What is an SSL/TLS certificate?
An SSL/TLS certificate establishes the encrypted HTTPS connection between your server and visitors' browsers. It also authenticates your server's identity — proving to the browser that it is genuinely talking to your domain and not an impersonator.
When something is wrong with your certificate, browsers display security warnings, search engines may penalise your site, and in some cases the connection is blocked entirely. Automated clients and APIs that enforce strict certificate validation will fail silently.
Finding types and what to do
Expired certificate
The certificate's validity period has passed. Browsers will show a hard warning blocking visitors from proceeding.
Fix: Renew or reissue the certificate immediately. If you use Let's Encrypt, enable auto-renewal via certbot renew on a cron schedule or systemd timer. Most managed hosting platforms renew automatically — check whether auto-renewal is enabled and that your hosting account is in good standing.
Prevention: Set up monitoring or calendar reminders 30 days before expiry. Let's Encrypt certificates are valid for 90 days and are designed to be renewed automatically.
Self-signed certificate
The certificate was signed by the server itself rather than a trusted Certificate Authority. Browsers do not trust self-signed certificates for public-facing services and will show a security error.
Fix: Replace the self-signed certificate with one issued by a trusted CA. Free options:
- Let's Encrypt — Free, automated, widely supported. Use certbot or your hosting platform's built-in integration.
- ZeroSSL — Another free, automated option.
Self-signed certificates are acceptable only for internal services where all clients are explicitly configured to trust them.
Weak cipher suites or protocol version
Your server supports outdated TLS protocol versions (TLS 1.0, TLS 1.1, SSLv3) or weak cipher suites (RC4, DES, export-grade ciphers). These have known vulnerabilities that allow downgrade or decryption attacks.
Fix: Configure your server to use TLS 1.2 minimum, with TLS 1.3 preferred.
Nginx:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
Apache:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...
Use the Mozilla SSL Configuration Generator to generate a recommended configuration for your server and use case.
Certificate hostname mismatch
The certificate is valid but was issued for a different domain name (e.g. the certificate covers www.yourdomain.com but the scan found it served on mail.yourdomain.com).
Fix: Issue a new certificate that covers the correct hostname. Wildcard certificates (*.yourdomain.com) cover all direct subdomains and reduce the risk of hostname mismatches across your infrastructure.
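As an added example (not part of the original page), the Python below implements the two checks behind the expiry and hostname-mismatch findings above: how many days remain before the certificate's notAfter date, using the 30-day warning window, and whether the certificate's subjectAltName entries cover the hostname actually being served, with a wildcard matching exactly one label (so *.yourdomain.com covers mail.yourdomain.com but not deeper subdomains). SAMPLE_CERT is a constructed dict in the layout of ssl.SSLSocket.getpeercert(), and the utc() helper fixes "now" so results are reproducible; on a live server you would pass real getpeercert() output instead.

```python
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # warn this many days before expiry, as the prevention advice above suggests

def utc(year, month, day):  # helper for a fixed, reproducible "now"
    return datetime(year, month, day, tzinfo=timezone.utc)

def days_until_expiry(cert, now=None):
    """Whole days left in the validity period (negative once expired).
    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def expiry_status(cert, now=None):
    """'expired', 'expiring-soon' (within WARN_DAYS) or 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    return "expiring-soon" if days <= WARN_DAYS else "ok"

def name_matches(pattern, hostname):
    """RFC 6125 style comparison: '*' stands for exactly one leftmost label, so
    *.yourdomain.com covers mail.yourdomain.com but not a.b.yourdomain.com or yourdomain.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".yourdomain.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[:-len(suffix)]
    return bool(label) and "." not in label

def hostname_covered(cert, hostname):
    """True if a DNS entry in subjectAltName covers `hostname`. Browsers ignore
    the subject CN when SANs are present, so only SANs are consulted."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(san, hostname) for san in sans)

# Constructed sample in getpeercert() layout (not a real certificate). It covers
# www.yourdomain.com but not mail.yourdomain.com, the mismatch case described above.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.yourdomain.com"), ("DNS", "yourdomain.com")),
    "notAfter": "Jun 26 12:00:00 2026 GMT",
}

def check(cert, hostname, now=None):
    """Run both checks against one hostname and return the findings."""
    return {"expiry": expiry_status(cert, now), "hostname_ok": hostname_covered(cert, hostname)}
```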
Certificate chain incomplete
The server is not sending the full certificate chain (the intermediate CA certificates). Some clients may not be able to verify the certificate and will show errors.
Fix: Configure your server to serve the complete chain. For Let's Encrypt, use fullchain.pem (not just cert.pem) as the certificate file:
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
Verify your full configuration
Use the SSL Labs Server Test for a comprehensive graded report covering protocol versions, cipher suites, certificate chain, and known vulnerabilities. Aim for an A or A+ rating.
Last updated: March 28, 2026