Your connection is not private

1. About the error
2. Why do I see this error
3. Solution
4. Renew an expired certificate
5. Cover every domain the site answers on
6. Serve the full chain

#About the error

Chrome shows a full-page "Your connection is not private" warning with a code such as NET::ERR_CERT_*. The browser couldn't validate the site's SSL certificate, so it blocks access to protect the visitor. If it's your own site, it means visitors are being turned away, so it's worth fixing fast.

#Why do I see this error

The specific code under the warning tells you which problem it is:

• NET::ERR_CERT_DATE_INVALID the certificate has expired (the most common).
• NET::ERR_CERT_AUTHORITY_INVALID untrusted issuer or missing chain, see NET::ERR_CERT_AUTHORITY_INVALID.
• NET::ERR_CERT_COMMON_NAME_INVALID the certificate doesn't cover the domain being visited (e.g. www missing).
• A wrong system clock on the visitor's device (the one cause that isn't your fault).

#Solution

#Renew an expired certificate

Expiry is the number one cause. With Certbot, renew and make sure auto-renewal is active so it never lapses again:

sudo certbot renew
sudo systemctl reload nginx

Check the expiry date directly:

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

#Cover every domain the site answers on

A COMMON_NAME_INVALID error means the certificate is missing a name. Issue it for both the apex and www (and any subdomains you serve):

sudo certbot --nginx -d example.com -d www.example.com

#Serve the full chain

If the code is AUTHORITY_INVALID, point nginx at fullchain.pem, not the leaf-only cert.pem, so the browser can build the trust chain:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

Then validate and reload:

nginx -t && systemctl reload nginx

For the underlying TLS negotiation failures behind these warnings, see SSL handshake failed in nginx, and for a hardened setup, an A+ grade SSL using Cloudflare.