Common SSL Configuration Errors and How to Fix Them
The SSL configuration mistakes that bite teams in production, in plain English.
Getting a certificate is the easy part. Configuring SSL correctly is where most teams trip up. Here are the configuration errors we see most often, in plain English, with the fix for each one.
Why configuration matters as much as the certificate
Think of a house with a strong front door (the certificate) but unlocked windows everywhere else (the configuration). The thief still walks in. SSL works the same way: a perfect certificate over a weak configuration is a false sense of security.
1. Incomplete certificate chain
What it is: your server sends only the leaf certificate, not the intermediates.
Why it breaks: browsers need the full chain to verify your site’s identity. Desktop browsers sometimes cache intermediates and still work; mobile and command-line tools do not. The result is the classic “works for me but not in production.”
The fix: install the full chain bundle from your CA. Most CAs provide a single fullchain.pem file. Use that one - not the leaf-only file.
2. Outdated TLS protocols (SSL 3.0, TLS 1.0, TLS 1.1)
What it is: your server still accepts very old protocol versions.
Why it breaks: these protocols have known weaknesses. PCI DSS, HIPAA, and most other compliance frameworks no longer allow them. Auditors will fail you.
The fix: disable everything below TLS 1.2. Modern config should support TLS 1.2 and TLS 1.3 only.
3. Weak ciphers
What it is: your server still negotiates encryption with old, weak algorithms (RC4, 3DES, export-grade ciphers).
Why it breaks: a strong protocol with weak ciphers is like a vault door with a paper lock. Modern attacks can break them.
The fix: use modern cipher suites only. The Mozilla SSL Configuration Generator is a good starting point - pick “intermediate” for most sites, “modern” if you can drop older clients.
4. Wrong hostname on certificate
What it is: the certificate covers example.com but not www.example.com (or vice versa).
Why it breaks: visitors get a hostname-mismatch warning on the variant that is missing. Half your traffic could be hitting the broken one.
The fix: reissue the certificate with every hostname listed. Wildcard certificates (*.example.com) cover all subdomains one level down (www.example.com, but not example.com itself).
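The hostname-matching rule browsers apply when they compare the site name against the certificate's Subject Alternative Names, written out in Python. This is an added example, not code from the original guide; the site names and SAN lists are constructed, and it goes one step past the text by showing that a wildcard covers exactly one label.

```python
# Added example, not code from the original article: the hostname-matching rule
# browsers apply when comparing the site name against the certificate's Subject
# Alternative Names (dNSName entries). Hostnames and SAN lists below are constructed.


def matches_pattern(hostname, pattern):
    """Does one SAN entry cover one hostname?
    Comparison is case-insensitive; a wildcard is honoured only as the entire leftmost
    label and it stands for exactly one label, so *.example.com covers www.example.com
    but neither example.com itself nor a.b.example.com."""
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    if "*" in pattern:
        # Partial wildcards (w*.example.com) and wildcards past the first label are not honoured.
        if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
            return False
        # A *.com style pattern would cover every site under a TLD; refuse it.
        if len(pat_labels) < 3:
            return False
        return host_labels[1:] == pat_labels[1:]
    return host_labels == pat_labels


def hostname_matches(hostname, san_names):
    """True when at least one SAN entry covers the hostname."""
    return any(matches_pattern(hostname, p) for p in san_names)


def missing_hostnames(required, san_names):
    """Which of the names a site must answer on are not covered by the certificate."""
    return [h for h in required if not hostname_matches(h, san_names)]


if __name__ == "__main__":
    # Constructed: the three names a site answers on, checked against three possible SAN lists.
    site_names = ["example.com", "www.example.com", "api.example.com"]
    for sans in (["example.com"], ["*.example.com"], ["example.com", "*.example.com"]):
        print(sans, "-> missing:", missing_hostnames(site_names, sans))
```

Running it shows the two common half-fixes: a certificate for only example.com leaves www and api uncovered, a wildcard-only certificate leaves the bare domain uncovered, and only the third list covers everything.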
5. No HTTP-to-HTTPS redirect
What it is: your site is reachable on both http:// and https:// and serves the same content.
Why it breaks: visitors who type the URL or follow an old link land on plain HTTP. No encryption. Also, Google treats the two as separate URLs and may split your SEO authority.
The fix: 301 redirect every HTTP request to HTTPS, and set the HSTS header so browsers remember to use HTTPS on later visits.
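A small lint pass that checks a server block for four of the mistakes above at once: the leaf-only certificate file (item 1), protocols below TLS 1.2 (item 2), weak cipher suites (item 3), and the missing HTTP-to-HTTPS redirect and HSTS header (item 5). This is an added example, not code from the original guide or from any scanner it mentions; it assumes nginx-style directive names (ssl_protocols, ssl_ciphers, ssl_certificate, return, add_header), and the two config fragments and PEM bundles are constructed.

```python
import re

# Added example, not code from the original article: a lint pass over an
# nginx-style server block for four of the listed mistakes. Directive names
# follow nginx; the config text and PEM bundles below are constructed.

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # anything below TLS 1.2
WEAK_CIPHER_TOKENS = ("RC4", "DES", "EXP", "NULL", "MD5")       # DES also catches 3DES, EXP catches EXPORT
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certificates(pem_text):
    """Number of certificate blocks in a PEM file; a leaf-only file has exactly one."""
    return len(PEM_CERT_RE.findall(pem_text))


def parse_directives(config_text):
    """Map each directive name to the list of argument strings it was given.
    Comments are dropped; braces parse as directives we never look up, so they are harmless."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, args = parts[0], (parts[1] if len(parts) > 1 else "")
        found.setdefault(name, []).append(args.strip())
    return found


def lint_config(config_text, cert_pem):
    """Return a list of findings; an empty list means the config passes these checks."""
    d = parse_directives(config_text)
    findings = []

    # 1. Incomplete chain: the file named by ssl_certificate must hold leaf + intermediates.
    if count_pem_certificates(cert_pem) < 2:
        findings.append("incomplete chain: certificate file holds only the leaf; install fullchain.pem")

    # 2. Outdated protocols: anything below TLS 1.2.
    for args in d.get("ssl_protocols", []):
        old = sorted(set(args.split()) & DEPRECATED_PROTOCOLS)
        if old:
            findings.append("outdated protocols enabled: " + ", ".join(old))

    # 3. Weak ciphers: any suite naming a weak algorithm, unless listed as an exclusion (!...).
    for args in d.get("ssl_ciphers", []):
        weak = [s for s in args.strip("'\"").split(":")
                if not s.startswith("!") and any(t in s.upper() for t in WEAK_CIPHER_TOKENS)]
        if weak:
            findings.append("weak cipher suites enabled: " + ", ".join(weak))

    # 5. HTTP-to-HTTPS redirect and HSTS.
    if not any(a.startswith("301") and "https://" in a for a in d.get("return", [])):
        findings.append("no HTTP-to-HTTPS redirect: add 'return 301 https://$host$request_uri;' to the port-80 server block")
    if not any(a.startswith("Strict-Transport-Security") for a in d.get("add_header", [])):
        findings.append('HSTS header missing: add add_header Strict-Transport-Security "max-age=63072000" always;')
    return findings


# Constructed PEM bundles: a leaf-only file and a leaf + intermediate bundle (bodies are placeholders).
LEAF_ONLY_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...leaf...\n-----END CERTIFICATE-----\n"
FULLCHAIN_PEM = LEAF_ONLY_PEM + "-----BEGIN CERTIFICATE-----\nMIIB...intermediate...\n-----END CERTIFICATE-----\n"

# Constructed: the weak setting and the corrected one side by side.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/ssl/example.com.crt;   # leaf only
    ssl_certificate_key /etc/ssl/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256';
}
"""

FIXED_CONFIG = """
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5';
    add_header Strict-Transport-Security "max-age=63072000" always;
}
"""

if __name__ == "__main__":
    for label, cfg, pem in (("weak", WEAK_CONFIG, LEAF_ONLY_PEM), ("fixed", FIXED_CONFIG, FULLCHAIN_PEM)):
        print(label + ":", lint_config(cfg, pem) or ["no findings"])
```

The chain check counts certificate blocks in the file rather than trusting its name, which is the point: a file called fullchain.pem that holds one certificate is still a leaf-only file. The cipher check is deliberately coarse (substring tokens); the Mozilla generator output named in item 3 passes it, and anything it flags deserves a look.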
6. Mixed content
What it is: the page loads over HTTPS but pulls images, fonts, scripts, or CSS from http://.
Why it breaks: browsers block the insecure resources. Scripts silently fail. Images do not load. Layout breaks.
The fix: find any hard-coded http:// URLs in your codebase and change them to protocol-relative (//) or https://.
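A finder for hard-coded http:// resource loads in an HTML page, with a rewrite to https://. This is an added example, not code from the original guide. It flags only what browsers treat as mixed content (src= on media and script tags, href= on link tags, and CSS url()), and leaves an ordinary navigation link such as <a href="http://..."> alone, since following a link is not a resource load. The sample page is constructed.

```python
import re

# Added example, not code from the original article: find hard-coded http://
# resource loads in an HTML page and rewrite them to https://. Only resource
# loads count as mixed content (src= on media/script tags, href= on <link>,
# and CSS url()); an ordinary <a href="http://..."> navigation link is left alone.
# The sample page below is constructed.

RESOURCE_TAGS = ("img", "script", "iframe", "source", "video", "audio", "embed", "link", "track")
TAG_RE = re.compile(r"<(%s)\b[^>]*>" % "|".join(RESOURCE_TAGS), re.I)
ATTR_RE = re.compile(r"""\b(src|href)\s*=\s*["'](http://[^"']+)["']""", re.I)
CSS_URL_RE = re.compile(r"""url\(\s*["']?(http://[^"')\s]+)""", re.I)


def find_mixed_content(html):
    """Return (tag, attribute, url) for every plain-http resource load on the page."""
    hits = []
    for tag in TAG_RE.finditer(html):
        for attr in ATTR_RE.finditer(tag.group(0)):
            hits.append((tag.group(1).lower(), attr.group(1).lower(), attr.group(2)))
    for css in CSS_URL_RE.finditer(html):
        hits.append(("style", "url", css.group(1)))
    return hits


def rewrite_to_https(html):
    """Upgrade every flagged resource URL to https://, leaving everything else untouched."""
    def upgrade_tag(tag):
        return ATTR_RE.sub(lambda a: a.group(0).replace("http://", "https://", 1), tag.group(0))
    html = TAG_RE.sub(upgrade_tag, html)
    return CSS_URL_RE.sub(lambda m: m.group(0).replace("http://", "https://", 1), html)


# Constructed sample page: two http:// resource loads, one http:// CSS background,
# one already-secure script, and one navigation link that must be left alone.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<style>body { background: url(http://cdn.example.com/bg.png); }</style>
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://cdn.example.com/logo.png" alt="logo">
<a href="http://partner.example.net/">Partner site</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print("mixed content: <%s %s=%s>" % (tag, attr, url))
    print("after rewrite:", find_mixed_content(rewrite_to_https(SAMPLE_PAGE)) or "clean")
```

Run it over a checkout of your templates and static HTML; anything it prints is a resource the browser will block or refuse to load over HTTPS. The rewrite upgrades to https:// directly rather than to the protocol-relative form, so the asset host must itself serve HTTPS.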
How to test all of this in one shot
Going through this checklist manually takes an hour. A scanner does it in 15 seconds and gives you a grade - run a free SSL scan.
Keep it good
A correct configuration today drifts tomorrow - a load balancer change, a fresh server, a library update. Schedule recurring scans on your important domains so a regression is caught the day it happens, not the week of the audit.
Frequently asked questions
- What is an “incomplete certificate chain”?
- Your server is only sending the leaf certificate without the intermediate ones. Some clients cannot verify the chain on their own and reject the connection. Install the full chain on the server.
- Is TLS 1.0 still safe to support?
- No. TLS 1.0 and 1.1 are formally deprecated. Disable them and offer TLS 1.2 and TLS 1.3 only. PCI DSS and most compliance frameworks require this.
- How do I test my SSL configuration?
- Use a free scanner (like the TLS Radar free SSL scanner). Within seconds it shows your grade, weak ciphers, protocol support, and chain issues.
Check any site in seconds
Scan a domain with our free SSL tool and see the certificate, grade, and any issues - no signup needed.
Related guides
- HTTPS Not Working? A Plain-English Troubleshooting Guide
  Why HTTPS suddenly stops working and how to diagnose it in under 10 minutes.
- SSL/TLS Vulnerabilities - A Quick Guide for Non-Experts
  A non-expert tour of well-known SSL/TLS vulnerabilities and how to check yours.
- “This Website Cannot Be Trusted”: What It Means and How to Fix It
  What the “this website cannot be trusted” error really means, and how to fix it fast.
From the blog
- Let's Encrypt vs Paid SSL Certificates: Which One Should You Use?
  A clear, practical comparison of Let's Encrypt and paid SSL certificates - what each one is best at, where they fall short, and how to choose.
- SSL Certificate Outages - 4 Real Incidents and What They Teach Us
  Four real-world certificate outages from major companies, in plain English. What broke, how it broke, and the simple monitoring step that would have caught it.