SSL errors are alarming because the browser blocks the page and shows a red warning, but most of them come from a handful of predictable causes. Here are the ones you'll actually run into, what triggers each, and how to fix it.
SSL_ERROR_RX_RECORD_TOO_LONG
This Firefox error almost always means one thing: the server is sending plain HTTP on port 443. The browser expects an encrypted handshake and gets unencrypted text instead.
- Cause: SSL isn't actually enabled on 443, or a proxy/redirect is serving HTTP there.
- Fix: confirm the certificate is installed and bound to port 443, and that your virtual host is listening with SSL on.
ERR_SSL_PROTOCOL_ERROR
- Cause: the browser and server can't agree on a protocol — often an old config forcing a retired protocol, or a broken certificate.
- Fix: serve TLS 1.2/1.3 only, remove deprecated protocol directives, and re-test the certificate.
NET::ERR_CERT_DATE_INVALID
- Cause: the certificate is expired — or the device clock is wrong.
- Fix: renew the certificate if it lapsed; if only one device shows the error, fix that device's date and time.
NET::ERR_CERT_AUTHORITY_INVALID
- Cause: the certificate isn't trusted — usually a missing intermediate chain, or a self-signed certificate.
- Fix: install the full chain (certificate + intermediate); replace self-signed certs with a CA-issued one for public sites.
NET::ERR_CERT_COMMON_NAME_INVALID (Name Mismatch)
- Cause: the domain you visited isn't covered by the certificate — for example the cert covers example.com but not www.example.com.
- Fix: reissue with the right names in the SAN field, or use a wildcard or multi-domain certificate.
Mixed Content Warning
- Cause: the page loads over HTTPS but pulls images, scripts, or styles over HTTP.
- Fix: update those resource URLs to https:// so the whole page is secure.
Incomplete Certificate Chain
- Cause: the server sends the leaf certificate but not the intermediate, so some clients can't build trust even though others can.
- Fix: add the intermediate to your config (the fullchain file on Nginx, ChainFile on Apache).
Expired Certificate
- Cause: the certificate passed its validity date.
- Fix: renew and reinstall; set an expiry reminder so it doesn't happen again.
💡
Diagnose before you guessMost of these look the same to a visitor — a blocked page — but the fix is different each time. Running the domain through an SSL checker tells you which problem you actually have before you start changing config.
The red warning is the same; the cause rarely is. Check first, then fix.
