What an SSL warning actually means
A plain-English guide to "Your connection is not private" and the other browser SSL warnings — what they mean, why they happen, and how to fix each one without breaking the site.
Every browser shows roughly the same message: “Your connection is not private”, “This site can’t provide a secure connection”, or a red padlock with an exclamation mark. Most small-business owners see it on their own website at least once. Most assume it’s a “renew the certificate” job and panic-call their web developer. Sometimes it is. Often it isn’t.
This article explains what an SSL warning actually means, the four most common types, and how to fix each one without making it worse.
What does an SSL warning actually mean?
When your browser sees a website, it does three checks before it shows the padlock:
- Does the site present a certificate? The certificate is the digital ID card the website hands the browser.
- Is the certificate valid — right name, right dates, signed by a trusted authority? A certificate for dentist-smith.com doesn’t work for dentistsmith.com. A certificate that expired yesterday doesn’t work today.
- Is the connection actually using strong encryption? The encryption standards from the 1990s have long been retired. If the server still offers them, modern browsers complain.
If any one of those checks fails, the browser shows a warning. Different failures look almost identical to a non-technical user, which is why “SSL warning” is a vague term that hides four very different problems.
What are the most common SSL warning types?
Four show up in nearly every small-business website incident.
1. The certificate has expired.
Almost every certificate today is valid for 90 days or 1 year. Auto-renewal jobs are supposed to renew them automatically. When the auto-renew job stops working — the server changed, a credential rotated, the script silently failed — the certificate expires. The next visitor sees a red warning.
How to tell: open the warning, click “Advanced”, and read the date. If today is past the certificate’s “Valid to” date, this is your problem.
How to fix: log in to your hosting provider, web server, or CDN (Cloudflare, AWS, Netlify, etc.) and trigger a fresh issuance. Most providers have a button. If you use Let’s Encrypt, run certbot renew on the server.
2. The certificate name doesn’t match the URL.
The certificate was issued for www.example.com but the visitor is on example.com. Or it was issued for shop.example.com and the booking subdomain book.example.com is using the same one.
How to tell: open the warning, click “Advanced”, and read the “issued to” line. If the name in the certificate doesn’t include the domain you’re visiting, this is your problem.
How to fix: issue a certificate that covers both names (a SAN certificate or a wildcard certificate), or issue separate certificates for each subdomain.
3. The certificate is self-signed or signed by an authority the browser doesn’t trust.
This usually shows up on internal admin pages, dev/staging environments, or older office equipment. A self-signed certificate is a certificate the website signed itself — no public authority vouches for it. Browsers refuse to trust those by default.
How to tell: the warning says something like “Your connection is not private — the issuer is not trusted” or “self-signed”. Click Advanced and you’ll see “self-signed” or an unfamiliar issuer.
How to fix: replace it with a real certificate from a public authority (Let’s Encrypt is free; most hosts include one automatically). Self-signed certs are fine on internal-only systems — they’re not fine on a public-facing site.
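The first three warning types can be told apart from the certificate's own fields. The sketch below is an added example, not code from the original article: it checks a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificate, the function names and the 14-day renewal threshold are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example CA R1"),),),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
}

def fetch_cert(host, port=443):
    """Fetch a live certificate. The handshake raises
    ssl.SSLCertVerificationError if the browser-style checks already fail."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """A '*' stands for exactly one leftmost label, never the bare domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, host, now, renew_days=14):
    """List the warning causes that apply; renew_days is an assumed threshold."""
    problems = []
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expires <= now:
        problems.append("expired")
    elif (expires - now).days < renew_days:
        problems.append("renewal overdue")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(s, host) for s in sans):
        problems.append("name mismatch")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed")  # issuer and subject are identical
    return problems

if __name__ == "__main__":
    print(diagnose(SAMPLE, "example.com", datetime.now(timezone.utc)))
```

On a live host, `fetch_cert` only returns a certificate when verification succeeds, so its practical use is catching "renewal overdue" before visitors see anything; an already expired, mismatched or self-signed certificate surfaces as the handshake exception instead.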
4. Mixed content: the page loads over HTTPS but pulls in resources over HTTP.
The page itself is on https://, but the page references an image, a script, an iframe, or a stylesheet from http:// somewhere. Browsers either show a warning or silently block the resource. Pages with blocked content often look broken or fail to submit forms.
How to tell: open developer tools (F12), reload the page, and look in the Console tab for “Mixed Content” warnings. They list the exact URLs that were loaded over HTTP.
How to fix: change every http:// reference on the page to https:// (most resources are available over both, you just need to update the markup or the CMS setting). On WordPress, the Really Simple SSL plugin does this automatically; on Squarespace and most modern hosts, mixed content rarely happens because they default to HTTPS-only.
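The same list the Console tab gives you can be produced from saved page source, which helps when checking many pages or templates. This is an added example, not part of the original article: it scans HTML for the four resource types named above (image, script, iframe, stylesheet) loaded over http://. The sample page and its URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page: three insecure subresources, plus several
# look-alikes that are not mixed content and must not be reported.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="HTTP://widgets.example.net/booking.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<img src="//cdn.example.com/team.jpg">
<a href="http://partner.example.org/">Our partner</a>
<iframe src="/map.html"></iframe>
</body></html>
"""

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # Only stylesheets are fetched; rel="canonical" is just metadata.
            if "stylesheet" not in a.get("rel", "").lower().split():
                return
            url = a.get("href", "")
        elif tag in ("img", "script", "iframe"):
            url = a.get("src", "")
        else:
            return  # <a href> is navigation, not a subresource
        url = url.strip()
        if url.lower().startswith("http://"):
            # Active content (script, iframe, stylesheet) is what browsers block.
            kind = "passive" if tag == "img" else "active"
            self.findings.append((tag, kind, url))

def find_mixed_content(html):
    """Return (tag, kind, url) for every subresource requested over http://."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

It reads static markup only, so resources injected later by JavaScript or referenced from inside CSS files still need the browser Console check.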
How can I check my SSL configuration?
Three good free tools:
- SSLLabs Server Test — the industry-standard SSL grader. Aim for a B or higher; A or A+ is best.
- Why No Padlock — tells you exactly which mixed-content URL is breaking the padlock.
- crt.sh — lets you see every public certificate ever issued for your domain. Useful for spotting unauthorised certs.
For continuous monitoring, AuraWatch checks your encryption configuration on a schedule, much more thoroughly than the public one-off testers do.
How long do SSL certificates last?
In 2024 and 2025, browsers and certificate authorities have been pushing certificate lifetimes shorter and shorter. Most public certificates today are valid for 90 days. By 2027, the industry is moving to 47-day certificates as the default. The shorter the certificate, the more it matters that your auto-renewal job is reliable.
The lesson: nobody can issue a certificate, paste it on a server, and forget about it any more. Either your hosting provider auto-renews for you (most modern hosts and CDNs do), or you set up your own automation, or you set a calendar reminder. Manual renewal is no longer a viable strategy.
Should I worry if a customer reports an SSL warning?
Yes — treat it as a P1 incident.
Customers who see SSL warnings on a small business site usually do one of two things: they leave, or they call to tell you. The ones who call are the lucky case. The ones who leave never come back.
Continuous monitoring catches these the moment they appear. A weekly automated encryption check would flag the typical “auto-renew job stopped working” failure within hours of the certificate expiring — usually before the first customer calls.
Helpful follow-on reading:
For continuous encryption monitoring on your sites, see how AuraWatch works.