LightYear
/Docs
DocsTroubleshootingFix SSL Certificate Errors

Fix SSL Certificate Errors

Diagnose and resolve common SSL/TLS certificate errors including expired certificates and chain issues.

beginner
6 min read
LightYear Docs Team
Updated April 24, 2026
ssltlscertificatehttpslets-encrypttroubleshooting
Ready to get started?

SSL certificate errors prevent users from accessing your website securely. This guide covers the most common SSL errors and how to fix them.

Check Certificate Expiry

>_BASH
$echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
OUTPUT
notBefore=Jan 24 10:00:00 2026 GMT
notAfter=Apr 24 10:00:00 2026 GMT

Check days until expiry:

>_BASH
$echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2 | xargs -I{} date -d "{}" +%s | xargs -I{} bash -c 'echo "Days until expiry: $(( ({} - $(date +%s)) / 86400 ))"'

Error: Certificate Expired

Symptoms: Browser shows "Your connection is not private" with ERR_CERT_DATE_INVALID.

Resolution: Renew the Let's Encrypt certificate:

>_BASH
$certbot renew --force-renewal
$systemctl reload nginx

If auto-renewal is failing, check the Certbot logs:

>_BASH
$cat /var/log/letsencrypt/letsencrypt.log | tail -50

Error: Certificate Chain Incomplete

Symptoms: Certificate works in browsers but fails in some API clients or curl.

Check the chain:

>_BASH
$openssl s_client -connect example.com:443 -showcerts 2>/dev/null | grep "s:|i:"

Ensure your Nginx config uses fullchain.pem (not just cert.pem):

NGINX
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Error: Certificate Name Mismatch

Symptoms: ERR_CERT_COMMON_NAME_INVALID — the domain does not match the certificate.

Check the certificate's domain:

>_BASH
$echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName

If the domain is not covered, obtain a new certificate:

>_BASH
$certbot --nginx -d example.com -d www.example.com -d api.example.com

Test SSL Configuration

Use the SSL Labs API to test your configuration:

>_BASH
$curl "https://api.ssllabs.com/api/v3/analyze?host=example.com&publish=off&all=done" | python3 -m json.tool | grep "grade|status"

Recommended Nginx SSL Configuration

NGINX
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000" always;

[!TIP] Run certbot renew --dry-run monthly to verify that auto-renewal is working before the certificate actually expires.

Was this article helpful?

Your cookie choices for this website

This site uses cookies and related technologies, as described in our privacy policy, for purposes that may include site operation, analytics, and enhanced user experience. You may choose to consent to our use of these technologies, or manage your own preferences. Cookie policy