Visitors see a security warning
Visitors are seeing a security warning instead of your site, and you need to know what's wrong and how to fix it — fast. This page routes you from the browser's error code to the specific SSL issue.
Symptom
- Visitors see a full-page browser warning instead of your site (e.g. "Your connection is not private", "This site can't provide a secure connection")
- The padlock icon is missing from the address bar
- A browser-specific error code is shown —
NET::ERR_CERT_*in Chrome/Edge,SSL_ERROR_*orMOZILLA_PKIX_*in Firefox, error numbers in Safari
What it means
Browsers show full-page warnings when they don't trust a site's SSL certificate. The warning is deliberately scary because the browser is protecting visitors from a potentially compromised connection. There are several distinct reasons this happens — the browser error code tells you which one applies, and each has its own troubleshooting page below.
Possible underlying issues
Match the browser's error code (or DomainDash's status) to one of these:
| Browser error | DomainDash error_code | Issue |
|---|---|---|
NET::ERR_CERT_DATE_INVALID (expiry in past) | expired | Certificate expired |
NET::ERR_CERT_DATE_INVALID (start in future) | not_yet_valid | Certificate not yet valid |
NET::ERR_CERT_COMMON_NAME_INVALID | wrong_host | Hostname doesn't match certificate |
NET::ERR_CERT_AUTHORITY_INVALID (self-signed) | self_signed | Self-signed certificate |
NET::ERR_CERT_AUTHORITY_INVALID (with intermediates) | untrusted_root | Certificate signed by an untrusted authority |
NET::ERR_CERT_REVOKED | revoked | Certificate has been revoked |
NET::ERR_CERT_INVALID (signature) | bad_signature | Certificate signature is invalid |
SSL_ERROR_HANDSHAKE_FAILURE or no cert presented | tls_error | TLS handshake failed |
How to identify which issue you have
Open DomainDash and look at the SSL check status for the affected site. The error code shown in the badge tells you exactly which issue you have.
If you can't reach DomainDash, run this from any terminal:
bashopenssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuerLook at the dates first (expired? not yet valid?), then the subject (does it cover your domain?), then the issuer (is it a recognised CA?).
Open the site in an incognito Chrome window. Click "Not secure" in the address bar, then "Certificate is not valid". The reason shown is the underlying issue.
How to verify
After applying the fix from the specific issue page:
- Open the site in an incognito window — the padlock should appear cleanly.
- Click "Check now" in DomainDash — status should flip to Healthy.
Related
- SSL certificates — overview of what DomainDash checks
- How incidents work — how DomainDash confirms and notifies about SSL issues