SSL Certificate Error
An SSL certificate error means your browser could not establish a trusted, encrypted HTTPS connection, so it blocked the page and showed a warning such as "Your connection is not private". It is almost always a problem with the certificate or your device clock, not the page itself.
Updated June 2026 · 6 min read
Written by
Andrian Valeanu
Founder of Pulsetic
Andrian Valeanu founded Pulsetic and, before it, Designmodo. Across 15-plus years he has shipped web products, design tools, and monitoring software teams around the world rely on.
Reviewed by
Ionut Caval
Technical reviewer
Ionut Caval reviews Pulsetic's technical guides for accuracy. He works hands-on with web servers, networking, and uptime monitoring day to day, and makes sure the causes and fixes here hold up in production.
The short version: An SSL certificate error means your browser could not verify a website's HTTPS certificate, so it blocked the page behind a warning like "Your connection is not private". Usual suspects: an expired certificate, a wrong device clock, a hostname mismatch, or a missing intermediate certificate. If you are a visitor, check your clock first. If you own the site, renew or reinstall the certificate.
Key takeaways
- An SSL certificate error happens after the HTTPS handshake finishes and the browser has already read the certificate. The browser then refuses it because the credential is expired, untrusted, revoked, or issued for a different hostname. This is not a connection or cipher fault.
- The exact NET::ERR_CERT_* code tells you the cause. DATE points to expiry or a wrong device clock. AUTHORITY means an untrusted issuer or a missing intermediate. COMMON_NAME means the hostname is not on the certificate. REVOKED means the authority canceled it.
- On the visitor side, a wrong date and time on your own device causes this more than anything else. The browser leans on your clock to decide whether the certificate is valid right now.
- Owners fix it server-side. Renew before expiry, serve the full chain (fullchain.pem) so the intermediate travels with the leaf, and put every hostname in the Subject Alternative Name field.
- The expiry date sits inside the certificate and is readable from outside weeks ahead. An external SSL check can warn you long before a single visitor ever runs into the warning.
- Error type: HTTPS / TLS certificate error
- Whose side: Usually the website; sometimes your clock
- Fix difficulty: Easy to moderate
- Common cause: Expired certificate or wrong device clock
What does SSL Certificate Error mean?
Open an HTTPS website and the server hands your browser an SSL/TLS certificate. That certificate proves the server owns the domain and lets your browser encrypt the connection. Before trusting it, the browser runs three checks: is the certificate still valid, was it issued by a trusted authority, and does it match the exact hostname you typed? If any check fails, the browser stops cold and shows an SSL certificate error rather than load a page it cannot trust. In Chrome you usually see "Your connection is not private" with a code like NET::ERR_CERT_DATE_INVALID. Other browsers word it differently but mean the same thing.
Most of these errors trace back to the website or its certificate, so the owner is the one who fixes them. The main exception is a wrong clock on your own device, the most common reason a single visitor sees the warning while everyone else gets through. If you only need to read the page and you do not control the website, you are limited to a handful of safe checks. If you run the website, the fix lives on the server.
- 90 days: Let's Encrypt certificate lifetime
- 443: HTTPS port
- fullchain.pem: File that includes the intermediate
How the SSL Certificate Error appears
The wording changes depending on your browser, device, or server. Here is how this error commonly shows up:
Your connection is not private
Attackers might be trying to steal your information from example.com.
NET::ERR_CERT_AUTHORITY_INVALID
- NET::ERR_CERT_DATE_INVALID: expired or not yet valid
- NET::ERR_CERT_AUTHORITY_INVALID: untrusted or self-signed issuer
- NET::ERR_CERT_COMMON_NAME_INVALID: certificate hostname mismatch
- NET::ERR_CERT_REVOKED: certificate revoked by the authority
- SSL_ERROR_BAD_CERT_DOMAIN: Firefox hostname mismatch
- ERR_SSL_PROTOCOL_ERROR: TLS handshake or protocol failure
Common SSL certificate error codes and what to do
The exact code shown after "Your connection is not private" tells you which certificate check failed, which narrows down the fix.
| Error code | What it means | Most likely fix |
|---|---|---|
| NET::ERR_CERT_DATE_INVALID | The certificate is past its expiry date, has not started yet, or your device clock is set to the wrong date. | Visitor: correct your device date and time. Owner: renew the certificate with certbot renew and reload the web server. |
| NET::ERR_CERT_AUTHORITY_INVALID | The browser cannot trace the certificate to a trusted root, because it is self-signed, internal, or missing its intermediate certificate. | Owner: install a certificate from a public authority and serve the full chain (fullchain.pem) so the intermediate is included. |
| NET::ERR_CERT_COMMON_NAME_INVALID | The hostname you opened is not listed on the certificate, for example you visited www but only the bare domain is covered. | Owner: reissue the certificate listing every hostname in the Subject Alternative Name field, or add a redirect to the covered name. |
| NET::ERR_CERT_REVOKED | The issuing authority canceled the certificate before its expiry, often after a key compromise or mis-issuance. | Owner: request a fresh certificate, rotate the private key, and deploy the replacement; the old one cannot be reinstated. |
| ERR_SSL_PROTOCOL_ERROR | The TLS handshake failed before any certificate check, so this is usually a protocol, cipher, or server-config fault rather than a bad certificate. | Owner: enable TLS 1.2 and 1.3, remove outdated protocols, and confirm port 443 is open. Visitor: clear the browser SSL state and try another network. |
NET::ERR_CERT_* codes you have not seen yet
Beyond the common expiry and authority codes, these certificate-stage errors each point at a specific defect in the credential itself.
| Error code | What it means | Most likely fix |
|---|---|---|
| NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM | The certificate is signed with an algorithm browsers no longer trust, almost always SHA-1, which Chrome has blocked since version 56. | Owner: reissue the certificate signed with SHA-256 from any current authority; SHA-1 cannot be made acceptable again. |
| NET::ERR_CERT_SYMANTEC_LEGACY | The certificate traces back to a legacy Symantec, Thawte, GeoTrust, or RapidSSL root that Chrome distrusted over past mis-issuance. | Owner: replace it with a certificate from a currently trusted authority; the legacy root will never be re-trusted. |
| NET::ERR_CERT_INVALID | The certificate is malformed or fails a strict structural policy check, so the browser cannot parse or accept it at all. | Owner: reissue a standards-compliant certificate and confirm the file is not truncated or corrupted on the server. |
| NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED | The certificate is not logged in a public Certificate Transparency log, which Chrome requires for publicly trusted certificates. | Owner: obtain a certificate from an authority that submits to CT logs (every major public authority now does). |
| NET::ERR_CERT_SYMANTEC_LEGACY vs NET::ERR_CERT_AUTHORITY_INVALID | Both are trust failures, but SYMANTEC_LEGACY is a deliberate distrust of a once-valid root, while AUTHORITY_INVALID is usually self-signed, internal, or a missing intermediate. | Owner: for AUTHORITY_INVALID, install the full chain so the intermediate links to a trusted root; for SYMANTEC_LEGACY, reissue from a different authority. |
openssl commands to inspect a certificate from outside
Run these from any machine to read what the server is actually presenting, which separates an expiry problem from a chain or hostname problem.
| Goal | Command | What to look for |
|---|---|---|
| Read the validity dates | `echo \| openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \| openssl x509 -noout -dates` | notAfter in the past means expired; a notBefore in the future means not yet valid. |
| List the hostnames covered | `echo \| openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \| openssl x509 -noout -ext subjectAltName` | The exact host you visit, including www, must appear here or you get a COMMON_NAME error. |
| Check the full chain is sent | `openssl s_client -connect example.com:443 -servername example.com -showcerts` | Two or more certificate blocks means the intermediate is included; a single block means the chain is incomplete. |
| Confirm the issuer | `echo \| openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \| openssl x509 -noout -issuer` | A public authority confirms trust; your own name or hostname means a self-signed certificate. |
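An added example (not part of the original guide) that takes the text printed by the subjectAltName command in the table and decides whether a hostname is covered, including the rule that a wildcard stands for exactly one label. The function names and the sample output are constructed for illustration.

```python
def parse_san(openssl_text):
    """Extract DNS names from `openssl x509 -noout -ext subjectAltName` output."""
    names = []
    for line in openssl_text.splitlines():
        for item in line.split(","):
            item = item.strip()
            if item.startswith("DNS:"):
                names.append(item[4:].lower())
    return names

def name_matches(pattern, host):
    """Match one SAN entry against a hostname, label by label.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label: *.example.com covers www.example.com but not
    example.com and not a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: refuse a wildcard sitting directly under a
        # single top-level label, such as *.com.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covered(host, san_names):
    """True if any SAN entry covers the hostname the visitor typed."""
    return any(name_matches(n, host) for n in san_names)

# Constructed sample output (not captured from a real server).
SAMPLE_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.shop.example.com
"""

if __name__ == "__main__":
    names = parse_san(SAMPLE_OUTPUT)
    for host in ("example.com", "www.example.com",
                 "eu.shop.example.com", "shop.example.com"):
        verdict = "covered" if covered(host, names) else "NOT covered"
        print(f"{host}: {verdict}")
```

A host reported as not covered here is one that would produce the hostname-mismatch warning; the fix is to reissue with that name in the SAN list.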
What causes SSL Certificate Error?
- The certificate has expired, or has not started yet, so the browser rejects it with NET::ERR_CERT_DATE_INVALID.
- The certificate does not cover the hostname you opened. Maybe it is issued for the bare domain but you went to the www version, or the name is simply not in the certificate's Subject Alternative Name (SAN) field: NET::ERR_CERT_COMMON_NAME_INVALID.
- The certificate is self-signed, or it came from an authority the browser does not trust: NET::ERR_CERT_AUTHORITY_INVALID.
- The chain is incomplete. The intermediate certificate was never installed on the server, so the browser cannot link the leaf back to a trusted root.
- Your device's date and time are wrong. A perfectly valid certificate then looks expired or not yet valid. This one is genuinely on the visitor.
- The page pulls some resources, scripts, images, or iframes, over plain HTTP, which triggers mixed-content warnings on an otherwise secure page.
- The certificate was revoked by the issuing authority. Or an antivirus or corporate proxy is intercepting HTTPS and presenting its own untrusted certificate.
How to find the cause fast
- Click the padlock or "Not secure" in the address bar, open the certificate details, and read the issuer, the validity dates, and the names it covers.
- Check your device's date, time, and time zone. Set them to update automatically.
- Run an online SSL checker such as SSL Labs to test the chain, expiry, and hostname from outside.
- Open the website in incognito, in another browser, or on another device. That separates a server-side certificate problem from a local one.
How SSL Certificate Error looks from the outside
An expiring certificate is the rare outage you can actually see coming. The expiry date is printed inside the certificate, so a check from the outside can read it weeks ahead and warn you while the website is still working perfectly. That is the whole point: no one should first hear their certificate expired from a customer. And the errors we see most are not exotic attacks. They are lapsed auto-renewals and missing intermediate certificates, both visible long before a browser throws the warning.
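An added example, not part of the original guide and not Pulsetic's code: a minimal outside-in expiry check built on Python's standard `ssl` module. The 21-day warning threshold, the function names and the sample certificate dict are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with normal verification and return the peer certificate dict.

    Raises ssl.SSLCertVerificationError (see its .verify_message) when the
    certificate is already expired, untrusted, or issued for another name.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def expiry_status(cert, now=None, warn_days=21):
    """Classify a getpeercert() dict by its validity window.

    Returns (state, days_left); state is 'not_yet_valid', 'expired',
    'expiring_soon' or 'ok'. `now` is the checker's own clock, so a wrong
    clock on the monitoring host skews the result just as it does in a browser.
    """
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_left
    if now >= not_after:
        return "expired", days_left
    if days_left < warn_days:  # warn_days=21 is an assumed threshold
        return "expiring_soon", days_left
    return "ok", days_left

# Constructed sample in getpeercert() format (not a real certificate):
# a 90-day validity window.
SAMPLE_CERT = {
    "notBefore": "Mar  1 00:00:00 2026 GMT",
    "notAfter": "May 30 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    for day in ("2026-02-20", "2026-04-01", "2026-05-20", "2026-06-02"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, expiry_status(SAMPLE_CERT, now))
```

Against a live site, pass the result of `fetch_cert("example.com")` to `expiry_status`; a verification exception from `fetch_cert` means visitors are already seeing the warning.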
How to fix SSL Certificate Error
If you are a visitor
- Check your device's date, time, and time zone, and set them to update automatically. A wrong clock is the single most common visitor-side cause of this error.
- Hard-refresh the page to clear a stale cached version, then try the website again.
- Switch browser, device, or network. If the warning shows up on only one of them, the problem is local to that device or connection, not the website.
- On public or guest Wi-Fi, move to a trusted network or your phone's hotspot. Captive portals and shared networks can interfere with HTTPS.
- Continue past the warning only if you fully trust the website and are not sending anything sensitive. Never bypass an SSL error to log in, pay, or enter personal data. Report the error to the website owner instead.
If you run the website
- Renew the certificate if it has expired, for example with certbot renew, then reload your web server so it picks up the new one.
- Install the full certificate chain, intermediate included, so browsers can trace your certificate back to a trusted root.
- Cover the exact hostname visitors use, both the bare domain and www, by listing every name in the SAN field.
- Automate renewal so the certificate is replaced well ahead of expiry instead of waiting on a manual reminder.
- Verify from outside with `openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts` or an online SSL checker. Confirm the expiry date, the hostname, and that the response carries the full chain (two or more certificate blocks, not just your own).
- Clear up any mixed content by serving every script, image, font, and iframe over HTTPS so the page stays fully secure.
Still not fixed? Next steps
- Renewal worked but the error sticks around? The old certificate is almost certainly cached or pinned somewhere in front of the origin. Purge your CDN or reverse-proxy cache and reload the edge so it picks up the new certificate.
- When openssl shows a valid certificate yet only some visitors hit the error, suspect a missing intermediate that their devices cannot fetch for themselves. Serve fullchain.pem instead of the leaf alone, then re-test from a clean device.
- A revoked certificate means the private key is compromised, full stop. Rotate the key, reissue, and deploy the replacement. A revoked certificate is never coming back.
- Running many hostnames or short-lived certificates? Put external SSL monitoring in place. It reads the expiry date and chain from outside and warns you ahead of expiry, so one missed renewal never reaches a visitor.
Code & configuration
Copy-paste starting points. Replace example.com and the paths with your own, and test changes on staging before production.
Renew the certificate (Certbot)
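```bash
# Rehearse the renewal without changing anything on disk
certbot renew --dry-run
# Renew every certificate that is close to expiry
certbot renew
# Reload Nginx so it serves the renewed certificate
sudo systemctl reload nginx
```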
Check the certificate and full chain from outside
```bash
openssl s_client -connect example.com:443 -servername example.com -showcerts
```
Serve the full chain, not just the leaf (Nginx)
```nginx
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
```
How to prevent SSL Certificate Error
Most SSL certificate errors stay silent until a visitor walks into one, because a certificate can expire or lose its chain without your website going down at all. Pulsetic's SSL certificate monitoring checks your certificate from outside on a schedule and alerts you ahead of the expiry date, and the moment it turns invalid or misconfigured, so you can renew or reinstall before users ever see a warning. Alerts come through by email, SMS, voice call, Slack, Discord, Telegram, or webhook, and SSL checks run alongside Pulsetic's uptime monitoring, so one tool watches both that your website is up and that its certificate is trusted.
Frequently asked questions
Is an SSL certificate error dangerous to bypass?
On a website you trust where you are only reading content, clicking through is usually low risk. The catch: the same warning shows up when a connection is being intercepted, so never bypass it to log in, make a payment, or enter personal data. When in doubt, leave the website and contact its owner.
Why does only my computer show the SSL error when everyone else can open the website?
Most likely your device has the wrong date and time. Browsers use your clock to judge whether a certificate is currently valid, so if it is off by days or years, a good certificate looks expired. Fix the clock, turn on automatic time, and it usually clears. A stale cache, an outdated browser, or security software intercepting HTTPS can also produce a single-device error.
How long do SSL certificates last?
Not long. Publicly trusted certificates are issued for short windows, commonly a year or less, and free authorities like Let's Encrypt issue 90-day certificates. Because those windows are short, the safe play is automatic renewal plus monitoring that warns you before the expiry date, so a lapse never reaches your visitors.
What is the difference between an expired certificate and an untrusted one?
An expired certificate was valid once, but its dates have passed. You see NET::ERR_CERT_DATE_INVALID, and the fix is renewal. An untrusted certificate, NET::ERR_CERT_AUTHORITY_INVALID, is one the browser cannot tie to a recognized authority, usually because it is self-signed or the intermediate is missing. The fix there is to install a properly issued certificate with its full chain.
Is a free SSL certificate less secure than a paid one?
No. A free certificate from an authority like Let's Encrypt uses the same encryption and earns the same browser trust as a paid one, so the padlock and the protection are identical. Paying for a commercial certificate buys you extras around the certificate, things like organization-validated or extended-validation vetting, longer support, warranties, and bundled tooling, not stronger encryption. For most websites, a free auto-renewing certificate removes the single most common cause of SSL errors: a lapsed manual renewal.
What is an intermediate certificate, and why does a missing one break HTTPS?
Browsers trust only a small set of root certificates, kept offline for safety. So authorities sign your certificate with an intermediate certificate that links back to one of those roots. Your browser then follows the chain from your certificate, through the intermediate, to a trusted root before it loads the page. Send only your own certificate and skip the intermediate, and many browsers cannot complete that chain. They show NET::ERR_CERT_AUTHORITY_INVALID even though the certificate is perfectly valid. Serving fullchain.pem rather than the bare leaf bundles the intermediate in and fixes it.
Why is there no "Proceed anyway" link on some SSL warnings?
A website that sends an HSTS header is telling browsers to connect only over a trusted HTTPS connection. The browser responds by stripping the bypass link, so you cannot click past a certificate warning at all. This is on purpose. It protects logins and payments, and it means the only real fix lives on the server: correct the certificate so it is valid and trusted again. As a visitor you cannot safely override it, and you should not try. Contact the website owner instead.