Why do SSL connection errors occur and how to fix them?
Often, when installing an SSL certificate, you can encounter many problems that prevent the HTTPS protocol from functioning normally.
In our blog, we will analyze the most common problems with SSL and ways to solve them.
So what exactly is SSL? SSL, the same Secure Socket Layer, is an Internet protocol that creates a closed connection on the user/server path.
If you connect to a resource, it requests server information about the certificate. He also responds positively if the certificate is present. Then the browser receives the same certificate. After that, the name, the validity period of the certificate, and the root certificate are checked.
Causes of SSL connection errors
If the work of the certificate is performed correctly, then the browser line will have a special icon:
The leading causes of these problems may be:
- The date and time on your device are set incorrectly;
- The SSL certificate is unreliable;
- Firewall or antivirus that does not allow access to the resource;
- Using QUIC;
- Old OS version;
- Old, outdated certificates ;
- The appearance of the "Invalid CSR" problem when generating a certificate from the control panel cloud provider.
Now, about each one separately.
Problem related to incorrect date and time
The validity period of the certificate will not be considered if the time and date on your device are not true.
If this is the cause of the problem, then the browser will display a message about the incorrect date and time, as shown in the screenshot below:
To get rid of this warning, you should adjust the time on your device. After the page is reloaded, the problem should disappear.
The "Unsecured SSL—certificate" problem
When you go to a web resource protected by the HTTPS protocol, a warning may appear that "the SSL certificate of the site is not trustworthy".
The set incorrect time, which we have analyzed above, is one of the reasons for this problem. Another reason may be that you do not have a root certificate. To fix this, you need to install a special GeoTrust Primary Certification Authority package, which will contain our missing root certificate.
To do this — after the race, you must:
- Using the Win+R combination, output the command line and enter this certmgr.msc command into it. Then click "Ok". You will see a window with the certificate centre.
- Next, you should open the "Trusted Root Certification Authorities" pool on the left. After that, select the "Certificates" folder, click on it PCM, and then click on "All tasks — import".
After that, you will start the certificate import wizard. Click on the "Next" button.
- Then select the "Overview" menu and specify the root certificate we downloaded. Click on "Next":
- After opening the next window, you should specify the item "Put all certificates in the next storage"/ Then click "Next". You have successfully imported your certificate.
Then reboot and check if you have this problem anymore.
Firewall or antivirus blocking your web resource
Sometimes a firewall can block resources. To check if your firewall blocks a certain one of them, you must disable it and re-visit the site again.
If you were able to connect, then you need to add it to the list of reliable web resources, and then it will work even with the firewall enabled.
Also, your certificate may be blocked by your antivirus tool. If this is the case, then disable SSL and HTTPS protocol verification in it, and then try to access the web resource.
If necessary, then add an exception for the antivirus in the form of the resource we need.
QUIC protocol enabled
QUIC is a protocol that is still in the experimental stage. It provides a fast internet connection. Its main function is to support multiple connections. You can disable this protocol in the browser configuration.
Now we will show you how to disable this protocol in Google Chrome:
- After opening the search engine, enter the chrome command://flags/#enable-quic;
- In the window that appears, it will be highlighted: Experimental QUIC protocol. To the right of this parameter, you will have a menu in which you will have to change the option to Disable.
- Next, make a reboot, and the problem should disappear.
This method works both on Apple's Mac OS and Microsoft's OS.
An old version of your OS
SSL may give an error because you have an old version or an un—updated OS. Most often it appears on older versions of Windows.
To get rid of this problem, all you need to do is install an update on your OS. After that, check whether the SSL certificate has started working correctly.
Using SSL Certificate version 3.0
Sometimes this problem may occur due to the use of outdated SSL protocol version 3.0 by web resources. For the browser to support the outdated protocol, you need to follow these steps:
- You have to open a browser and open "Settings" in it.
- Scroll down the page and select "Additional".
- In it, find the "System" section and select the "Proxy Server Settings" option and use the PCM to open it.
A settings window opens where you can configure your proxy.
- Then switch the parameter you need. Then click on "Ok" and then restart the browser.
Invalid CSR errors when generating a certificate from the cloud provider's control panel
While you are activating the certificate, there is a chance to get this problem: "Invalid CSR". The reasons for this problem may be:
- Invalid FQDN name, like Common Name. In this field, you need to specify the full domain name by type: domain.com or subdomain.domain.com (for subdomains). The domain name must be specified without https://. You cannot use intranet names (text.local). To request wildcard certificates, the domain name must be specified as *.domain.com .
- If any letters or numbers other than Latin letters are used in your CSR or password, special characters cannot be used in it either. This also applies to passwords for the CSR/RSA pair.
- If you have incorrectly specified the country code. The country code must be two—letter. For example UK, IO, BY, etc.
- If the control string has an incorrect number of characters. The CSR request must start with the control line —————BEGIN CERTIFICATE REQUEST————— and end with the control line —————END CERTIFICATE REQUEST—————. These lines should have 5 hyphens on each side.
- If spaces are incorrectly placed at the beginning or end of the CSR string. You cannot use a space at the end of a CSR line.
- If the number of characters in the key is incorrect. Its weight should be more than 256 bytes.
- If an incorrect name is used in the CRS code for the certificate for one domain name. For example, the SAN name. In the CSR code for a certificate designed to protect a single domain name, there should not be a SAN (Subject Alternative Names). SAN names are specified for multi—domain (UCC) certificates.
- If you have recreated or extended the certificate period, and the Common Name field has changed. This field must remain constant. This field should not change.