SSL Certificate Browser Errors

Solution ID : TB15
Last Modified : 01/03/2025

 

This article covers common browser errors which may appear when testing your SSL certificate.

 

NET::ERR_CERT_AUTHORITY_INVALID

NET::SEC_ERROR_UNKNOWN_ISSUER

NET::PKIX_ERROR_SELF_SIGNED_CERT

NET::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

  • If you receive any of these error messages, then it usually means that you have either installed a self-signed certificate or the Intermediate CA (ICA) certificate is missing. Please ensure that the correct certificate is installed on your server along with the ICA.
  • You can check whether your certificate and ICA have been correctly installed using our online certificate checker.
  • You can also refer to this URL which contains SSL certificate installation guides for various servers.

 

NET::ERR_CERT_COMMON_NAME_INVALID

NET::DLG_FLAGS_SEC_CERT_CN_INVALID

SSL_ERROR_BAD_CERT_DOMAIN

  • These error messages mean that the common name on the certificate does not match the domain name used by your server. For a certificate to be trusted, the certificate must include the domain name used by your server as either the common name or one of the SANs on the certificate. If the domain name is missing, you will need to generate a CSR, re-issue the certificate and add the missing domain name to the certificate.

 

NET::ERR_CERT_DATE_INVALID

  • This error usually means that the certificate has expired. If you have not already done so, you will need to generate a new CSR and either re-issue or renew your certificate. Information on generating a new CSR can be found here.
  • If you have recently installed a new certificate, then it is possible that the certificate binding on the server may not have been updated. Please check this URL for detailed steps on SSL installations to ensure that the configuration is complete. 
  • There may be a firewall or load balancer which is still serving the old certificate. A look-up of the IP address for the domain will confirm whether the public IP belongs to your server or not. If it belongs to a firewall or load balancer, then the certificate must also be installed there.
  • A fourth possibility is that an incorrect date or time has been set on either the server or on the machine from which you are connecting. Adjusting the date or time on either the server or your local machine to the correct date and time can resolve this issue.
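
The three certificate checks described so far (self-signed, name mismatch, invalid dates) can be reproduced offline. The following is an added example, not DigiCert tooling: it triages a certificate in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the sample certificates, host names and the `triage` helper are constructed for illustration. Treating issuer equal to subject as "self-signed" is a simplification.

```python
import ssl

def _dn(cn):
    # Distinguished name in the nested-tuple shape getpeercert() uses.
    return ((("commonName", cn),),)

def _names(cert):
    # SAN dNSName entries; fall back to the subject CN only when no SAN exists.
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]

def _matches(pattern, host):
    # Exact match, or a wildcard that stands in for exactly one leftmost label.
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def triage(cert, host, now):
    """Return which of the article's certificate problems apply to `cert`."""
    findings = []
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed")      # AUTHORITY_INVALID / SELF_SIGNED_CERT
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid")    # ERR_CERT_DATE_INVALID (or a wrong clock)
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")          # ERR_CERT_DATE_INVALID
    if not any(_matches(n, host) for n in _names(cert)):
        findings.append("name-mismatch")    # ERR_CERT_COMMON_NAME_INVALID
    return findings

# Constructed sample data (not real certificates).
NOW = ssl.cert_time_to_seconds("Jan  3 00:00:00 2025 GMT")
GOOD = {"subject": _dn("example.com"), "issuer": _dn("Example Issuing CA"),
        "notBefore": "Jun  1 00:00:00 2024 GMT", "notAfter": "Jun  1 00:00:00 2025 GMT",
        "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}
OLD_SELF_SIGNED = dict(GOOD, issuer=_dn("example.com"),
                       notAfter="Dec  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com"):
        print(host, triage(GOOD, host, NOW))
    print("example.org", triage(OLD_SELF_SIGNED, "example.org", NOW))
```

The wildcard entry covers `www.example.com` but not `a.b.example.com`, which is why a multi-level host name still needs its own SAN on a re-issued certificate.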

 

NET::ERR_SSL_OBSOLETE_VERSION

NET::ERR_SSL_PROTOCOL_ERROR

  • These errors are the result of a server which uses deprecated protocols. Any server which uses the SSL v3, TLS v1.0 or TLS v1.1 protocols will produce this error as these protocols are no longer considered secure. These should be disabled in favor of the TLS v1.2 and TLS v1.3 protocols.
  • If you are unsure how to update the protocols on your server, you will need to consult your server documentation or reach out to your server vendor for assistance.

 

NET::ERR_CERT_REVOKED

  • This error means that the certificate has been revoked and will have to be replaced. If you have imported a new certificate, you need to ensure that the installation has been completed. Instructions for installing your certificate can be found here.
  • Another possibility is that there may be a firewall or load balancer which is still serving the old certificate. A look-up of the IP address for the domain will confirm whether the public IP belongs to your server or not. If it belongs to a firewall or load balancer, then the certificate must also be installed there.
  • If the revoked certificate is a certificate that you have recently installed and you are unaware of a revocation request, then you are welcome to request a live agent to assist you.

 

NET::ERR_SSL_VERSION_INTERFERENCE

  • This error can occur if your server exclusively uses the latest version of the TLS protocol (currently TLS v1.3). Should this be the case, it is recommended that you enable TLS v1.2 as this protocol is more ubiquitous across the various browsers.

 

NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

  • This error means that Certificate Transparency (CT) logging was not enabled for the certificate. This should only occur if CT logging has been disabled for your account or when the person who placed the order selected the option to disable CT logging for this specific certificate.
  • You can check whether CT logging has been disabled for your account using this guide.
  • If CT logging was only disabled for this specific certificate, you can simply re-issue the certificate and ensure that the check box labeled "Don’t log this certificate to public CT logs" is unticked before you submit the re-issue request.

 

NET::SSL_ERROR_RX_RECORD_TOO_LONG

  • This error can occur if your server is not using the latest versions of the TLS protocol (currently TLS v1.2 and TLS v1.3). Should this be the case, it is recommended that you enable these protocols and that you also disable the older SSL v3, TLS v1.0 and TLS v1.1 protocols as these are no longer considered secure.
  • Another potential cause is that the listening port for SSL connections on your server is not configured. The default port for SSL is 443. You can refer to this URL for SSL certificate installation guides.

 

NET::SSL_ERROR_NO_CYPHER_OVERLAP

  • This error can occur if your server is not using the latest versions of the TLS protocol (currently TLS v1.2 and TLS v1.3). Should this be the case, it is recommended that you enable these protocols and that you also disable the older SSL v3, TLS v1.0 and TLS v1.1 protocols as these are no longer considered secure.
  • In addition to the above, your server may be using outdated or weak cipher suites. This can be tested using our online certificate checker.
  • If your server does use outdated cipher suites, these should be disabled. Please consult your server documentation or contact your server vendor.

 

NET::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

  • This error means that the server is using a protocol or cipher suite which is not supported by the browser. Browsers typically only support protocols or cipher suites which are considered secure.
  • This error can occur if your server is not using the latest versions of the TLS protocol (currently TLS v1.2 and TLS v1.3). Should this be the case, it is recommended that you enable these protocols and that you also disable the older SSL v3, TLS v1.0 and TLS v1.1 protocols as these are no longer considered secure.
  • In addition to the above, your server may be using outdated or weak cipher suites. This can be tested using our online certificate checker.
  • If your server does use outdated cipher suites, these should be disabled. Please consult your server documentation or contact your server vendor.
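
For the SSL_ERROR_RX_RECORD_TOO_LONG and version or cipher mismatch sections above, it helps to see what a client reads in the first bytes a server returns. The following is an added example, not DigiCert tooling: it parses the 5-byte TLS record header and shows why a plaintext HTTP reply on the SSL port looks like an oversized record, and how the alerts a server sends when it shares no protocol version or cipher suite with the client appear on the wire. The byte strings and the `classify_first_record` helper are constructed for illustration.

```python
import struct

MAX_RECORD = 2**14 + 2048   # upper bound on a TLS 1.2 ciphertext record (RFC 5246)
CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}   # RFC 5246 / RFC 8446

def classify_first_record(data):
    """Read a server's first bytes as a 5-byte TLS record header plus body."""
    if len(data) < 5:
        return "truncated"
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    # Length is checked first in this example: plaintext read as a header
    # usually yields an oversized length, the "record too long" symptom.
    if length > MAX_RECORD:
        return "record-too-long"
    if ctype not in CONTENT or major != 3:
        return "not-tls"
    if ctype == 21 and len(data) >= 7:
        return "alert:" + ALERTS.get(data[6], str(data[6]))   # data[5] is the level
    return CONTENT[ctype]

# Constructed samples of what a server might send back first.
PLAINTEXT_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"   # port 443 without SSL enabled
ALERT_VERSION = bytes.fromhex("15030300020246")         # fatal alert 70
ALERT_HANDSHAKE = bytes.fromhex("15030300020228")       # fatal alert 40
HELLO_HEADER = bytes.fromhex("160303005a")              # start of a handshake record

if __name__ == "__main__":
    for name, blob in [("plaintext", PLAINTEXT_HTTP), ("version", ALERT_VERSION),
                       ("cipher", ALERT_HANDSHAKE), ("hello", HELLO_HEADER)]:
        print(name, classify_first_record(blob))
```

In the plaintext case the characters `P/` of `HTTP/` land in the length field and decode to 20527 bytes, which exceeds the record limit.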