When visiting a website and seeing a red screen in the browser saying "Your connection is not secure" or "NET::ERR_CERT_DATE_INVALID", it is an extremely unpleasant situation for both the site owner and the visitor. This error indicates a problem with the certificate and must be addressed immediately, because every minute of downtime causes loss of visitors and potential customers. In this article we will examine in detail the causes of all NET::ERR_CERT family errors and practical ways to fix them.
NET::ERR_CERT_DATE_INVALID error
This is the most common error, occurring when the certificate has expired or has not yet started. The browser compares the "Not Before" and "Not After" dates inside the certificate with the current date and if the current date is outside this range, throws an error. The solution is simple — renew the certificate immediately. But sometimes the problem is not on the server but in the incorrect date-time on the user's computer, so first check the time on your own device.
NET::ERR_CERT_AUTHORITY_INVALID error
This error means the certificate authority (CA) that issued the certificate is not trusted by the browser. There can be many reasons: a self-signed certificate is used, an intermediate certificate is not installed, or the certificate is genuinely issued by an untrusted CA. Often the cause is missing intermediate chain — Apache or Nginx configuration must specify the full fullchain.pem file. The SSL Labs test (ssllabs.com/ssltest) immediately detects this problem.
NET::ERR_CERT_COMMON_NAME_INVALID
This error occurs when the domain name in the certificate does not match the domain you are accessing. For example, the certificate is obtained for example.uz but you visit www.example.uz or vice versa. The solution is to add all necessary variants to the Subject Alternative Names (SAN) list or obtain a wildcard certificate. A wildcard certificate has the form *.example.uz and covers all subdomains, which is very convenient for projects with many subdomains.
NET::ERR_CERT_REVOKED and OCSP issues
If the certificate has been revoked by the CA, the browser displays this error. Certificates are usually revoked due to security compromise, key leak or owner request. A revoked certificate cannot be restored — a new one must be obtained and installed on the server. Also if the OCSP server is not responding, some browsers may produce errors, in which case enabling OCSP stapling solves the issue.
Sayt.uz practice
23% of Sayt.uz clients contact us with NET::ERR_CERT errors. Of these, 58% are expired certificates, 24% intermediate chain issues, 11% domain mismatch and 7% other causes. Our services prevent such errors: automatic renewal from 95,000 UZS/year, monitoring and alerts 40,000 UZS/year, professional installation 150,000 UZS one-time. Sayt.uz clients encounter certificate errors on average 0.3 times per 12 months, independent owners 4.7 times.