Common SSL Errors
Certificate Expired
# Check certificate expiry
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
# Renew with Certbot
sudo certbot renew
Certificate Name Mismatch
# Check what names the cert covers
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS
The certificate must include the exact domain name visitors use (including www vs non-www).
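The name check above can be scripted. This is an added example, not part of the original page: a POSIX shell function that takes the DNS line printed by the command above and reports whether a hostname is covered, including the rule that a wildcard such as *.example.org covers exactly one extra label. The function name san_covers and the sample SAN line are constructed for illustration.

```shell
# san_covers HOST SAN_LINE
# Returns 0 if HOST is covered by a DNS entry in SAN_LINE, the line printed by
#   openssl x509 -noout -text | grep DNS
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # Turn "DNS:a, DNS:b" into one lowercase name per line.
    names=$(printf '%s\n' "$2" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr '[:upper:]' '[:lower:]')
    # Read line by line so a "*" in a name is never glob-expanded.
    while IFS= read -r name; do
        case "$name" in
            '*'.*)
                # *.example.org covers www.example.org, but not
                # example.org itself and not a.b.example.org.
                suffix=${name#'*'}
                label=${host%"$suffix"}
                if [ "$label" != "$host" ] && [ -n "$label" ]; then
                    case "$label" in
                        *.*) ;;
                        *) return 0 ;;
                    esac
                fi
                ;;
            *)
                # Plain entry: must equal the hostname exactly.
                if [ -n "$name" ] && [ "$name" = "$host" ]; then return 0; fi
                ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# Constructed sample SAN line (not taken from a real certificate).
SAMPLE_SAN='                DNS:example.com, DNS:*.example.org'
for h in example.com www.example.com www.example.org example.org; do
    if san_covers "$h" "$SAMPLE_SAN"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```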
Incomplete Certificate Chain
# Test the chain
openssl s_client -connect example.com:443 -servername example.com
# Look for: "Verify return code: 0 (ok)"
# If not, you may be missing intermediate certificates
Fix: Use fullchain.pem instead of cert.pem in your web server config.
Mixed Content Warnings
The page loads over HTTPS but includes HTTP resources (images, scripts). Fix by updating all URLs to HTTPS or using protocol-relative URLs (//example.com/image.jpg).
Certbot Renewal Failures
# Test renewal
sudo certbot renew --dry-run
# Common issues:
# - Port 80 blocked (needed for HTTP-01 challenge)
# - DNS not pointing to server (for new domains)
# - Rate limited (too many cert requests)