SSL Monitoring – Common Issues

The following article contains an overview of common errors that are seen
with SSL monitoring, as well as information on how to resolve them.

If you see an issue with your certificate, but can’t find it in this list,
please do get in touch with our support and we’ll assist you in resolving
the issue.

General certificate chain structure / Chain of Trust

An SSL certificate chain usually consists of at least 3 certificates; there may
be more, depending on your setup.

Root Certificate

You have the root certificate, which identifies the Certificate Authority (CA).
Root certificates are usually provided by the client devices that connect to your website. If
the root certificate is missing, or self-signed, this will throw errors in the browser.

A missing root certificate cannot be solved unless your server has a certificate from
a trusted CA.

Intermediary Certificate

This is a stand-in for the root certificate, to ensure that multiple layers of security are
kept intact. The intermediary certificate is signed by the root certificate to ensure its
validity.

End certificate

This is the certificate for your domain/website. It contains information about validity,
the domains it’s allowed to be served on and information about the owner. In case of an
extended validation (EV) certificate, it will contain information about your company as
well.

Common Issues and how to resolve them

Unable to verify root certificate (Broken chain)

This is usually caused by a missing intermediary certificate. It can be resolved by installing the
intermediary certificate on your server. Please find links for the most common CAs below.

Note: Whilst your website may work fine in desktop browsers, it can fail on mobile browsers, and CLI
tools like `curl` and `wget`.

Note 2: If you have an intermediary certificate defined, it may not be used during the handshake process. If this is the case, check your configuration, or try to create a CA bundle. (Please refer to the documentation of your server software for more information.)

Intermediate Certificate – Download & Instructions

Hostname/IP doesn’t match certificate’s altnames / ERR_TLS_CERT_ALTNAME_INVALID

This error shows up when the certificate is served on a domain that it’s not intended for. Please contact
your certificate authority for information on how to add that domain to your certificate.
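
The matching rule behind this error, as an added example (not part of the original article and not the monitoring service's own code): a hostname must equal one of the certificate's altnames, where `*` stands for exactly one left-most label and IP addresses only match IP entries. The function names and sample altnames are constructed for illustration; the altname tuples use the shape that Python's `ssl.getpeercert()["subjectAltName"]` returns.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, hostname):
    """Compare one DNS altname with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" never covers more than one label
    if p[0] == "*":
        # Wildcard must be the whole left-most label and sit above at
        # least two more labels, so "*.com" is rejected.
        return len(p) >= 3 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def check_altnames(hostname, altnames):
    """Return None if hostname is covered, else a mismatch message."""
    if _is_ip(hostname):
        # An IP address is only compared with IP entries, never DNS ones.
        target = ipaddress.ip_address(hostname)
        ok = any(kind == "IP Address" and _is_ip(value)
                 and ipaddress.ip_address(value) == target
                 for kind, value in altnames)
    else:
        ok = any(kind == "DNS" and dns_name_matches(value, hostname)
                 for kind, value in altnames)
    if ok:
        return None
    listed = ", ".join(f"{kind}:{value}" for kind, value in altnames)
    return f"{hostname} is not in the certificate's altnames: {listed}"

# Constructed sample: altnames of a certificate issued for example.com.
SAMPLE_ALTNAMES = (("DNS", "example.com"), ("DNS", "*.example.com"),
                   ("IP Address", "192.0.2.10"))

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com",
                 "example.org", "192.0.2.10", "192.0.2.11"):
        print(host, "->", check_altnames(host, SAMPLE_ALTNAMES) or "OK")
```

Note that `*.example.com` covers `www.example.com` but neither the bare `example.com` nor `a.b.example.com`, which is why both the apex and the wildcard are usually listed on the same certificate.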

SELF_SIGNED_CERT_IN_CHAIN

The provided SSL certificate is self-signed, and not signed by a trusted certificate authority. Whilst this
is fine for development environments, it should never be used in live environments.
