How to Fix 'Your Connection Is Not Private' and Other SSL Errors

The "Your connection is not private" warning means your browser could not establish a trusted, encrypted (HTTPS) connection to the site. The browser is doing its job: it will not send your data over a connection it cannot verify. The good news is that the message almost always points to a specific, fixable cause. If it is a site you run, start by inspecting the certificate with the SSL / TLS Check check, which shows the issuer, validity dates, and chain, enough to diagnose most of these errors.

Before touching the server, rule out the easy local causes. A wrong system clock is the most common, because TLS validation depends on the date, so if your device's clock is off, valid certificates look expired. Public Wi-Fi captive portals also trigger the warning, so open a plain http site to bring up the login page and then retry. A stale browser cache or a misbehaving extension can do it too, which you can test in an incognito window or another browser.

If the error appears on every device and every network, the problem is the site's certificate rather than your setup, and the sections below will pin down which one. If it only happens on one machine, the fix is almost always local.

An error like NET::ERR_CERT_DATE_INVALID means the certificate has expired, or is not valid yet. Certificates have a fixed lifespan and must be renewed, so confirm the expiry date with the SSL / TLS Check tool. The fix is to renew or reissue the certificate and reload it on the server. To prevent it from happening again, automate renewal with ACME (for example Certbot or your host's built-in Let's Encrypt integration) so certificates renew themselves before expiry.

Most "connection is not private" incidents are simply forgotten renewals, so automation plus an occasional manual check with the SSL / TLS Check tool against your domains eliminates the majority of outages.

NET::ERR_CERT_AUTHORITY_INVALID means the certificate is not signed by a Certificate Authority the browser trusts, usually because it is self-signed or because the intermediate certificate is missing from the chain. The fix is to install a certificate from a trusted CA (Let's Encrypt is free) and make sure you install the full chain, meaning your certificate plus the intermediate, not just the leaf certificate. The SSL / TLS Check tool shows whether the chain is complete.

A related error, NET::ERR_CERT_COMMON_NAME_INVALID or "certificate name mismatch," means the certificate is valid but issued for a different hostname than the one in the address bar, such as a certificate covering example.com when you visited www.example.com. The fix is to issue a certificate that covers every hostname you serve, including both the apex and www, or to use a wildcard. A name mismatch is sometimes really a DNS problem, where the hostname resolves to the wrong server, so verify with the DNS Lookup lookup if the certificate itself looks correct.

An error such as SSL_ERROR_NO_CYPHER_OVERLAP or a generic "handshake failed" means the browser and server could not agree on a TLS version or cipher, typically because the server only offers outdated protocols like TLS 1.0 or 1.1 that modern browsers reject. The fix is to enable TLS 1.2 and 1.3 on the server and disable the deprecated versions.

A "mixed content" warning, shown as a padlock with a caution mark, means the page loads over HTTPS but pulls some resources over plain HTTP. Update those resource URLs to https, and tighten it further with a Content-Security-Policy header. You can grade your headers, including CSP and HSTS, with the Security Headers tool.

Begin by inspecting the certificate: run the SSL / TLS Check check on the affected hostname and note the expiry date, the issuer, and whether the chain is complete. Match the error to the cause using the sections above, then reissue or repair, whether that means renewing an expired certificate, installing the full chain when the intermediate is missing, or reissuing with the correct hostnames for a name mismatch. If the symptom is a name mismatch, confirm the hostname actually points where you expect with the DNS Lookup lookup.

Finally, re-test. Reload the SSL / TLS Check tool and confirm the issuer is a trusted CA, the dates are valid, and the chain is complete, then check the site responds over HTTPS with the Website Status tool. If you renewed but still see the error, the server may still be serving the old certificate and needs a reload, or the new install is missing its intermediate.

Is "Your connection is not private" dangerous? It means the browser cannot verify the connection is secure. On a site you do not control, do not enter passwords or payment details until it is resolved. On a site you run, fix the certificate.

I renewed the certificate but still see the error. Why? The server may still be serving the old certificate and needs a reload or restart, or the new install is missing the intermediate chain. Re-check with the SSL / TLS Check tool.

Can I just click "proceed anyway"? Only if you understand and trust the specific cause, such as your own test server with a self-signed certificate. On public sites, treat the warning as a stop sign.

Does HTTPS cost money? No. Let's Encrypt issues trusted certificates for free, and most hosts automate the process so you rarely think about it.