惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
Scott Helme
Scott Helme
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
C
Cyber Attacks, Cyber Crime and Cyber Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Schneier on Security
I
Intezer
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
Cloudbric
Cloudbric
V2EX - 技术
V2EX - 技术
Google Online Security Blog
Google Online Security Blog
L
Lohrmann on Cybersecurity
Recent Commits to openclaw:main
Recent Commits to openclaw:main
L
LINUX DO - 热门话题
S
Secure Thoughts
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
Recent Announcements
Recent Announcements
Security Archives - TechRepublic
Security Archives - TechRepublic
Stack Overflow Blog
Stack Overflow Blog
罗磊的独立博客
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
K
Kaspersky official blog
阮一峰的网络日志
阮一峰的网络日志
博客园_首页
Latest news
Latest news
B
Blog
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
博客园 - 叶小钗
L
LangChain Blog
GbyAI
GbyAI
Last Week in AI
Last Week in AI
S
Security Affairs
Apple Machine Learning Research
Apple Machine Learning Research
N
Netflix TechBlog - Medium
Security Latest
Security Latest
Vercel News
Vercel News
Y
Y Combinator Blog
G
GRAHAM CLULEY
S
Securelist
T
Troy Hunt's Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
雷峰网
雷峰网

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
What SSL Error Means and How to Fix It
DevHelm · 2026-05-17 · via DEV Community

An SSL error means your browser or HTTP client could not complete the TLS handshake with the server. The connection was dropped before any data was exchanged. Instead of your page, your users see a full-screen warning — and most of them leave.

The term "SSL error" is a holdover. SSL (Secure Sockets Layer) was deprecated in 2015 when RFC 7568 declared SSL 3.0 obsolete. Every modern HTTPS connection uses TLS (Transport Layer Security) — versions 1.2 or 1.3. Browsers still display "SSL" in error codes because the names stuck, but the protocol under the hood is always TLS. Throughout this article, "SSL error" refers to any TLS handshake failure your browser surfaces.

What happens during a TLS handshake

When a browser connects to an HTTPS server, the TLS handshake negotiates a shared encryption key. The server presents its certificate, the browser verifies the chain of trust back to a root CA, checks the hostname, and confirms the certificate has not expired. If any step fails, the browser aborts and shows an error page.

The three most common failure points:

  1. Certificate validity — the cert is expired, not yet valid, or revoked
  2. Hostname mismatch — the cert was issued for api.example.com but the browser hit www.example.com
  3. Chain of trust — an intermediate certificate is missing, or the cert is self-signed

Understanding which step failed tells you exactly where to look.

Decode the error message — Chrome, Firefox, and Safari

Different browsers surface different error codes for the same underlying TLS failure. This table maps the most common ones:

Problem Chrome Firefox Safari
Expired certificate NET::ERR_CERT_DATE_INVALID SEC_ERROR_EXPIRED_CERTIFICATE "This certificate has expired"
Wrong hostname NET::ERR_CERT_COMMON_NAME_INVALID SSL_ERROR_BAD_CERT_DOMAIN "This certificate is not valid for the requested site"
Self-signed cert NET::ERR_CERT_AUTHORITY_INVALID SEC_ERROR_UNKNOWN_ISSUER "This certificate was signed by an unknown authority"
Incomplete chain NET::ERR_CERT_AUTHORITY_INVALID SEC_ERROR_UNKNOWN_ISSUER "This certificate is not trusted"
TLS version too old ERR_SSL_VERSION_OR_CIPHER_MISMATCH SSL_ERROR_UNSUPPORTED_VERSION Connection refused (no specific code)
Revoked certificate NET::ERR_CERT_REVOKED SEC_ERROR_REVOKED_CERTIFICATE "This certificate has been revoked"

If you see ERR_SSL_PROTOCOL_ERROR in Chrome, the server likely rejected the handshake outright — possibly because it only supports TLS 1.0/1.1 (both deprecated) or has a misconfigured cipher suite.

Fix 1 — Expired or not-yet-valid certificate

An expired certificate is the single most common cause of SSL errors. Certificates have a fixed validity window — typically 90 days for Let's Encrypt and up to 398 days for paid CAs.

Diagnose it with openssl:

openssl s_client -connect yoursite.com:443 -servername yoursite.com 2>/dev/null | openssl x509 -noout -dates

Enter fullscreen mode Exit fullscreen mode

Example output:

notBefore=Feb 15 00:00:00 2026 GMT
notAfter=May 16 23:59:59 2026 GMT

Enter fullscreen mode Exit fullscreen mode

If notAfter is in the past, the cert has expired.

Fix it:

  1. Renew the certificate through your CA or ACME client (certbot renew, for example)
  2. Reload your web server — sudo systemctl reload nginx or sudo systemctl reload apache2
  3. Verify the new cert is live: re-run the openssl command above and confirm the dates

If your cert is not yet valid (notBefore is in the future), either the cert was issued early and installed before activation, or your server clock is wrong. Check with date -u and sync via NTP if needed.

Fix 2 — Wrong hostname or missing SAN

Your certificate must cover the exact hostname the client connects to. A cert issued for example.com does not automatically cover www.example.com — that requires a Subject Alternative Name (SAN) entry.

Diagnose it:

openssl s_client -connect yoursite.com:443 -servername yoursite.com 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

Enter fullscreen mode Exit fullscreen mode

Example output:

X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com

Enter fullscreen mode Exit fullscreen mode

If the hostname your users hit is not listed, you need to reissue the certificate with the correct SANs — or use a wildcard cert (*.example.com). Wildcard certs cover one level of subdomains only; *.example.com matches api.example.com but not v2.api.example.com.

A common mistake: deploying behind a load balancer or CDN and forgetting that the cert on the edge must match the public hostname, not the origin hostname.

Fix 3 — Incomplete chain or self-signed certificate

Browsers verify certificates by walking the chain from your server cert through intermediate CAs to a trusted root. If an intermediate is missing, the chain breaks and the browser shows ERR_CERT_AUTHORITY_INVALID.

Diagnose the chain:

openssl s_client -connect yoursite.com:443 -servername yoursite.com -showcerts 2>/dev/null | grep "s:" | head -5

Enter fullscreen mode Exit fullscreen mode

A healthy chain shows your cert, then one or two intermediates, ending at the root:

s:CN = yoursite.com
s:CN = R11, O = Let's Encrypt
s:CN = ISRG Root X1, O = Internet Security Research Group

Enter fullscreen mode Exit fullscreen mode

If you see only your cert with no intermediates, your server is not sending the full chain. Fix it by concatenating the intermediate cert(s) with your server cert. For Nginx:

cat server.crt intermediate.crt > bundle.crt

Enter fullscreen mode Exit fullscreen mode

Then reference bundle.crt in your Nginx config's ssl_certificate directive and reload.

Self-signed certificates fail on public-facing sites because they are not issued by a trusted CA. Replace them with a cert from Let's Encrypt (free) or any recognized CA. Self-signed certs are fine for internal services — but add them to your internal trust store explicitly rather than telling users to "click through the warning."

Fix 4 — Mixed content and HSTS issues

Mixed content errors happen when an HTTPS page loads a resource (image, script, stylesheet) over plain HTTP. Modern browsers block mixed active content (scripts, iframes) entirely and show a broken padlock for mixed passive content (images).

Find mixed content using your browser's developer console (F12 → Console tab). The browser logs every blocked resource with its URL.

Fix it by updating hardcoded http:// URLs to https:// or using protocol-relative paths. If you use a CMS, update the site URL in settings.

HSTS (HTTP Strict Transport Security) adds another layer: once a browser has seen an HSTS header, it refuses to connect over HTTP at all — even if the cert is temporarily broken. If you deployed a broken cert and HSTS is active, users cannot click through the warning. The only fix is deploying a valid cert. You can inspect cached HSTS policies in Chrome at chrome://net-internals/#hsts.

Fix 5 — Client-side false positives

Not every SSL error is a server problem. Three common client-side causes:

  • System clock skew. Certificates are time-sensitive. If a laptop's clock is set to 2024, a cert valid from 2026 appears "not yet valid." Fix: enable automatic time sync in the OS.
  • Antivirus TLS inspection. Some antivirus software intercepts HTTPS connections by inserting its own root certificate. If the AV root is not trusted by the browser — or if the AV botches the re-encryption — the browser shows an SSL error. Temporarily disabling the AV's "web shield" or "HTTPS scanning" confirms this as the cause.
  • Corporate proxy. Transparent HTTPS proxies (common in enterprise networks) perform the same kind of TLS interception. The corporate root CA must be installed on the client machine. If it is not, every HTTPS site shows a certificate warning.

These are real scenarios, not edge cases. If users report SSL errors that you cannot reproduce, ask about their local environment first.

Prevent SSL errors with certificate monitoring

You have seen how certificates break: expiry, hostname mismatches, incomplete chains, mixed content, client-side false positives. Every one of these failures is predictable. Certificates do not expire by surprise — they have a fixed lifetime printed right in the X.509 data. The problem is never that the failure was unknowable. The problem is that nobody was watching.

The fix-then-forget cycle is the real trap. You renew the cert, confirm it works, and move on. Ninety days later, the same NET::ERR_CERT_DATE_INVALID reappears because the auto-renewal cron broke silently two weeks ago and nobody noticed until a customer opened a support ticket at 2 AM.

Here is how to build a monitor that catches every failure mode we covered — before your users do.

Set up two expiry thresholds, not one

Most monitoring setups check whether the certificate expires within some number of days and call it done. That is not enough. You need two thresholds: an early warning and a hard deadline.

Let's Encrypt certificates last 90 days. If auto-renewal is working, you will never think about expiry. But if it breaks — a DNS validation failure, a misconfigured certbot hook, a container rebuild that lost the renewal cron — you want to know at 30 days remaining, not the day it expires. A WARN-severity assertion at 30 days gives your team two full weeks to investigate and fix the renewal pipeline without any urgency. A FAIL-severity assertion at 14 days is the hard deadline: drop everything and renew manually, because you are two weeks from a full outage.

Validate the endpoint, not just the certificate

A valid certificate does not mean your site works. The cert could be fine while your origin returns 502s, or while a misconfigured cipher suite causes 15-second handshakes that make the page feel broken. Adding a status code check (expected: 200) and a response time threshold (thresholdMs: 2000) catches the class of problems where TLS technically succeeds but the user experience is degraded. Slow TLS handshakes often point to missing OCSP stapling, oversized certificate chains, or a server negotiating an expensive cipher when a faster one is available.

Monitor from multiple regions

This is the one most teams skip, and it is the one that bites hardest. If you run behind a CDN — Cloudflare, AWS CloudFront, Fastly — your certificates are managed per edge location. A cert that is perfectly valid on the us-east edge node might already be expired on an ap-south node because the edge cert rotation did not propagate uniformly. Checking from a single region gives you a false sense of security. Checking from us-east, eu-west, and ap-south catches regional cert failures before the affected users report them.

Pick the right check frequency

Certificates change slowly. Unlike an API endpoint that might go down and recover in seconds, certificate state transitions happen once every 90 days (or 398 days for paid CAs). Running SSL checks every 30 seconds is wasteful — you are burning check quota on a signal that changes a handful of times per year. A 5-minute interval (frequencySeconds: 300) gives you more than enough visibility. If a cert expires, you will know within 5 minutes. The trade-off is worth it: save the high-frequency checks for your API health endpoints where seconds matter.

The full config

Here is a DevHelm monitor that covers everything above — expiry thresholds, endpoint validation, multi-region checks, and a sensible frequency:

{
  "name": "production-ssl-health",
  "type": "HTTP",
  "frequencySeconds": 300,
  "regions": ["us-east", "eu-west", "ap-south"],
  "config": {
    "url": "https://yourapp.com",
    "method": "GET"
  },
  "assertions": [
    { "config": { "type": "status_code", "operator": "equals", "expected": 200 } },
    { "config": { "type": "response_time", "thresholdMs": 2000 } },
    { "config": { "type": "ssl_expiry", "minDaysRemaining": 14 } },
    { "config": { "type": "ssl_expiry", "minDaysRemaining": 30 }, "severity": "WARN" }
  ]
}

Enter fullscreen mode Exit fullscreen mode

The first two assertions confirm the endpoint is healthy and responsive. The third fires a critical alert at 14 days before expiry — your hard deadline. The fourth fires a warning at 30 days — your early warning that gives you time to fix the renewal pipeline without scrambling.

You can create this monitor from the CLI in one command:

devhelm monitor create --type http

Enter fullscreen mode Exit fullscreen mode

Or configure it through the dashboard. 50 monitors free, no credit card required.

Start monitoring free


Originally published on DevHelm.