, it's a good idea to automate the process. For example, the site audit tool by SE Ranking tracks the website's overall health, including an SSL/TLS checkup. Using it, you can forget about manually checking the expiration dates of your certificates or worrying about whether they were revoked or not.
Regardless of how you monitor the certificate, solving any TLS issues is important.
In general, if you choose a well-known Certificate Authority like Comodo, DigiCert, GoDaddy, etc., reissuing a certificate fixes the problem in most cases. Also, some CDNs, e.g., Cloudflare, have built-in free TLS that seamlessly integrates into servers.
Tip: to see all SSL/TLS errors, issues, and scams, visit BadSSL.com.
1. Expired website security certificate
CAs don't issue TLS certificates forever: they have expiration dates. Once a certificate expires, an HTTPS connection cannot be established, because the Certificate Authority can no longer be trusted to vouch for it; its third-party due diligence has lapsed.
To solve this issue, renew your TLS certificate at your CA or get a new one. The most convenient way to avoid the issue is to set up automatic renewal. A middle-ground solution is to use reminder tools that help you manage your certificates if you have a lot of them.
2. Outdated security protocol
TLS has four versions: 1.0, 1.1, 1.2, and 1.3. To check a website's TLS version, use the DigiCert SSL checker or a similar service. It’s recommended to use 1.2 and newer, since the older versions have been deprecated by the Internet Engineering Task Force (IETF) as of March 25, 2021. They don't have any specific SSL/TLS vulnerabilities, but they use outdated cryptographic methods that aren’t supported anymore.
Newer versions feature improved sets of encryption algorithms called “cipher suites” (we’ll get to them shortly). To complete a TLS handshake, the browser and the server must support a common TLS version. For example, suppose the server uses TLS 1.1 and the client is browsing with an up-to-date version of Chrome. Because Google has deprecated support for TLS 1.0 and 1.1, there is no TLS version that both the server and the browser can use, so a secure connection cannot be established.
To upgrade the TLS version, first configure your server to support it. Once that’s done, make sure your certificate supports TLS 1.3 and 1.2 (support for older versions is optional). If it doesn't, you need to get a new SSL certificate that does.
3. Certificate name mismatch
Certificate Authorities issue certificates for specific subject names: a domain, a subdomain, etc. If you try to use a certificate under a different name, a secure connection cannot be established because the server name does not correspond to the certificate’s name. For example, if you use an SSL certificate issued for example.com on wrong.com, an HTTPS connection cannot be established on the second domain with this certificate.
To fix the issue, use the correct name in your certificate. The Common Name should match the domain name. For subdomain certificates, the name should contain either the full subdomain or the domain with a wildcard in front of it.
4. Missing Hostname
Similar to a name mismatch, a missing hostname is an error that prevents a secure connection from being established, because the certificate name cannot be matched against the server name.
The fix is the same as for mismatch errors: make sure your hostname corresponds to the Subject’s Common Name in the certificate.
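As an added example (not code from the original article), here is how the expiry and hostname checks behind errors 1, 3 and 4 can be performed in Python on the dictionary that ssl.SSLSocket.getpeercert() returns. The certificate data, validity dates and example.com names are constructed for the demonstration, and the function names are my own:

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
NO_NAME_CERT = {"subject": (), "notBefore": SAMPLE_CERT["notBefore"],
                "notAfter": SAMPLE_CERT["notAfter"]}       # "missing hostname" case
INSIDE_VALIDITY = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jan  1 00:00:01 2025 GMT")

def cert_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the subject CN."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
    label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return label != "" and "." not in label   # one label: not "" and not "a.b"

def check_certificate(cert, hostname, now=None):
    """Return the problems found (an empty list means the certificate passed)."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not names:
        problems.append("missing hostname: certificate has neither SAN nor Common Name")
    elif not any(name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: {hostname} is not covered by {names}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired on " + cert["notAfter"])
    return problems
```

In a live check you would call check_certificate(sock.getpeercert(), hostname) after the handshake; a wildcard certificate for *.example.com covers www.example.com but neither example.com nor a.b.example.com.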
5. Outdated encryption algorithm
There are several sets of encryption algorithms, known as cipher suites. As with TLS versions, if there is no cipher suite supported by both the client and the server, the connection cannot be encrypted, and therefore HTTPS won’t work.
The solution to this problem goes hand in hand with upgrading TLS: if you use TLS 1.2 or above, it includes up-to-date cipher suites, so you don’t need to worry about them.
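As an added example that is not part of the original article, this Python snippet shows the weak server-side setting beside the corrected one (errors 2 and 5), plus an audit function that reports which deprecated protocol version and which non-AEAD cipher suites a context would actually offer. The function names are my own, and the certificate and key paths are placeholders you supply:

```python
import ssl

def audit_server_context(ctx):
    """List settings that leave a server speaking deprecated protocols or ciphers."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; require TLSv1_2+")
    for suite in ctx.get_ciphers():          # the suites OpenSSL would really offer
        if not suite["aead"]:                # CBC + HMAC suites such as AES128-SHA
            findings.append(f"non-AEAD cipher suite enabled: {suite['name']}")
        elif suite["strength_bits"] < 128:
            findings.append(f"weak cipher suite enabled: {suite['name']}")
    return findings

def legacy_server_context():
    """The weak setting: TLS 1.0 and every suite OpenSSL still knows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # 1.0 and 1.1 deprecated by RFC 8996
    ctx.set_ciphers("ALL")                       # re-enables CBC suites with SHA-1 MACs
    return ctx

def hardened_server_context(certfile=None, keyfile=None):
    """The corrected setting: TLS 1.2+ with forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # TLS 1.3 suites remain enabled
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server picks the suite order
    if certfile:   # placeholder paths: your leaf + intermediates and private key
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

if __name__ == "__main__":
    print("legacy  :", audit_server_context(legacy_server_context()))
    print("hardened:", audit_server_context(hardened_server_context()))
```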
6. Incomplete Certificate Chain
If you closely inspect an SSL certificate in the browser, you’ll see that there are several certificates in a hierarchical structure. The root certificate is your client’s certificate that comes from your device and browser. It signs the intermediate certificate that protects your root certificate data. The intermediate certificate is a server-side certificate that acts as an agent between the client and server to encrypt the connection and prevent data leaks on both sides. The last certificate is the one issued by the CA to the host.
If any of those three certificates is invalid or unable to encrypt data correctly, you’ll get the “Incomplete certificate chain” error, making it impossible to establish a secure connection.
Depending on which certificate is broken, you need to fix your server configuration or use another SSL/TLS Certificate.
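As an added example (not from the original article), this Python function performs the chain building a client does with the certificates a server sends: starting from the host certificate, it follows each issuer to the next certificate in the set until it reaches a root in the client's trust store, and reports the incomplete-chain case. The subject and issuer names are constructed, the records stand in for what openssl s_client -showcerts would display, and signatures and dates are not verified here:

```python
# Constructed records of the certificates a server sends, as a practitioner would
# transcribe them from `openssl s_client -showcerts`; no real certificates involved.
LEAF = {"subject": "CN=www.example.com", "issuer": "CN=Example Intermediate CA", "ca": False}
INTERMEDIATE = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA", "ca": True}
TRUST_STORE = {"CN=Example Root CA"}     # roots shipped with the client's OS/browser

COMPLETE_CHAIN = [LEAF, INTERMEDIATE]   # what a correctly configured server sends
INCOMPLETE_CHAIN = [LEAF]               # the classic misconfiguration: no intermediate

def build_chain(sent_by_server, trust_store):
    """Walk leaf -> intermediate(s) -> a root the client already trusts.

    Returns (ordered_chain, problem); problem is None when the chain is complete.
    Only issuer/subject links are checked here, not signatures or validity dates.
    """
    if not sent_by_server:
        return [], "server sent no certificate"
    by_subject = {c["subject"]: c for c in sent_by_server}
    leaf = sent_by_server[0]            # TLS requires the host certificate first
    chain, current = [leaf], leaf
    while current["issuer"] not in trust_store:
        if current["issuer"] == current["subject"]:
            return chain, f"self-signed {current['subject']} is not in the trust store"
        nxt = by_subject.get(current["issuer"])
        if nxt is None:
            return chain, f"incomplete chain: {current['issuer']} was not sent by the server"
        if not nxt["ca"] or nxt in chain:   # non-CA issuer or a loop in the links
            return chain, f"{nxt['subject']} cannot act as an issuer here"
        chain.append(nxt)
        current = nxt
    return chain, None

if __name__ == "__main__":
    for label, sent in (("complete", COMPLETE_CHAIN), ("incomplete", INCOMPLETE_CHAIN)):
        chain, problem = build_chain(sent, TRUST_STORE)
        print(label, [c["subject"] for c in chain], problem)
```

The root itself never needs to be sent: the walk stops as soon as an issuer is already in the trust store, which is why a server that omits only the intermediate fails while one that omits only the root succeeds.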
7. Revoked Certificate
If a certificate’s private key is compromised, attackers might use it to access sensitive data sent over the HTTPS connection. To prevent this, Certificate Authorities can revoke certificates that show signs of compromise. From a security perspective, it’s far better to see the warning for a revoked certificate than to browse an HTTPS website that could in theory be compromised.
To fix this issue, you need to create a new certificate containing a new, uncompromised public key, restoring a secure HTTPS connection.
SSL/TLS is a cornerstone of modern web security. This technology allows millions of users to buy, subscribe, and get paid online safely.
Even if you don’t sell anything, enabling HTTPS preserves your traffic, since browsers won’t show warnings, which improves your SEO and overall trust in your website. To achieve this, you must set up and maintain SSL/TLS certificates. Once you understand how they work, they are easy to fix. In most cases, creating a new certificate with a trusted Certificate Authority fixes the majority of problems; if not, you now have the answers you need.
Stay safe, and use TLS!