SSL Certificate Errors: Troubleshooting

TL;DR

This guide helps you fix common “Begin Certificate – End Certificate” errors when installing or using SSL certificates on your web server. We’ll cover checking the certificate files, configuring your server (Apache and Nginx examples), and verifying the installation.

Troubleshooting SSL Certificate Errors

  1. Check Your Certificate Files
    • You should have at least two files: a certificate file (.crt or .pem) containing your website’s certificate, and a private key file (.key). Sometimes you’ll also have an intermediate certificate bundle (.ca-bundle or similar).
    • Make sure these files are present in the correct location on your server. Common locations include /etc/ssl/certs/ and /etc/ssl/private/.
    • Verify file permissions: The private key should be readable only by root (or the user running your web server). Use
      chmod 600 /path/to/your/private.key
      Certificates can generally be world-readable:
      chmod 644 /path/to/your/certificate.crt

  2. Apache Configuration
    • Edit your Apache virtual host configuration file (usually in /etc/apache2/sites-available/).
    • Ensure the correct paths are specified for SSLCertificateFile, SSLCertificateKeyFile and potentially SSLCertificateChainFile. Example:
      
      <VirtualHost *:443>
          ServerName yourdomain.com
          DocumentRoot /var/www/yourdomain
          ...
          SSLEngine on
          SSLCertificateFile /etc/ssl/certs/yourdomain.crt
          SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
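          # Only if applicable (your CA supplied a separate intermediate bundle).
          # Deprecated since Apache 2.4.8, where SSLCertificateFile can also hold the chain.
          SSLCertificateChainFile /etc/ssl/certs/ca-bundle.pem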
      </VirtualHost>
      
    • Restart Apache:
      sudo systemctl restart apache2
  3. Nginx Configuration
    • Edit your Nginx server block configuration file (usually in /etc/nginx/sites-available/).
    • Ensure the correct paths are specified for ssl_certificate and ssl_certificate_key. Example:
      
      server {
          listen 443 ssl;
          server_name yourdomain.com;
          ...
          ssl_certificate /etc/ssl/certs/yourdomain.crt;
          ssl_certificate_key /etc/ssl/private/yourdomain.key;
      }
    • Restart Nginx:
      sudo systemctl restart nginx
  4. Combine Certificate and Intermediate Certificates (if needed)
    • Some certificate authorities require you to combine your website's certificate with an intermediate certificate bundle.
    • Append the contents of the intermediate certificate file after your website’s certificate, either by opening both files in a text editor or with cat:
      cat yourdomain.crt ca-bundle.pem > combined_certificate.pem
    • Use the combined file in your server configuration instead of the individual certificate file.
  5. Verify Installation
    • Use an online SSL checker tool (e.g., SSL Shopper) to verify that your certificate is installed correctly and trusted by browsers.
    • Check the browser's developer tools (usually F12) for any certificate errors when visiting your website over HTTPS.
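
The file checks from steps 1 and 4 can be scripted before the web server is restarted. The script below is an added example, not part of the original guide: the function names pem_lint and key_is_private are hypothetical, and the sample files are constructed with dummy base64 rather than real certificates. It catches the usual cause of a "Begin Certificate – End Certificate" error after combining files: a first file with no trailing newline, so cat glues the END and BEGIN markers onto one line.

```shell
#!/bin/sh
# pem_lint FILE: structural check of a PEM certificate file (site certificate,
# CA bundle, or the combined file from step 4). Prints one line per problem and
# returns non-zero if any was found. It does not validate the certificate itself.
pem_lint() {
    [ -r "$1" ] || { echo "$1: not readable"; return 2; }
    awk -v f="$1" '
    function report(msg) { print f ": " msg; bad = 1 }
    /\r$/ { crlf = 1; sub(/\r$/, "") }
    # cat of a file with no trailing newline glues two markers onto one line
    /-----END [A-Z ]+-----.*-----BEGIN / {
        report("line " NR ": END and BEGIN markers on one line"); n++; next
    }
    /^-----BEGIN [A-Z ]+-----$/ {
        if (inside) report("line " NR ": BEGIN before previous block ended")
        inside = 1; n++; next
    }
    /^-----END [A-Z ]+-----$/ {
        if (!inside) report("line " NR ": END without BEGIN")
        inside = 0; next
    }
    /-----/ { report("line " NR ": malformed marker line"); next }
    inside && $0 !~ "^[A-Za-z0-9+/=]+$" {
        report("line " NR ": non-base64 text inside block")
    }
    END {
        if (crlf) report("CRLF (Windows) line endings")
        if (inside) report("last block has no END marker")
        if (!n) report("no BEGIN marker found")
        exit bad
    }' "$1"
}

# key_is_private FILE: true when group and other have no permissions (chmod 600).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo on constructed files (dummy base64, not real certificates).
demo=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QUJDRA==' \
    '-----END CERTIFICATE-----' > "$demo/site.crt"        # no final newline
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'RUZHSA==' \
    '-----END CERTIFICATE-----' > "$demo/ca-bundle.pem"
cat "$demo/site.crt" "$demo/ca-bundle.pem" > "$demo/combined.pem"
pem_lint "$demo/combined.pem" || echo "fix: end each file with a newline before combining"
rm -rf "$demo"
```

The lint is for certificate files only; a private key file with encryption headers would trip the base64 check.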