Chrome / Firefox / Safari SSL Errors Reference

Breakdown of the 11+ most common SSL/TLS errors: NET::ERR_CERT_AUTHORITY_INVALID, ERR_CERT_DATE_INVALID, SSL_ERROR_PROTOCOL_ERROR, Mixed Content and more. Causes, step-by-step fixes and an online checker.

"Trust anchor for certification path not found"

Key idea: Android throws this (java.security.cert.CertPathValidatorException) when the server certificate is signed by a CA missing from the Android system truststore. Three causes…

SSL_ERROR_BAD_CERT_DOMAIN: Firefox Equivalent of CN_INVALID

TL;DR: SSL_ERROR_BAD_CERT_DOMAIN is a Firefox error, the equivalent of Chrome's ERR_CERT_COMMON_NAME_INVALID. The SSL certificate does not cover the current domain. Fix: reiss…

curl (77) problem with the SSL CA cert

Key idea: curl exits with 77 (CURLE_SSL_CACERT_BADFILE) when the CA bundle file it was pointed at is missing or unreadable. Three causes: (1) /etc/ssl/certs/ca-certificates.crt mis…

ERR_ADDRESS_UNREACHABLE: Diagnosis

Key idea: ERR_ADDRESS_UNREACHABLE — Chrome could not establish a TCP connection to the IP. Below the TLS layer. Causes: DNS returned wrong IP, routing issue (server down/no interne…

ERR_BLOCKED_BY_RESPONSE: Causes & Fix

Key idea: ERR_BLOCKED_BY_RESPONSE — Chrome blocks a resource due to mismatched Cross-Origin-* headers. Usually COEP (Cross-Origin-Embedder-Policy), COOP (Cross-Origin-Opener-Policy…

NET::ERR_CERT_AUTHORITY_INVALID Error: Causes and Solution

TL;DR: NET::ERR_CERT_AUTHORITY_INVALID means Chrome/Edge does not trust the site's SSL certificate — the certificate chain does not lead to a trusted root CA. 90% of cases are caus…

ERR_CERT_COMMON_NAME_INVALID: Domain Mismatch

TL;DR: ERR_CERT_COMMON_NAME_INVALID (NET::ERR_CERT_COMMON_NAME_INVALID) means the requested domain is not listed in the certificate's SAN field. Example: cert issued for examp…

ERR_CERT_DATE_INVALID: Expired SSL and How to Renew

TL;DR: ERR_CERT_DATE_INVALID means the site's SSL certificate expired or isn't yet valid. 95% of cases: missed Let's Encrypt renewal or forgotten auto-renew cron. Fi…

NET::ERR_CERT_INVALID: Details

Key idea: NET::ERR_CERT_INVALID — Chrome's generic category for any cert validation failure (more specific: AUTHORITY_INVALID, DATE_INVALID, COMMON_NAME_INVALID). If you only see g…

CAA Violation: Certificate Not Authorized

Key idea: CAA (Certificate Authority Authorization) violation — the domain's DNS CAA record does not permit the specified CA to issue a cert. Let's Encrypt, DigiCert and others che…

NET::ERR_CERT_REVOKED: What Happened

Key idea: NET::ERR_CERT_REVOKED — your CA (Let's Encrypt, DigiCert) revoked the SSL certificate. Serious: clients can't connect at all. Causes: compromised private key, mis-issuanc…

ERR_CERT_SYMANTEC_LEGACY: Legacy Certificate

Key idea: NET::ERR_CERT_SYMANTEC_LEGACY — Chrome 70+ (October 2018) automatically distrusts certificates from Symantec, VeriSign, Thawte, GeoTrust and RapidSSL issued before Decemb…

NET::ERR_CERT_VALIDITY_TOO_LONG: Fix Guide

Key idea: NET::ERR_CERT_VALIDITY_TOO_LONG appears when an SSL certificate is issued for > 398 days. Since September 2020, Apple, Google and Mozilla reject certs longer than that — …

ERR_CERT_WEAK_SIGNATURE_ALGORITHM: Obsolete SHA-1/MD5

TL;DR: ERR_CERT_WEAK_SIGNATURE_ALGORITHM means the SSL certificate is signed with an obsolete algorithm (SHA-1, MD5, MD2). Chrome blocks such certificates since 2017. Fix: reissue …

ERR_CONNECTION_RESET: Causes & Fix

Key idea: ERR_CONNECTION_RESET means Chrome received TCP RST during TLS handshake or active session. Causes: firewall (local or ISP) drops a packet, antivirus with TLS inspection m…

ERR_DNS_MALFORMED_RESPONSE

Key idea: ERR_DNS_MALFORMED_RESPONSE — Chrome DNS resolver received a response that does not conform to DNS wire format. Causes: upstream resolver bug (rare), DNSSEC validation fai…

ERR_ECH_REQUIRED

Key idea: ERR_ECH_REQUIRED — rare error (Chrome 123+): server signals it requires ECH (Encrypted Client Hello, RFC 9460) for the connection, but client either does not support it o…

ERR_EMPTY_RESPONSE: The Server Sent Nothing

Key idea: ERR_EMPTY_RESPONSE means the server accepted the TCP connection but closed it without sending an HTTP response. Typical for PHP-FPM/Apache crashes, nginx timeouts toward …

ERR_HPACK_DECODING_FAILED

Key idea: ERR_HPACK_DECODING_FAILED — HTTP/2 client could not decompress HPACK-encoded headers. HPACK — Huffman-based header compression for HTTP/2 (RFC 7541). Error: server sent m…

ERR_HTTP_RESPONSE_CODE_FAILURE: What It Means

Key idea: NET::ERR_HTTP_RESPONSE_CODE_FAILURE — Chrome expected HTTP 2xx/3xx when loading a subresource (stylesheet, script, image) but got 4xx/5xx. Often appears on preload links,…

ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

Key idea: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY — Chrome refused an HTTP/2 connection because the TLS setup does not meet RFC 7540 requirements: TLS 1.2 minimum, AEAD cipher (GCM…

ERR_HTTP2_PROTOCOL_ERROR: Causes & Fixes

Key idea: ERR_HTTP2_PROTOCOL_ERROR — Chrome/Firefox got an RST_STREAM frame from an HTTP/2 server. Causes: max_header_list_size exceeded (usually 8KB), flow control broken, bug in …

ERR_ICANN_NAME_COLLISION

Key idea: ERR_ICANN_NAME_COLLISION — ICANN-level warning. Your internal network uses a domain (.corp, .home, .lan) that became a public TLD after ICANN gTLD expansion (2013+). Now …

ERR_INCOMPLETE_CHUNKED_ENCODING

Key idea: ERR_INCOMPLETE_CHUNKED_ENCODING — HTTP/1.1 Transfer-Encoding: chunked response not completed (missing final "0\r\n\r\n" chunk). Causes: backend crash mid-stream, nginx pr…

ERR_QUIC_HANDSHAKE_FAILED

Key idea: ERR_QUIC_HANDSHAKE_FAILED — initial cryptographic handshake in QUIC failed. QUIC uses TLS 1.3 (mandatory), so all TLS 1.3 handshake errors can manifest. Usually: server c…

ERR_QUIC_PROTOCOL_ERROR

Key idea: ERR_QUIC_PROTOCOL_ERROR — Chrome detected a violation of QUIC protocol at TLS/transport layer. Causes: CDN Alt-Svc header points to a broken QUIC endpoint, middlebox (ent…

ERR_QUIC_TIMEOUT

Key idea: ERR_QUIC_TIMEOUT — QUIC session did not complete handshake or idle timeout exceeded. Causes: significant packet loss (>5% UDP drop), slow network (

ERR_SSL_BAD_HANDSHAKE_HASH_VALUE

Key idea: ERR_SSL_BAD_HANDSHAKE_HASH_VALUE — client detected a hash mismatch in the TLS handshake. May indicate MITM or packet corruption. More often: legacy cipher suite with SHA-…

ERR_SSL_BAD_RECORD_MAC_ALERT: Causes & Fix

Key idea: ERR_SSL_BAD_RECORD_MAC_ALERT means the client or server received a TLS record with an invalid MAC (Message Authentication Code). The data was corrupted in transit: networ…

ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: Fix

Key idea: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED appears in mTLS (mutual TLS) when the server requests a client cert but the client cannot sign the challenge. Causes: smart card/eTok…

ERR_SSL_DECOMPRESSION_FAILURE_ALERT: What It Is

Key idea: ERR_SSL_DECOMPRESSION_FAILURE_ALERT — TLS alert 30. Historically appeared when client and server failed to agree on compression. Rarely seen in 2026: TLS compression is o…

ERR_SSL_KEY_USAGE_INCOMPATIBLE: Fix Guide

Key idea: ERR_SSL_KEY_USAGE_INCOMPATIBLE means the certificate does not include TLS Web Server Authentication (OID 1.3.6.1.5.5.7.3.1) in extKeyUsage. Chrome considers such a cert u…

ERR_SSL_OBSOLETE_VERSION: Fix

Key idea: ERR_SSL_OBSOLETE_VERSION — Chrome 84+ (July 2020) blocks HTTPS connections to servers supporting only TLS 1.0 or 1.1. Causes: old nginx/Apache, legacy IIS 7, embedded dev…

ERR_SSL_OCSP_INVALID_RESPONSE

Key idea: ERR_SSL_OCSP_INVALID_RESPONSE — Chrome received an OCSP response but it is corrupted, expired (> 7 days), or signed by the wrong responder cert. Fix: disable ssl_stapling…

ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN: Fix

Key idea: NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN means the browser expected a specific public key (HPKP or Certificate Transparency static pin) in the cert chain but it is missi…

ERR_SSL_PROTOCOL_ERROR: TLS Incompatibility Causes and Fix

TL;DR: ERR_SSL_PROTOCOL_ERROR means the browser and server cannot agree on a TLS version or cipher. Common causes: server only supports TLS 1.0/1.1 (deprecated in Chrome 90+), inco…

ERR_SSL_RENEGOTIATION_NOT_SUPPORTED

Key idea: ERR_SSL_RENEGOTIATION_NOT_SUPPORTED — server requested renegotiation (rekey), but the client (or protocol) does not support it. TLS 1.3 removed renegotiation entirely (se…

ERR_SSL_SERVER_CERT_BAD_FORMAT

Key idea: ERR_SSL_SERVER_CERT_BAD_FORMAT — browser could not parse the server certificate. ASN.1/DER encoding error, truncated cert, base64 issue, or non-standard extensions. Fix: …

ERR_SSL_UNRECOGNIZED_NAME_ALERT

Key idea: ERR_SSL_UNRECOGNIZED_NAME_ALERT — TLS alert 112: server has no cert for the requested SNI hostname. Causes: misconfigured nginx (missing server_name), Cloudflare Workers …

ERR_SSL_UNRECOGNIZED_NAME_ALERT: What It Means

Key idea: ERR_SSL_UNRECOGNIZED_NAME_ALERT means the server returned TLS alert 112 (unrecognized_name) because the domain requested via SNI is not configured. Causes: domain missing…

ERR_SSL_VERSION_OR_CIPHER_MISMATCH: Causes & Fix

Key idea: ERR_SSL_VERSION_OR_CIPHER_MISMATCH means the browser could not negotiate a TLS version or cipher with the server. Causes: server on outdated TLS 1.0/1.1 (Chrome 84+ disab…

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

Key idea: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY — Chrome detected the server using a Diffie-Hellman ephemeral key below 1024 bits (Logjam attack, 2015). Precomputation lets an attac…

ERR_TLS_CERT_VALIDATION_TIMED_OUT

Key idea: ERR_TLS_CERT_VALIDATION_TIMED_OUT — Chrome could not check cert revocation status via OCSP/CRL in reasonable time. Usually happens when CA OCSP responder is down or slow.…

ERR_TOO_MANY_REDIRECTS: Fixing the Loop

Key idea: ERR_TOO_MANY_REDIRECTS (Chrome) / "Too many redirects" (Firefox) — browser stopped following redirects after 10+ hops. Causes: server block A redirects to HTTPS, server b…

SEC_ERROR_OCSP_OLD_RESPONSE

Key idea: Firefox/NSS throws this when the server returned an OCSP Stapling response with nextUpdate in the past (stale). Usual cause — the server's OCSP cache expired and nginx/ap…

HSTS Error: Browser Blocked by HSTS Policy

TL;DR: HSTS Error means the site is on the HSTS preload list but currently has a broken SSL. Chrome won't allow bypassing the warning (security feature). Owner fix: repair the…

PKIX path building failed (Java)

Key idea: Java SSLException "PKIX path building failed: unable to find valid certification path to requested target" — Java cannot build the trust chain. JVM truststore ($JAVA_HOME…

Mixed Content: HTTPS Page Loading HTTP Resources

TL;DR: Mixed Content means an HTTPS page loads resources (JS, CSS, images, iframes) over HTTP. Chrome blocks active mixed content entirely; passive triggers a warning. Fix: replace…

MOZILLA_PKIX_ERROR_MITM_DETECTED in Firefox

Key idea: MOZILLA_PKIX_ERROR_MITM_DETECTED — Firefox saw a suspicious certificate on a domain with pinned keys (google.com, facebook.com, etc). Not a baseline SSL warning — Firefox…

MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

Key idea: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING — cert carries the tlsfeature extension (RFC 7633) with OCSP Must-Staple flag, but the server is not stapling an OCSP resp…

MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

Key idea: The certificate is signed by itself, not by a trusted CA chain. Firefox cannot verify authenticity and blocks the page. For production: get a real cert (Let's Encrypt is …

ERR_CERTIFICATE_TRANSPARENCY_REQUIRED: Fix

Key idea: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED — since October 2017 Chrome requires every public SSL cert to be logged in Certificate Transparency (CT). Cert without an SCT (…

NET::ERR_INVALID_HTTP_RESPONSE

Key idea: NET::ERR_INVALID_HTTP_RESPONSE — Chrome received a response from server that does not parse as valid HTTP. Causes: Content-Length does not match body size, invalid header…

NSURLErrorServerCertificateUntrusted: iOS Fix

Key idea: NSURLErrorServerCertificateUntrusted (code -1202) — the iOS/macOS Foundation Network layer rejected the server SSL cert. Cause: self-signed, expired, untrusted CA, empty …

Python ssl.SSLCertVerificationError

Key idea: Python requests/urllib3 fails with ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] unable to get local issuer certificate. Python takes its CA bundle from …

SSL_ERROR_RX_RECORD_TOO_LONG: Non-TLS Response

TL;DR: SSL_ERROR_RX_RECORD_TOO_LONG means Firefox expected TLS but received HTTP or other plain text. 90% of cases: server is listening on port 443 as HTTP (not HTTPS). Check your …

Schannel 0x80072f7d

Key idea: HRESULT 0x80072F7D = WININET_E_SECURITY_CHANNEL_ERROR — Windows Schannel (TLS stack) failed to establish the connection. Four causes: (1) server requires TLS 1.2/1.3, Win…

SEC_ERROR_CA_CERT_INVALID

Key idea: SEC_ERROR_CA_CERT_INVALID — Firefox treats the intermediate/root CA cert as invalid. Causes: expired CA cert, malformed DER encoding, deprecated CA (Symantec 2018), root …

SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE

Key idea: This error means the intermediate CA certificate in your site's chain has expired, even though your own leaf certificate is still valid. The browser cannot verify the sig…

SEC_ERROR_INADEQUATE_KEY_USAGE

Key idea: SEC_ERROR_INADEQUATE_KEY_USAGE — Firefox: cert carries a Key Usage extension (keyUsage) but lacks the required bits for server auth. Needed: digitalSignature + keyEnciphe…

SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION

Key idea: SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION — cert carries an X.509 extension marked critical=TRUE, but Firefox does not recognise the OID. Per RFC 5280, a client MUST reject ce…

SEC_ERROR_UNKNOWN_ISSUER in Firefox: Fix Guide

Key idea: SEC_ERROR_UNKNOWN_ISSUER means Firefox does not trust the SSL certificate issuer. Firefox ships its own Mozilla trust store (≠ system store), so regional or corporate CAs…

SSL_ERROR_NO_CIPHER_OVERLAP

Key idea: Firefox could not find a common cipher suite with your server during the TLS handshake. In 2026 this error usually means the server supports only TLS 1.0/1.1 (Firefox dis…

SSL_ERROR_NO_CYPHER_OVERLAP in Firefox

Key idea: SSL_ERROR_NO_CYPHER_OVERLAP — Firefox (same as ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome) could not agree on a TLS cipher suite with the server. Both sides have allowe…

SSL_ERROR_NO_RENEGOTIATION

Key idea: SSL_ERROR_NO_RENEGOTIATION — Firefox tried to renegotiate the TLS session (e.g. for client cert auth on a specific path), but the server refused. Renegotiation is depreca…

SSL_ERROR_PROTOCOL_VERSION_ALERT: Causes

Key idea: SSL_ERROR_PROTOCOL_VERSION_ALERT — TLS alert 70 (protocol_version). Server does not support the requested TLS version. Typically happens when the browser tries TLS 1.3 bu…

SSL_ERROR_RX_UNKNOWN_RECORD_TYPE

Key idea: SSL_ERROR_RX_UNKNOWN_RECORD_TYPE — Firefox received a TLS record with unknown content type (not 20, 21, 22, 23, 24). Frequent: MITM proxy inserting garbage, HTTP error pa…

SSL Handshake Failed: TLS Connection Setup Failure

TL;DR: SSL Handshake Failed means the TLS handshake between client and server did not complete. Causes: outdated SNI, TLS version mismatch, client certificate required, time skew &…

Want to suggest a topic? Open an issue on GitHub or email support@enterno.io.