GlobalSign Blog

16 Sep 2016

Common SSL Certificate Errors and How to Fix Them

Sometimes, even the most effective webmaster has problems with SSL/TLS Certificates. Ordering the right certificate, creating a CSR, downloading it, installing it and testing it to make sure there are no problems are all areas where a webmaster can encounter problems.

We want to help you make the process as simple as possible from start to finish. For that reason, we have collated our top 10 queries and issues that our customers find during the ordering to installation process. We hope this blog will help you avoid those pitfalls and streamline your time to completion, but if you have a problem that you cannot solve using this blog you can still contact our support team or submit a support ticket on our website.

Choosing the Right Approval Method

There are three ways to have your domain verified with us: approver email, approver URL and DNS TXT records.

Note: when ordering an SSL Certificate from our system, approval methods cannot be changed once chosen.

Approver Email

When placing an order, you can choose from the following email addresses to allow us to verify your domain:

  • admin@domain.com
  • administrator@domain.com
  • hostmaster@domain.com
  • postmaster@domain.com
  • webmaster@domain.com

An email will be sent to this address and upon receipt of the email you can click a link to verify the domain is yours.

Note: Make sure you choose the right one, or you will have to cancel the order and start a new order.

If you cannot set up an email from the above list, you will need to contact support who will guide you through other possible options. These are:

  • Updating the WHOIS records with an email address (an example of a website GlobalSign uses to check Who is records is networksolutions.com).
  • Creating a page on the website of the domain using instructions from our support team. This will indicate control of the domain and allow the vetting team to send the approval email to ANY alternative email address.

Approver URL

Using the Approval URL method, where you can insert a meta tag on the root page of your domain. Our verification system will be able to detect the meta tag on the page and verify the domain ownership.

Note: the meta tag must be included on the root page on the domain. Our system cannot verify the domain if it redirects to another page.

DNS TXT records entails implementing a code into the DNS TXT of the website. Use this link for checking if a DNS TXT record is present on a domain. Alternatively you can run a command in command prompt to see if there is a txt entry: nslookup -type=txt www.domain.com.

Private Key Missing

A private key and CSR must always be generated on the same server you’re installing the certificate on in order for the certificate to install correctly. If the private key is no longer stored on the server (lost) then the certificate will need to be reissued with a new CSR.

Examples of error messages/situations which would indicate there is no private key:

  • ‘Private key missing’ error message appears during installation.
  • ‘Bad tag value’ error message appears during installation.
  • After importing the certificate into IIS, the certificate disappears from the list when refreshed.
  • When going onto your website, the site does not load in https://

SAN Compatibility

With a subject alternative name or SAN certificate, there are a number of things to note before ordering.

  • Domain Validated (DV) SSL Certificates only secure sub-domains and not the Common Name.
  • Organization Validated (OV) and Extended Validation (EV) SSL Certificates secure multi-domain names (FQDNs).
  • Up to 100 SANs can be secured on one certificate at a time; more can be added post issuance.
  • Wildcard SSL Certificates can secure unlimited sub-domains represented by the asterick.

For more information regarding SAN compatibility, see the below image.

SAN Compatability

If you wish to remove a SAN after your certificate has been issued then follow the steps in that link.

Invalid CSR

If you are creating a renewal CSR, then you will need to ensure the information in it is the same as your original CSR. The new CSR will not look exactly the same since the private key is different.

Another reason why it may not work in the renewal process is when you create a CSR function in the IIS7 server. There is a known bug which will make the CSR too long. The best way to defeat this is to create a new certificate request instead of a renewal request.

You can test a CSR by using a decoder from one of the websites listed below. If there are any extra spaces or too many or too few dashes at the beginning/end of the certificate request, it will invalidate the CSR.

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

The Common Name You Have Entered Does Not Match the Base Option

This error appears when you are ordering a Wildcard SSL Certificate but have not included the asterisk in the Common Name e.g. *.domain.com. Or if conversely, you have entered *.domain.com and not entered that your certificate is a Wildcard.

The [*] represents all sub-domains you can secure with this type of certificate. For example, if you want to secure www.domain.com, mail.domain.com and secure.domain.com, you will need to enter *.domain.com as the Common Name in the CSR.

Note: You cannot create a Wildcard with a sub-domain before the asterisk, e.g. mail.*.domain.com, or double Wildcards, such as *.*.domain.com.

Key Duplicate Error

This error appears when you are using a private key which has already been used. A private key and CSR can only be used ONCE.

You should generate a new private key and CSR on their server and re-submit the new CSR.

Order State Has Already Been Changed

Order state has already been changed SSL

This error message generally appears when your order has timed out. You should start the ordering process from scratch and to let us know if the issue persists. If it does, we need to run further checks on your account.

NOTE: this error message can also be caused by wrongly specified (entered) SANs. For example, if the CN is "www.domain.com" and you specified sub-domain as "domain.domain2.com" which actually specifies FQDN.

The SANs Options You Have Entered Do Not Match the SAN Options on the Original Certificate

This problem can occur for a number of reasons:

  • You have simply added a space after the SAN which our system is rejecting.
  • There is a typo in the information you have input.
  • You are entering the Common Name (CN) of the certificate as a SAN so the system cannot recognize if it already secured by the certificate.
  • You incorrectly enter the SAN as a sub-domain, multi-domain name, internal SAN or IP. You need to choose the correct type of SAN which applies to the SAN.

Certificate Not Trusted in Web Browser

After installing the certificate, you may still receive untrusted errors in certain browsers. This happens when the intermediate certificate has not been installed.

Running a health check on the domain will show this.

If the intermediate certificate is missing, use the following link to determine which intermediate is needed based on product type (DomainSSL, OrganisationSSL, ExtendedSSL, AlphaSSL etc).

To find out more about intermediate certificates and why we use them, visit this article.

‘Switch From Competitor’ Error Message

When choosing the ‘switch from competitor’ option in our certificate ordering system, you may see the following error message:

The server hosting your existing certificate cannot be reached to confirm its validity. Please obtain a copy of your existing certificate and paste it in the box below. All competitive switches are subject to review by GlobalSign's vetting team against the trusted issuers in the browser trust stores. If your certificate is not issued by a valid root CA Certificate, it will be subject to cancellation and/or revocation.

This error message occurs when your current certificate is no longer valid. You should only choose this option if you are switching before your certificate with another company expires.

This error message could also occur if your current certificate is not installed on the domain. Our system will not be able to detect the validity in this case so you should untick this option and go through the normal ordering process.

If you have a valid certificate from a competitor that is not installed on the server then you can paste your CSR into the text box using the ‘Switch from Competitor’ option. See the below image.

Switch from competitor

Finally, this error message could show when you have installed a certificate onto your server but the CN name is not the same as the domain name, as an example, this can happen with a SAN certificate. In this case, simply untick ‘switch from a competitor’ and go through the normal ordering process.

For more help with general SSL Certificate queries then visit the General SSL page on our support site.

Share this Post

Subscribe to our Blog