NET::ERR_CERT_INVALID: What It Means and How to Fix It

When Chrome shows NET::ERR_CERT_INVALID, it's telling you it doesn't trust the SSL certificate being presented by the website. The page might technically be loading, but Chrome is blocking it to protect you from a potentially insecure connection.

This can happen to visitors on sites you run, and it can happen to you when browsing. The fix depends on which side the problem is on.

What Is the SSL Certificate Invalid Error?

Chrome and other browsers maintain a list of trusted Certificate Authorities (CAs). When you visit an https:// site, the browser checks:

1. Is the certificate issued by a trusted CA?
2. Is it within its validity period (not expired)?
3. Does it match the domain you're visiting?
4. Is the certificate chain complete?

If any of these checks fail, Chrome shows NET::ERR_CERT_INVALID and blocks the page.

Common Causes

1. Self-Signed Certificate

A self-signed certificate is one that wasn't issued by a trusted CA — it was signed by itself. These are common in development environments but should never be used on production sites. Browsers don't trust them by default.

Fix for production: Replace with a certificate from a trusted CA. Let's Encrypt provides free, trusted certificates. See our guide to SSL certificates for how to set one up.

2. Expired Certificate

If the certificate's expiry date has passed, browsers reject it immediately. This is one of the most common causes of unexpected SSL errors — a certificate that was valid yesterday fails today.

Check expiry:

echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates

Fix: Renew or reissue the certificate. If using Let's Encrypt with Certbot, auto-renewal should handle this, but sometimes it fails silently. Check your renewal cron job.

Set up SSL monitoring to get alerted weeks before expiry — Domain Monitor does this automatically.

3. Domain Mismatch

The certificate is valid, but it's not issued for the domain you're visiting. For example:

• Certificate is for www.example.com but you're visiting example.com
• Certificate is for the old domain after a migration to a new one
• A wildcard certificate (*.example.com) doesn't cover the root domain

Fix: Issue a certificate that covers all variants of your domain. Let's Encrypt allows you to include multiple domain names in a single certificate (Subject Alternative Names).

4. Incomplete Certificate Chain

Your certificate is valid, but intermediate certificates that link it to a trusted root CA are missing. Some clients (particularly on mobile or older systems) can't complete the trust chain without the intermediates.

Fix: Check your server's SSL configuration. Most CAs provide a bundle file containing your certificate plus the intermediate certs. Ensure this full chain is configured in your web server.

Nginx:

ssl_certificate /path/to/fullchain.pem;  # Contains cert + intermediates
ssl_certificate_key /path/to/privkey.pem;

5. Wrong System Clock (Client-Side)

SSL certificates have validity periods. If your device's clock is significantly off (more than a few minutes), certificate validation fails even for valid certs — the browser thinks the cert is either not yet valid or already expired.

Check your system time and enable automatic time synchronisation.

6. Antivirus or Corporate Network SSL Inspection

Some antivirus tools and corporate network proxies perform "SSL inspection" — they decrypt, inspect, and re-encrypt HTTPS traffic using their own certificate. If their root certificate isn't trusted by Chrome on a specific device, the browser shows cert errors.

If this is happening on a corporate device, check with your IT team. On a personal machine, check what security software might be intercepting connections.

What to Do as a Website Owner

If visitors are reporting this error on your site:

1. Check your certificate is valid and not expired — run the openssl command above
2. Check the certificate covers all your domain variants — www and non-www, any subdomains you use
3. Verify the certificate chain — test with SSL Labs which checks chain completeness
4. Confirm your certbot/renewal process is working — if using Let's Encrypt, check that auto-renewal is set up and running
5. Set up SSL monitoring — so you know about certificate issues before your users do

What to Do as a Visitor

If you trust the site and believe it's a false positive:

• Check your system clock is correct
• Try a different browser or device
• If on a work network, contact IT — the corporate SSL inspection tool might need reconfiguring
• Do not click "Proceed anyway" on sites where you'll enter sensitive information (passwords, payment details)

The Best Fix: Don't Let It Happen

Most NET::ERR_CERT_INVALID incidents are preventable with a simple SSL monitoring setup. Domain Monitor checks your SSL certificate and alerts you well before it expires, so you can renew it while it's still valid and your visitors never see a warning.

Related Articles

• ERR_SSL_PROTOCOL_ERROR - What It Means and How to Fix It
• SSL Handshake Failed - What It Means and How to Fix It
• Mixed Content Error - What It Is and How to Fix It