SSL Certificate FAQ
Answers to the most common SSL certificate problems: auto-renewal failures, chain errors, mixed content, and why browsers sometimes show warnings after you have already renewed.
My Let's Encrypt certificate expired even though auto-renewal should have worked. Why?
Let's Encrypt auto-renewal via certbot runs as a cron job or systemd timer. Common failure reasons:
Certbot not running: Check if the cron job or timer is active. Run certbot renew --dry-run manually to test.
Port 80 blocked: The HTTP-01 challenge requires port 80 to be open. If your firewall blocks port 80, the challenge fails. Solution: use DNS-01 challenge instead, or temporarily open port 80.
Web root mismatch: The webroot challenge writes a file to your document root. If your config points to the wrong directory, the challenge fails. Check --webroot-path matches your actual web root.
Certbot out of date: Old versions of certbot sometimes fail silently. Update certbot: pip install --upgrade certbot.
Server was down during renewal attempt: Certbot retries, but if the server was unreachable for the entire renewal window, it fails. The certificate expires 30 days after the first failed renewal attempt (renewal attempts start at 30 days before expiry).
My browser still shows a security warning after I renewed the certificate. Why?
Old certificate cached: Browsers cache SSL state. Hard refresh (Ctrl+Shift+R) or clear the browser cache.
Wrong certificate installed: You renewed, but the server is still serving the old certificate because it has not re-read the files. Reload nginx/apache after renewal: sudo systemctl reload nginx.
Mixed content: Your site loads resources (images, scripts) over HTTP while the page itself is HTTPS. Browsers block or warn about mixed content. Fix: make sure every resource uses an https:// URL or a protocol-relative // URL.
Certificate chain incomplete: The server is sending the leaf certificate but not the intermediate. Install the full chain (fullchain.pem for Let's Encrypt, not cert.pem).
HSTS cached old state: If you previously served the site over HTTP and the browser has HSTS cached from an old misconfigured state, clear HSTS in browser settings.
What is a certificate chain error and how do I fix it?
A certificate chain error means the browser cannot verify the path from your certificate to a trusted root CA. This happens when the server only sends the leaf certificate without the intermediate certificate(s).
Fix for Nginx: use fullchain.pem, NOT cert.pem; fullchain.pem contains both the leaf and the intermediates:
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
Fix for Apache: give it the leaf and the intermediates in separate directives:
SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated; there you can point SSLCertificateFile at fullchain.pem and drop the chain directive. After either change, reload the server and confirm the intermediate is actually being sent (for example with openssl s_client -connect yourdomain.com:443 -showcerts, which lists every certificate the server presents).
What is mixed content and why does it break HTTPS?
Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, fonts, iframes) over HTTP. Browsers block or warn about this because it undermines the security of the HTTPS connection — an attacker on the network can intercept and modify the HTTP resources.
Active mixed content (scripts, iframes over HTTP): blocked by all modern browsers.
Passive mixed content (images, videos over HTTP): shown with a warning, not blocked.
How to find and fix it:
- Open browser DevTools (F12) → Console → look for "Mixed Content" warnings.
- Update all resource URLs to use https:// or protocol-relative //.
- If you use a CMS, search the database for http:// URLs pointing to your own domain and update them.
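The DevTools console check above is manual. As an added example (not part of this FAQ and not ElasticDomain's code), here is a Go scanner that applies the same active/passive split over a page's markup: it flags only plain http:// references in resource-loading elements and leaves https:// and protocol-relative // URLs alone, which is exactly the fix the FAQ recommends. The HTML it scans is constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one sub-resource that an HTTPS page would fetch over plain HTTP.
type Finding struct {
	Tag    string // element that references the resource, e.g. "script"
	URL    string // the http:// URL exactly as written in the markup
	Active bool   // true: blockable (scripts, iframes, stylesheets, plugins); false: passive (images, media)
}

// tagRe captures a resource-loading element and its raw attribute string.
var tagRe = regexp.MustCompile(`(?is)<(script|iframe|link|object|embed|img|video|audio|source)\b([^>]*)>`)

// httpRefRe finds a src= or href= attribute whose value is a plain http:// URL.
// https:// and protocol-relative // values never match, which is the fix the FAQ recommends.
var httpRefRe = regexp.MustCompile(`(?i)(?:^|\s)(?:src|href)\s*=\s*["']?(http://[^"'\s>]+)`)

// relStylesheetRe keeps only <link> elements that load a stylesheet into the page;
// rel=canonical, alternate and the like are metadata and are not fetched.
var relStylesheetRe = regexp.MustCompile(`(?i)\brel\s*=\s*["']?[^"'>]*\bstylesheet\b`)

// isActive mirrors the FAQ's split: active content is blocked, passive is only warned about.
func isActive(tag string) bool {
	switch tag {
	case "script", "iframe", "link", "object", "embed":
		return true
	}
	return false // img, video, audio, source
}

// FindMixedContent scans the raw HTML of an HTTPS page for http:// sub-resources.
// It is a tag-level scan of the markup, not a DOM parse, so it does not see
// resources pulled in from CSS (@font-face, background-image) or added by scripts.
func FindMixedContent(html string) []Finding {
	var out []Finding
	for _, m := range tagRe.FindAllStringSubmatch(html, -1) {
		tag, attrs := strings.ToLower(m[1]), m[2]
		if tag == "link" && !relStylesheetRe.MatchString(attrs) {
			continue
		}
		ref := httpRefRe.FindStringSubmatch(attrs)
		if ref == nil {
			continue
		}
		out = append(out, Finding{Tag: tag, URL: ref[1], Active: isActive(tag)})
	}
	return out
}

// CountBySeverity returns how many findings browsers block and how many they only warn about.
func CountBySeverity(findings []Finding) (active, passive int) {
	for _, f := range findings {
		if f.Active {
			active++
		} else {
			passive++
		}
	}
	return active, passive
}

// samplePage is constructed test input for this example, not markup from any real site.
const samplePage = `<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
</head><body>
<img src="//static.example.com/logo.png">
<img alt="banner" src="http://static.example.com/banner.jpg">
<iframe src="http://widgets.example.com/embed"></iframe>
<video controls><source src="http://media.example.com/intro.mp4"></video>
</body></html>`

func main() {
	findings := FindMixedContent(samplePage)
	for _, f := range findings {
		kind := "passive"
		if f.Active {
			kind = "active "
		}
		fmt.Printf("%s <%s> %s\n", kind, f.Tag, f.URL)
	}
	a, p := CountBySeverity(findings)
	fmt.Printf("%d active (blocked), %d passive (warned)\n", a, p)
}
```

Run it against a saved copy of a page (or a CMS template) to get a list you can hand to whoever owns the content. Fonts and background images referenced from CSS, and anything a script injects at runtime, are outside what a markup scan can see; for those the DevTools console remains the authoritative check.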
My SSL certificate covers example.com but not www.example.com. How do I fix it?
Your certificate needs both domains listed as Subject Alternative Names (SANs). When requesting a new certificate, explicitly include both:
For certbot: certbot --domains example.com,www.example.com
The certificate will then cover both. Check the certificate's current SAN list in ElasticDomain's SSL tab.
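The chain error in the earlier question and the missing www.example.com SAN in this one are, from the browser's side, two outcomes of the same certificate-path validation step. The Go program below is an added example, not part of this FAQ and not ElasticDomain's code: it builds a throwaway root, intermediate and leaf in memory (the CA names and serial numbers are made up for the example), then runs Go's standard-library verifier the way a browser would, trusting only the root and seeing only the intermediates the server sent. Serving cert.pem instead of fullchain.pem surfaces as "certificate signed by unknown authority"; a leaf without the www SAN surfaces as a hostname error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed root -> intermediate -> leaf hierarchy generated in memory for this example.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent using the parent's private key, then parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI issues a leaf whose Subject Alternative Names are exactly sans.
func BuildPKI(sans []string) PKI {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, "Example Test Root CA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	intermediate := sign(ca(2, "Example Test Intermediate CA"), root, &intKey.PublicKey, rootKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: sans[0]},
		DNSNames:    sans, // what the browser matches the typed hostname against
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour), // Let's Encrypt's 90-day lifetime
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, intermediate, &leafKey.PublicKey, intKey)
	return PKI{Root: root, Intermediate: intermediate, Leaf: leaf}
}

// VerifyAsBrowser validates the leaf the way a browser does: the trust store holds
// only the root, and the only intermediate available is the one the server sent.
// sentIntermediate=false models a server configured with cert.pem instead of fullchain.pem.
func VerifyAsBrowser(p PKI, hostname string, sentIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), DNSName: hostname}
	if sentIntermediate {
		opts.Intermediates.AddCert(p.Intermediate)
	}
	_, err := p.Leaf.Verify(opts)
	return err
}

// ChainIncomplete reports whether err is the "unknown authority" failure an incomplete chain produces.
func ChainIncomplete(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// SANMismatch reports whether err is a hostname-not-in-SANs failure.
func SANMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	p := BuildPKI([]string{"example.com"})
	fmt.Println("leaf only (cert.pem): ", VerifyAsBrowser(p, "example.com", false))
	fmt.Println("with intermediate:    ", VerifyAsBrowser(p, "example.com", true))
	fmt.Println("www, SAN missing:     ", VerifyAsBrowser(p, "www.example.com", true))
	both := BuildPKI([]string{"example.com", "www.example.com"})
	fmt.Println("www, both SANs:       ", VerifyAsBrowser(both, "www.example.com", true))
}
```

Telling the two error types apart matters: both produce the same kind of browser warning, but one is fixed in the web server config (send fullchain.pem) and the other needs a re-issued certificate with both names in --domains.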
What is HSTS and why does it matter for SSL?
HSTS (HTTP Strict Transport Security) tells browsers to only connect to your domain over HTTPS — even if the user types http://. Without HSTS, the first request after a user clears their browser cache goes over HTTP before being redirected to HTTPS, which is a window for SSL stripping attacks.
Add to your web server: Strict-Transport-Security: max-age=31536000; includeSubDomains
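A header that is present but malformed is silently ignored by browsers, so it is worth validating what the server actually sends. The following Go parser is an added example (not from this FAQ and not ElasticDomain's code): it parses a Strict-Transport-Security value along the lines of RFC 6797 and flags the misconfigurations that defeat the purpose described above, using the FAQ's own one-year max-age as the threshold. The preload directive, which the FAQ does not discuss, is a real directive used for the browser preload lists and is parsed but not required.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// HSTSPolicy is the parsed form of a Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            int64 // seconds the browser must keep forcing HTTPS
	IncludeSubDomains bool
	Preload           bool // opt-in to the browser preload lists (not covered by the FAQ)
}

// OneYear is the max-age the FAQ recommends (31536000 seconds).
const OneYear int64 = 31536000

// ParseHSTS parses a header value along the lines of RFC 6797 section 6.1:
// directives are ';'-separated, names are case-insensitive, max-age is
// mandatory, its value may be quoted, and a repeated directive invalidates the header.
func ParseHSTS(value string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seen := map[string]bool{}
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		if d == "" {
			continue
		}
		parts := strings.SplitN(d, "=", 2)
		name := strings.ToLower(strings.TrimSpace(parts[0]))
		val := ""
		if len(parts) == 2 {
			val = strings.Trim(strings.TrimSpace(parts[1]), `"`)
		}
		if seen[name] {
			return HSTSPolicy{}, fmt.Errorf("directive %q repeated", name)
		}
		seen[name] = true
		switch name {
		case "max-age":
			n, err := strconv.ParseInt(val, 10, 64)
			if err != nil || n < 0 {
				return HSTSPolicy{}, fmt.Errorf("invalid max-age value %q", val)
			}
			p.MaxAge = n
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		default:
			// RFC 6797: unrecognised directives are ignored, not errors
		}
	}
	if !seen["max-age"] {
		return HSTSPolicy{}, errors.New("max-age directive missing")
	}
	return p, nil
}

// CheckHSTS lists the problems a defender would raise with a header value.
func CheckHSTS(value string) []string {
	p, err := ParseHSTS(value)
	if err != nil {
		return []string{"browsers will ignore this header: " + err.Error()}
	}
	var issues []string
	switch {
	case p.MaxAge == 0:
		issues = append(issues, "max-age=0 tells browsers to forget the policy")
	case p.MaxAge < OneYear:
		issues = append(issues, fmt.Sprintf("max-age %d is below the recommended one year (%d)", p.MaxAge, OneYear))
	}
	if !p.IncludeSubDomains {
		issues = append(issues, "includeSubDomains missing: subdomains can still be reached over http://")
	}
	return issues
}

func main() {
	// Constructed header values: the FAQ's recommendation and two common misconfigurations.
	for _, v := range []string{
		"max-age=31536000; includeSubDomains",
		"max-age=0",
		"includeSubDomains",
	} {
		fmt.Printf("%-40q -> %v\n", v, CheckHSTS(v))
	}
}
```

Feed it the header value taken from a real response (for example from curl -sI https://yourdomain.com) rather than from the server config, since a reverse proxy or CDN in front of the origin can rewrite or drop the header.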
How often does ElasticDomain check my SSL certificate?
On every domain scan. The scan interval depends on your domain's configured check frequency (every 6 hours, 24 hours, or weekly). The SSL check makes a live TLS connection each time, so expiry dates and certificate changes are always up to date.