TL;DR
Your browser doesn’t trust a certificate that OpenSSL s_client accepts. This usually means the browser’s root store is outdated or there’s an issue with how the certificate chain is presented to the browser. Here’s how to fix it.
1. Understand the Problem
When a browser connects to a website using HTTPS, it checks if the website’s certificate is valid and trusted. This involves verifying:
- The certificate hasn’t expired
- The certificate is issued by a Certificate Authority (CA) the browser trusts
- The certificate matches the website’s domain name
openssl s_client often works because it uses its own root store, which may be more up-to-date or include different CAs than your browser. The browser is being stricter.
2. Update Your Browser
The simplest solution is to ensure you’re using the latest version of your browser (Chrome, Firefox, Edge, Safari). Updates often include new root certificates and security fixes.
3. Clear Browser Cache & SSL State
Cached data can sometimes interfere with certificate validation. Clearing it forces the browser to re-download everything:
- Chrome: Settings > Privacy and Security > Clear browsing data. Select ‘Cookies and other site data’ and ‘Cached images and files’.
- Firefox: Preferences > Privacy & Security > Clear Data… Check ‘Cached Web Content’ and ‘SSL Certificates’.
- Edge: Settings > Privacy, search, and services > Clear browsing data. Select ‘Cookies and other site data’ and ‘Cached images and files’.
Restart your browser after clearing the cache.
4. Check Certificate Chain
The certificate chain is a series of certificates that link the website’s certificate back to a trusted root CA. If it’s incomplete or in the wrong order, browsers will reject it.
- Use an Online Checker: Tools like SSL Shopper can analyze your certificate chain and identify issues.
- Verify Chain Order: The website’s certificate should be first, followed by intermediate certificates (if any), and finally the root CA certificate.
If you’re managing the server yourself, ensure your webserver configuration includes all necessary intermediate certificates.
5. Check Server Configuration
Incorrect server configuration can also cause problems. Common issues include:
- Missing Intermediate Certificates: The server isn’t sending the complete certificate chain to the browser.
- Incorrect Certificate File Path: The webserver is pointing to the wrong certificate file.
- HTTP/2 Issues: Sometimes, HTTP/2 can cause problems with certificate presentation. Try temporarily disabling it for testing (consult your server documentation).
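For Apache, first make sure the SSL module is enabled:
sudo a2enmod ssl
Then ensure the SSLCertificateChainFile directive in your virtual host configuration points to the correct intermediate certificate file. On Apache 2.4.8 and later this directive is deprecated, and the intermediate certificates are instead appended after the server certificate in the file named by SSLCertificateFile.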
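The missing-intermediate failure from steps 4 and 5, reproduced offline as an added example (not part of the original page). The three-certificate PKI, its subject names and its file names are constructed for the demonstration; openssl verify -untrusted stands in for the intermediates a server sends alongside its own certificate.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (root -> intermediate -> leaf), generated locally.
# Against a live server, the chain actually sent can be listed with:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null

# new_csr NAME CN: create NAME.key and NAME.csr
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_demo_pki: write root.pem, inter.pem and leaf.pem into the current directory
build_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  new_csr root "Constructed Root CA" &&
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null &&
  new_csr inter "Constructed Intermediate CA" &&
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem 2>/dev/null &&
  new_csr leaf "www.example.test" &&
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
}

# chain_ok ROOT LEAF [SENT_INTERMEDIATES]: succeed only if LEAF chains to ROOT
# using nothing but the certificates the server would send alongside it.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# demo: run both cases in a throwaway directory (subshell keeps the caller's cwd)
demo() (
  work=$(mktemp -d) && cd "$work" || exit 1
  build_demo_pki || exit 1
  if chain_ok root.pem leaf.pem; then echo "leaf only: trusted"
  else echo "leaf only: rejected, intermediate not supplied"; fi
  if chain_ok root.pem leaf.pem inter.pem; then echo "leaf + intermediate: trusted"
  else echo "leaf + intermediate: rejected"; fi
  rm -rf "$work"
)

demo
```

A client that already holds the intermediate accepts the leaf-only case, which is why one client can succeed where another fails against the same server.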
6. Browser Root Store Issues (Advanced)
Rarely, the browser’s root store itself can be corrupted or missing important CAs. This is more common on older operating systems or after software conflicts.
- Operating System Updates: Ensure your operating system is up-to-date, as updates often include root certificate updates.
- Reinstall Browser: A complete reinstall of the browser can sometimes fix corrupted root stores.
7. Check for DNS Issues
Although less common, incorrect DNS settings could lead to a mismatch between the domain name in the certificate and the actual website being accessed.
- Verify DNS Records: Use tools like nslookup or online DNS checkers to ensure your DNS records are correct.

