SSL Certificate Errors on Your Hosting Account

Overview

SSL certificate errors cause visitors to see a warning page instead of your website, which can drive away traffic and hurt trust. This article covers the most common SSL errors, what they look like in the browser, and how to resolve them yourself using the self-service SSL tools built into cPanel and DirectAdmin.

Most SSL issues on our platform can be fixed in under five minutes without contacting support.

Common SSL Errors and What They Mean

1. Certificate Expired

What visitors see:

• Chrome: "Your connection is not private" with error code NET::ERR_CERT_DATE_INVALID
• Firefox: "Warning: Potential Security Risk Ahead" — SEC_ERROR_EXPIRED_CERTIFICATE
• Safari: "This Connection Is Not Private"

What's happening: Your SSL certificate had a valid lifespan (typically 90 days for Let's Encrypt/AutoSSL certificates, 1 year for paid certificates) and that period has ended. The certificate itself is still in place but browsers refuse to trust it.

Why it happens:

• AutoSSL failed to renew, usually because DNS pointed elsewhere, a redirect was blocking the validation check, or the domain was temporarily unreachable.
• A paid certificate wasn't renewed before its expiry date.
• The domain was recently moved to our servers and the old certificate came with it.

2. Wrong Domain Served (Common Name Mismatch)

What visitors see:

• Chrome: NET::ERR_CERT_COMMON_NAME_INVALID
• Firefox: SSL_ERROR_BAD_CERT_DOMAIN
• The warning mentions the certificate is valid for a different domain (often the server's hostname or a different customer's domain).

What's happening: The browser is receiving an SSL certificate that doesn't match the domain the visitor typed. The server is serving some certificate, but not the right one for that specific site.

Why it happens:

• The domain was added to the account but SSL hasn't been issued for it yet.
• DNS for the domain is pointing to the server, but the domain isn't actually configured in your hosting account.
• A shared IP is serving the default server certificate as a fallback because no matching certificate exists.
• The certificate was issued for yourdomain.com but the visitor is accessing www.yourdomain.com (or vice versa) and only one is covered.

3. Subdomain Not Covered

What visitors see: Same browser errors as "Wrong Domain Served" — usually NET::ERR_CERT_COMMON_NAME_INVALID. The warning specifically notes the certificate is valid for example.com but not blog.example.com (or whichever subdomain).

What's happening: You have a valid SSL certificate for your main domain, but a subdomain was added later and wasn't included when the certificate was issued.

Why it happens:

• AutoSSL runs on a schedule (typically daily) and hasn't yet picked up the new subdomain.
• The subdomain's DNS isn't pointing to the server yet, so AutoSSL can't validate it.
• A wildcard certificate wasn't used, and each subdomain needs its own entry.

4. Self-Signed or Untrusted Certificate

What visitors see:

• Chrome: NET::ERR_CERT_AUTHORITY_INVALID
• Firefox: SEC_ERROR_UNKNOWN_ISSUER

What's happening: The certificate being served isn't signed by a trusted certificate authority. This is often the server's fallback self-signed certificate, served when no proper SSL exists for the domain.

Why it happens:

• Same root causes as "Wrong Domain Served" — usually that no valid certificate has been issued for the domain yet.

5. Mixed Content Warning (Not an Error, But Related)

What visitors see: The padlock in the address bar shows a warning icon, or the site loads but some images/scripts are broken. No full block page.

What's happening: Your SSL certificate is valid and working, but the site is loading some resources (images, scripts, stylesheets) over http:// instead of https://.

Why it happens:

• Hardcoded HTTP URLs in the site content (common after migrating from HTTP to HTTPS).
• A theme or plugin (on WordPress especially) referencing HTTP resources.

This is fixed inside your application (WordPress, etc.), not at the SSL level. Search for a "Better Search Replace" plugin or similar tool to update http://yourdomain.com to https://yourdomain.com throughout your database.

How to Fix SSL Errors Yourself

On cPanel

cPanel installations on our servers run AutoSSL (powered by Let's Encrypt or Sectigo), which automatically issues and renews certificates for all domains on your account.

Check Current SSL Status

1. Log in to cPanel.
2. In the search bar at the top, type SSL/TLS Status and click the result.
3. You'll see a list of every domain and subdomain on your account, along with the status of its certificate (valid, expired, or not present).

Domains with valid certificates show a green lock icon. Domains missing SSL or with expired certificates are flagged clearly.

Run AutoSSL Manually

If a domain is missing SSL or recently added:

1. Still on the SSL/TLS Status page, check the box next to the affected domain(s).
2. Click Run AutoSSL.
3. Wait 1–5 minutes. The page will refresh with the new status.

AutoSSL will attempt to issue a certificate. If it succeeds, the domain is now secured. If it fails, the page shows the reason (common reasons below).

Common AutoSSL Failure Reasons in cPanel

• "The domain's DNS does not resolve to this server" — Your domain isn't pointing to our server yet. Update your DNS A record to the IP shown in your welcome email.
• "The DCV check failed" — Something on your site (often a redirect rule in .htaccess) is blocking the validation URL. Temporarily remove any catch-all redirects and retry.
• "The domain is not in the user's feature list" — Contact support; your package may not include SSL for this domain type.

On DirectAdmin

DirectAdmin uses Let's Encrypt integration for free SSL, managed per-domain.

Check and Issue SSL

1. Log in to DirectAdmin.
2. From the main dashboard, click Domain Setup (or Account Manager → Domain Setup depending on your skin).
3. Click the domain you want to manage.
4. Scroll to SSL Certificates or click the SSL Certificates link.
5. Select Free & automatic certificate from Let's Encrypt.
6. Under "Certificate Entries", check the boxes for all hostnames you want covered:
   • yourdomain.com
   • www.yourdomain.com
   • mail.yourdomain.com
   • Any subdomains
7. Set the Key Size (2048 is standard; 4096 is stronger but slower).
8. Click Save.

DirectAdmin will request the certificate from Let's Encrypt. Success or failure is reported at the top of the next page.

Force HTTPS

After SSL is issued, enable HTTPS enforcement:

1. Go back to Domain Setup and click your domain.
2. Find the Force SSL with HTTPS Redirect option.
3. Toggle it on and save.

Visitors arriving via http:// will now be redirected to https:// automatically.

Common Let's Encrypt Failure Reasons in DirectAdmin

• "DNS problem: NXDOMAIN looking up A for yourdomain.com" — DNS isn't pointing to the server. Fix your A record and retry.
• "Invalid response from http://yourdomain.com/.well-known/acme-challenge/..." — A redirect or firewall rule is blocking Let's Encrypt's validation. Remove any forced HTTPS rules temporarily, clear .htaccess redirects, and retry.
• "Too many certificates already issued" — Let's Encrypt rate limit. Wait 1 hour and try again, or contact support if urgent.

Prevention Tips

• Don't disable AutoSSL. It runs automatically and handles renewals. As long as DNS is correct and no redirects block validation, it just works.
• Add subdomains before you need them live. This gives AutoSSL a cycle or two to pick them up.
• Avoid catch-all HTTPS redirects in .htaccess without exceptions for /.well-known/. This path is used for SSL validation. A blanket redirect to HTTPS is fine, but a redirect that rewrites or blocks /.well-known/ will break renewals.
• Keep DNS pointed to your hosting server. If you move DNS to another provider, AutoSSL can still work as long as the A record points to us, but any delays or misconfigurations will break renewal.

When to Contact Support

Try the self-service steps above first — they resolve the vast majority of SSL issues. Open a ticket if:

• AutoSSL or Let's Encrypt consistently fails and the error message isn't clear.
• You suspect the issue is with our server configuration rather than your domain or DNS.
• You've confirmed DNS is correct, no redirects are interfering, and the certificate still won't issue.

When you open a ticket, include:

• The domain name affected.
• A screenshot of the browser error (if applicable).
• The exact error message shown by AutoSSL or Let's Encrypt after you tried to issue the certificate.
• Any recent changes (new subdomain, DNS migration, plugin added).

This context lets us diagnose quickly without a back-and-forth.