SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE

Key idea:

This error means the intermediate CA certificate in your site's chain has expired, even though your own leaf certificate is still valid. The browser cannot verify the signature and shows "Secure connection failed". The fix is to refresh the intermediate in your web server bundle (Let's Encrypt fullchain.pem, Sectigo / DigiCert bundle, etc.).

Below: details, example, related terms, FAQ.

Details

  • Different from SEC_ERROR_EXPIRED_CERTIFICATE: there YOUR cert expired, here a CA in the chain did
  • Often happens after a server migration where only cert.pem was copied, not fullchain.pem
  • Inspect chain: openssl s_client -connect host:443 -servername host -showcerts
  • Each block in the output is a separate certificate; for each, openssl x509 -noout -dates shows notBefore/notAfter
  • Let's Encrypt: the right file is fullchain.pem (cert + intermediate), not cert.pem

Example

# Inspect the chain and dates
echo | openssl s_client -connect example.com:443 -servername example.com -showcerts 2>/dev/null | \
  awk '/BEGIN CERT/,/END CERT/' | csplit -z -f cert- - '/BEGIN CERT/' '{*}' >/dev/null

for f in cert-*; do
  echo "--- $f ---"
  openssl x509 -noout -subject -dates -issuer < "$f"
done

# If intermediate notAfter < today — refresh the bundle.
# nginx: ssl_certificate /path/to/fullchain.pem  (NOT cert.pem)
# Apache:
#   SSLCertificateFile     /path/to/cert.pem
#   SSLCertificateChainFile /path/to/chain.pem  (or fullchain in a single file)
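
Added example (not part of the original page): a Python parser for the output of the loop above that separates an expired leaf from an expired CA in the chain, and also flags a missing intermediate, a broken issuer link and certificates close to expiry. The finding codes, the 30-day warning default and the sample certificate names and dates are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

def parse_chain(text):
    """Parse the loop's output: a '--- file ---' header, then subject=/notBefore=/notAfter=/issuer=."""
    certs = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("--- "):
            certs.append({"file": line.strip("- ")})
        elif certs and (m := re.match(r"(subject|issuer|notBefore|notAfter)\s*=\s*(.*)", line)):
            key, value = m.group(1), " ".join(m.group(2).split())
            if key.startswith("not"):  # openssl prints e.g. "Sep  4 16:00:00 2025 GMT"
                value = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
            certs[-1][key] = value
    return [c for c in certs if "notAfter" in c]

def check_chain(text, now, warn_days=30):
    """Return (code, file, subject) findings. Position 0 is the leaf, the rest are CAs."""
    certs, findings = parse_chain(text), []
    if len(certs) < 2:  # typical after copying cert.pem instead of fullchain.pem
        findings.append(("NO_INTERMEDIATE", None, None))
    for i, cert in enumerate(certs):
        where = (cert["file"], cert.get("subject"))
        if cert["notAfter"] < now:
            # Firefox: leaf -> SEC_ERROR_EXPIRED_CERTIFICATE, CA -> SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
            findings.append(("EXPIRED_LEAF" if i == 0 else "EXPIRED_ISSUER", *where))
        elif (cert["notAfter"] - now).days <= warn_days:
            findings.append(("EXPIRING_SOON", *where))
        if i + 1 < len(certs) and cert.get("issuer") != certs[i + 1].get("subject"):
            findings.append(("BROKEN_LINK", *where))  # next cert did not issue this one
    return findings

# Constructed sample output (names and dates are made up, not from a real CA).
SAMPLE = """\
--- cert-00 ---
subject=CN = www.example.test
notBefore=May  1 00:00:00 2025 GMT
notAfter=Jul 30 00:00:00 2025 GMT
issuer=C = XX, O = Example CA, CN = Example Intermediate R1
--- cert-01 ---
subject=C = XX, O = Example CA, CN = Example Intermediate R1
notBefore=Jun  1 00:00:00 2020 GMT
notAfter=Jun  1 00:00:00 2025 GMT
issuer=C = XX, O = Example CA, CN = Example Root
"""

if __name__ == "__main__":
    print(*check_chain(SAMPLE, datetime.now(timezone.utc)), sep="\n")
```

To use it on a real host, save the loop's output to a file and pass its contents to check_chain together with the current UTC time.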

Related

TL;DR: Fixing SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE in Firefox

The SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE error in Firefox indicates that the certificate issuer's certificate is no longer valid. To resolve this issue, ensure that your server's SSL/TLS certificate is up to date and that the certificate chain is correctly configured. You can check the certificate's validity using the command openssl s_client -connect yourdomain.com:443 -showcerts and replace any expired certificates with valid ones.

Understanding SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE

The SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE error occurs when a web browser, such as Firefox, encounters an SSL/TLS certificate that is issued by a Certificate Authority (CA) whose own certificate has expired. This can lead to security warnings, preventing users from accessing your site. The issue can stem from an outdated root certificate or an intermediate certificate that has expired.

To better understand the error, consider the following factors:

  • Certificate Chain: SSL/TLS certificates are often part of a chain, where your server's certificate is linked to an intermediate certificate, which in turn is linked to a root certificate. If any of these certificates in the chain are expired, the browser will flag the entire chain as untrusted.
  • Root Certificates: Browsers and operating systems maintain a list of trusted root certificates. If your issuer's root certificate is not present or is expired, users will encounter the SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE error.
  • Intermediate Certificates: It is crucial to ensure that all intermediate certificates are properly installed on your server. Missing or expired intermediates can cause the browser to fail to validate your SSL/TLS certificate.

As a best practice, regularly check the certificate chain and update any expired certificates to maintain a secure connection for users.

Steps to Resolve SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE

To fix the SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE error in Firefox, follow these steps:

  1. Check Your Certificate Chain: Use the following command to inspect your SSL/TLS certificate chain:

     openssl s_client -connect yourdomain.com:443 -showcerts

     This command will display the entire certificate chain. Look for any certificates marked as 'not valid' or 'expired'.

  2. Update Expired Certificates: If you find any expired certificates, obtain updated versions from your CA. Ensure that you receive the complete certificate chain, including the intermediate certificates.

  3. Install the Updated Certificates: Replace the expired certificates on your server. If you're using Apache, update your configuration file (e.g., httpd.conf or ssl.conf) with the paths to the new certificate files:

     SSLCertificateFile /path/to/your_domain.crt
     SSLCertificateKeyFile /path/to/your_domain.key
     SSLCertificateChainFile /path/to/intermediate.crt

     Restart your web server to apply the changes:

     sudo systemctl restart apache2

  4. Verify the Installation: After updating, verify that the new certificates are correctly installed by running the openssl command again. Ensure there are no errors in the certificate chain.

  5. Clear Browser Cache: Sometimes, cached data may cause Firefox to continue displaying the error. Clear your browser cache and cookies by navigating to Settings > Privacy & Security > Cookies and Site Data > Clear Data.

By following these steps, you should successfully resolve the SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE error and restore secure access to your website for Firefox users.

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and known vulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

  • DevOps: SSL certificate monitoring
  • Security: TLS config audit
  • SEO: HTTPS as ranking factor
  • E-commerce: customer trust

Common Mistakes

  • Expired certificate: Browsers block sites with expired SSL. Set up auto-renewal or monitoring.
  • Incomplete certificate chain: Without intermediate CA, some browsers and bots cannot verify the certificate.
  • Mixed content on HTTPS site: HTTP resources on an HTTPS page; the browser lock icon disappears, reducing trust.
  • Using TLS 1.0/1.1: Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
  • Domain mismatch in certificate: The certificate must cover all site domains, including www and subdomains.

Best Practices

  • Set up auto-renewal: Let's Encrypt + certbot with cron; certificate renews automatically every 60-90 days.
  • Enable HSTS: Strict-Transport-Security header forces browsers to always use HTTPS.
  • Use TLS 1.3: TLS 1.3 is faster (1-RTT handshake) and safer; legacy ciphers removed.
  • Monitor expiration dates: Create a monitor on Enterno.io and get notified well before expiration.
  • Verify chain after renewal: After certificate renewal, confirm that intermediate certificates are installed.

Frequently Asked Questions

Can users "fix" this in the browser?

No. This is a server-side issue, and the "accept the risk" button does not appear (Firefox blocks hard). Only refreshing the bundle on the server works.

How long is the Let's Encrypt intermediate valid?

Current R3 intermediate (since 2024-09): valid until 2029-09. Before that, X3 since 2021-09. certbot auto-renew refreshes both leaf and intermediate.

Why does Chrome not show the error?

Chrome may have the intermediate in its own CRLite cache and complete the chain itself. Firefox strictly requires the full bundle from the server.
