TL;DR
Users get scared by SSL certificate errors and often leave your site. This guide shows you how to make those error pages less alarming, provide clear instructions, and log what’s happening so you can fix the underlying problem.
Improving User Reaction to SSL Certificate Errors
- Understand the Problem: When a user sees an SSL certificate error (like ‘Your connection is not private’), their browser is warning them that the secure connection to your server can’t be verified. This breaks trust. There are several reasons this happens:
  - Expired Certificate: The certificate has passed its expiry date.
  - Incorrect Configuration: The SSL certificate isn’t installed correctly on the server.
  - Missing Intermediate Certificates: Your server is missing certificates needed to build a ‘chain of trust’.
  - Domain Mismatch: The certificate doesn’t cover the domain name being used (e.g., using www when the certificate is only for example.com).
- Customise Error Pages: Don’t rely on the browser’s default error pages – they are often very technical and frightening. Create your own, friendly error pages.
  - Clear Explanation: Explain in plain English what’s happening. Avoid terms like ‘SSL’, ‘TLS’, or ‘certificate’. Instead say something like “There’s a problem with the security of this website.”
  - Reassurance: Tell users it’s not their fault.
  - Contact Information: Provide an email address or phone number for support.
  - Alternative Actions: Suggest they try again later, or contact you if the problem persists. Avoid directing them to proceed anyway unless absolutely necessary and with a very clear warning about the risks.
- Server Configuration (Apache Example): You can configure Apache to display custom error pages for SSL errors.

      ErrorDocument 403 /ssl_error.html

  This tells Apache to show the file ssl_error.html when a 403 (Forbidden) error occurs, which is common with SSL issues. You’ll need to create this ssl_error.html file.
- Server Configuration (Nginx Example): For Nginx, you can use similar configuration.

      server {
          ...
          error_page 403 /ssl_error.html;
          ...
      }

  This directs Nginx to display the ssl_error.html file for 403 errors.
- Logging: It’s crucial to log SSL certificate errors so you can identify and fix them quickly.
  - Server Logs: Check your web server’s error logs (Apache or Nginx) for clues about the problem. Look for messages related to SSL, certificates, or chain validation.
  - Certificate Monitoring Services: Use a service like SSL Labs (https://www.ssllabs.com/ssltest/) to regularly scan your site for certificate issues and provide detailed reports.
- Automatic Renewal: Set up automatic renewal of your SSL certificates using Let’s Encrypt or a similar service. This prevents expiry-related errors.
  - Certbot: A popular tool for automating Let’s Encrypt certificate management.
- Intermediate Certificates (Important): Ensure your server is configured with the full chain of intermediate certificates. Often, you’ll need to combine your main certificate with the intermediate(s) provided by your Certificate Authority into a single file.

      cat your_domain.crt intermediate1.crt intermediate2.crt > combined.crt

  Then configure your server to use combined.crt instead of just your_domain.crt.
- Domain Name Consistency: Double-check that the domain name on your certificate matches the domain name users are entering in their browser (including www vs non-www).
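
One way to log these failures from the client’s side, as an added example that is not part of the original guide: a small Python probe that connects with default certificate verification and maps OpenSSL’s verify result onto the causes listed under ‘Understand the Problem’. The status names, the 21-day warning threshold and the log-line format are assumptions made for this example.

```python
import socket
import ssl
import sys
import time

# OpenSSL X509_V_ERR_* codes mapped to status names chosen for this example.
CAUSES = {
    9: "not-yet-valid", 10: "expired", 62: "domain-mismatch",
    18: "self-signed", 19: "self-signed",
    # 20/21: issuer not found, i.e. missing intermediate or untrusted CA
    20: "chain-incomplete", 21: "chain-incomplete",
}

def classify(verify_code):
    """Translate an OpenSSL verify code into one of the status names above."""
    return CAUSES.get(verify_code, "other")

def days_left(not_after, now=None):
    """Whole days until a getpeercert()['notAfter'] timestamp (negative if past)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def report(host, verify_code=None, detail="", not_after=None, now=None, warn_days=21):
    """Build one log line from either a verify failure or a valid certificate."""
    if verify_code is not None:
        status = classify(verify_code)
    else:
        remaining = days_left(not_after, now)
        status = "expiring-soon" if remaining < warn_days else "ok"
        detail = f"{remaining} days left"
    return f"cert-check host={host} status={status} detail={detail!r}"

def probe(host, port=443, timeout=5.0):
    """Handshake with default verification and report the result as a log line."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return report(host, not_after=tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return report(host, exc.verify_code, exc.verify_message)
    except OSError as exc:  # DNS failure, refused connection, other TLS errors
        return f"cert-check host={host} status=unreachable detail={str(exc)!r}"

if __name__ == "__main__":
    # Constructed sample: verify code 10 is what OpenSSL reports for an expired certificate.
    print(report("example.com", 10, "certificate has expired"))
    for name in sys.argv[1:]:
        print(probe(name))
```

Python’s default context does not download missing intermediates the way some browsers do, so a chain-incomplete result can appear even when a desktop browser loads the site without a warning. Codes 20 and 21 also cover an issuer the client does not trust at all.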

