SSL certificate — installation, renewal and troubleshooting
Expired SSL certificate, "Not Secure" warning, mixed content or HTTPS redirect issues? We fix your SSL certificate problems and secure your website with TLS encryption that actually works.
What is an SSL certificate and why do you need one?
An SSL certificate (technically TLS — Transport Layer Security) is a small data file installed on your web server. It encrypts the connection between the browser and the server, so that passwords, payment data and personal information cannot be intercepted by third parties on the network.
Without a valid SSL certificate, Chrome, Firefox and Safari display a full-screen "Not Secure" warning that scares away most visitors. Google has also confirmed HTTPS as a ranking signal since 2014, so an SSL certificate is now a baseline requirement for both security and SEO.
All our web hosting packages include free SSL certificates with auto-renewal. We also help fix SSL on external hosting providers and migrate domains to HTTPS without breaking links or rankings.
- SSL certificate installation
- HTTPS redirect configuration
- Mixed content fixes
- Certificate renewal & monitoring
- Let's Encrypt & commercial certificates
- HSTS hardening & TLS 1.3
- Wildcard & SAN certificates
Common SSL errors and how to solve them
These are the SSL certificate errors we see most often. Find the error code your browser shows in the list below to identify which problem you have.
NET::ERR_CERT_AUTHORITY_INVALID
The browser does not trust the certificate authority. Usually caused by a self-signed certificate or a missing intermediate chain. We re-install the full chain so the SSL certificate validates correctly.
NET::ERR_CERT_DATE_INVALID
The SSL certificate has expired or the system clock on the visitor's device is wrong. We renew expired certificates and set up automated renewal so it never happens again.
NET::ERR_CERT_COMMON_NAME_INVALID
Certificate is issued for the wrong domain. Common when migrating between providers or adding subdomains. We re-issue the SSL certificate with all correct domain names included as SAN.
SEC_ERROR_UNKNOWN_ISSUER
Firefox-specific variant of the unknown CA error. Often caused by missing intermediate certificates or antivirus software intercepting HTTPS traffic. We diagnose both server and client side.
Mixed Content Warning
HTTPS page loads scripts, images or CSS over HTTP — padlock disappears or shows yellow warning. We hunt down every plain-HTTP resource and convert it to HTTPS.
"Connection is not secure"
Generic browser warning shown when no SSL certificate is installed at all. Solution: install Let's Encrypt (free) or a commercial SSL certificate and force HTTPS via 301 redirects.
Types of SSL certificates
Not all SSL certificates are equal. The validation level decides how the certificate is issued, what guarantees come with it and what shows up in the browser. Here are the five main types we work with daily:
- DV — Domain Validation (Let's Encrypt, basic)
- OV — Organization Validation (verified company)
- EV — Extended Validation (banking-grade)
- Wildcard — Covers all subdomains (*.example.com)
- SAN — Multi-domain (up to 100 domains in one cert)
DV (Domain Validation)
Cheapest and fastest. The CA only verifies that you control the domain (via DNS or HTTP challenge). Let's Encrypt is the dominant DV provider — free, automated and re-issued every 90 days. Suitable for blogs, brochure sites, SaaS apps and most e-commerce.
OV (Organization Validation)
Mid-tier validation. The CA manually verifies the organization's legal existence (registry lookup, callback to a published number). Pricing typically 1 000–3 000 SEK/year. Recommended for B2B sites and organizations that want extra trust signals.
EV (Extended Validation)
Strictest validation. The CA verifies legal existence, physical address, operational status and authority of the requester. EV certificates formerly displayed the company name in green in the address bar (deprecated in modern browsers but still required by some banking standards).
Wildcard
A single certificate that covers all first-level subdomains under a domain (*.example.com matches shop.example.com, blog.example.com, app.example.com etc.). Available as DV, OV or EV. Useful when you have many subdomains or spin up new ones frequently.
Multi-domain (SAN)
Subject Alternative Name certificate covering up to 100 different domain names in a single SSL certificate. Useful for businesses owning multiple branded domains (example.com, example.se, example.co.uk) that should all serve the same site.
Which one fits you?
For 95% of websites a free Let's Encrypt SSL certificate is perfectly adequate. We use commercial DV/OV/EV mainly for banks, fintech, public sector and customers who explicitly require warranty coverage above 1 MSEK.
How Webbfabriken installs your SSL certificate
Our standard SSL installation procedure — we follow this checklist on every domain to make sure HTTPS works permanently, not just on launch day.
1. DNS validation
We verify domain ownership via a DNS TXT record or HTTP-01 challenge. DNS validation works even if the site is not yet live, so we can issue the SSL certificate before launch.
2. Auto-renewal via Certbot
Let's Encrypt certificates are valid for 90 days. We configure Certbot or acme.sh to renew automatically every 60 days, with email alerts if a renewal ever fails. No manual work after launch.
3. HSTS
We add the HTTP Strict Transport Security header so browsers refuse to load the site over plain HTTP, even before the user types https://. Protects against downgrade attacks and SSL stripping.
4. HTTP→HTTPS redirect
Permanent 301 redirects from every http://-URL to its https:// equivalent via .htaccess or nginx config. Preserves SEO, prevents duplicate content and ensures the SSL certificate is always used.
5. SSL Labs verification
Final step: we run the domain through SSL Labs (Qualys SSL Test) and tune cipher suites and TLS protocols until the rating is at minimum A, often A+. This catches subtle configuration errors before users do.
6. Expiry monitoring
We add the SSL certificate to our 24/7 monitoring dashboard. Alerts trigger 30, 14 and 7 days before expiry, so even if auto-renewal fails we have plenty of margin to react.
Price for SSL installation and support
Pricing depends on which type of SSL certificate you need and whether you're hosting with us. Free Let's Encrypt covers the vast majority of needs — we charge only for the installation work on external hosting.
All hosting customers get free SSL certificates with auto-renewal included — no setup fees, no annual cost.
- Let's Encrypt + installation: from 995 SEK one-time
- Commercial DV: 500–1 500 SEK/year
- OV (Organization): 1 500–3 000 SEK/year
- EV (Extended): from 4 000 SEK/year
- Wildcard DV: from 2 000 SEK/year
- Auto-renewal: included on our hosting
- Emergency installation (within 4h): from 1 995 SEK
Common Let's Encrypt problems and how to fix them
Let's Encrypt is brilliant when it works — but ACME automation has well-known failure modes. Here are the four problems we troubleshoot most often.
Rate limit hit
Let's Encrypt allows a maximum of 50 certificates per registered domain per week and 5 duplicates per week. Repeated failed attempts during testing can lock you out for up to 168 hours. Solution: use the staging environment until your config works, then switch to production.
DNS validation failed
The required _acme-challenge TXT record is missing, has not propagated yet, or the DNS provider returned a wrong answer. Verify with dig TXT _acme-challenge.example.com before retrying. Some DNS providers need 5–30 minutes for propagation.
HTTP-01 challenge timeout
Let's Encrypt servers can't reach http://example.com/.well-known/acme-challenge/<token>. Usual causes: a firewall blocks port 80, an existing 301 redirect to HTTPS rewrites the challenge, or the web root is wrong. Allow port 80 from Let's Encrypt IPs and add a .well-known exception in your redirects.
fullchain.pem missing
Apache/Nginx config points to cert.pem instead of fullchain.pem — result is the well-known "incomplete chain" error in SSL Labs. Always reference fullchain.pem (which includes both server cert and intermediate) and privkey.pem in the SSL config.
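The following is an added example, not Webbfabriken's own tooling: a small audit of the checklist's HSTS and redirect steps together with the .well-known exception recommended above for HTTP-01. The host name, probe path, token and all function names are assumptions made for the illustration, and the two response sets are constructed so the checks run without network access.

```python
import http.client
import re
from urllib.parse import urlsplit

def fetch(url):
    """One GET, redirects not followed; returns (status, lower-cased headers)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}

def hsts_max_age(value):
    """max-age in seconds from a Strict-Transport-Security value, else None."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value or "", re.I)
    return int(m.group(1)) if m else None

def audit(host, get=fetch, path="/probe/page", token="probe-token"):
    """Return a list of problems; path and token are arbitrary probe values."""
    problems = []
    status, headers = get(f"http://{host}{path}")
    if status != 301:
        problems.append(f"http:// answers {status}, not a permanent 301")
    elif headers.get("location") != f"https://{host}{path}":
        problems.append("301 does not lead to the https:// equivalent URL")
    # Page's advice: exempt the challenge path from the site-wide redirect.
    status, _ = get(f"http://{host}/.well-known/acme-challenge/{token}")
    if status in (301, 302, 303, 307, 308):
        problems.append("/.well-known/acme-challenge/ is redirected")
    # Browsers only honour HSTS received over HTTPS; max-age=0 switches it off.
    _, headers = get(f"https://{host}/")
    if not hsts_max_age(headers.get("strict-transport-security")):
        problems.append("no effective Strict-Transport-Security on https://")
    return problems

# Constructed responses for a hypothetical host, so the audit runs offline.
H = "shop.example.com"
ACME = f"http://{H}/.well-known/acme-challenge/probe-token"
BROKEN = {f"http://{H}/probe/page": (302, {"location": f"https://{H}/"}),
          ACME: (301, {"location": f"https://{H}/"}),
          f"https://{H}/": (200, {"strict-transport-security": "max-age=0"})}
FIXED = {f"http://{H}/probe/page": (301, {"location": f"https://{H}/probe/page"}),
         ACME: (404, {}),
         f"https://{H}/": (200, {"strict-transport-security": "max-age=31536000"})}

if __name__ == "__main__":
    print(audit(H, get=BROKEN.__getitem__))
    print(audit(H, get=FIXED.__getitem__))
```

Calling audit() with only a host name uses fetch() and makes three live requests against that host.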
Mixed content — how to find and fix insecure resources
Mixed content is the most common reason a freshly installed SSL certificate still does not show a padlock. The HTTPS page works, but it loads at least one image, script or stylesheet over plain HTTP — and modern browsers either block the resource or downgrade the security indicator.
Three reliable ways to find every insecure resource:
- Browser DevTools — F12 → Console tab. Mixed content warnings show the exact URL.
- WhyNoPadlock.com — Free online tool that scans every URL on a page and lists insecure ones.
- Better Search Replace — WordPress plugin to mass-replace http://yoursite.com → https://yoursite.com in the database (handles serialized data correctly).
- CSP report-only — Set Content-Security-Policy: upgrade-insecure-requests as a temporary safety net while cleaning up.
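As an added example (not part of the original page or any of the tools listed), the sketch below shows what a mixed content scan has to distinguish: subresources fetched over http:// count, while ordinary links, canonical hints, relative URLs and protocol-relative URLs do not. The page URL, the sample HTML and the names used are constructed for the illustration, and only a handful of common tags are covered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# "blocked" = scripts, stylesheets, frames; "display" = images and media.
BLOCKED = {("script", "src"), ("iframe", "src"), ("link", "href")}
DISPLAY = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are checked; rel=canonical is never fetched
        for name, value in attrs.items():
            if (tag, name) in BLOCKED:
                severity = "blocked"
            elif (tag, name) in DISPLAY:
                severity = "display"
            else:
                continue  # <a href> and the like: navigation, not mixed content
            # Relative and protocol-relative URLs inherit the page's scheme.
            url = urljoin(self.page_url, value or "")
            if urlparse(url).scheme == "http":
                self.findings.append((severity, tag, url))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from a real site).
SAMPLE = """<head>
<link rel="canonical" href="http://shop.example.com/">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<a href="http://partner.example.org/">Partner</a>
<img src="http://shop.example.com/img/logo.png">
<img src="/img/banner.png">
<script src="http://cdn.example.com/legacy.js"></script>
</body>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://shop.example.com/", SAMPLE):
        print(*finding)
```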
Frequently asked questions about SSL certificates
How much does an SSL certificate cost?
A Let's Encrypt SSL certificate is free and included on all our hosting plans. Commercial DV certificates start around 500 SEK/year, OV around 1 500 SEK/year and EV from 4 000 SEK/year. Installation from us starts at 995 SEK as a one-time fee for external hosting.
Why does my browser show "Not secure" even with an SSL certificate installed?
The most common causes are: an expired certificate, a domain mismatch, a missing intermediate chain, or mixed content (the page loads at least one resource over plain HTTP). Run your domain through SSL Labs to identify the exact cause.
How long does it take to install an SSL certificate?
Let's Encrypt with DNS validation usually takes 5–15 minutes. A commercial DV certificate takes 1–4 hours including domain validation. OV/EV certificates can take 1–5 business days because the issuing CA verifies the organization manually.
Will switching to HTTPS hurt my SEO?
No — quite the opposite. Google has confirmed HTTPS as a ranking signal since 2014. The only short-term risk is forgetting 301 redirects from http:// to https://, which we always set up as part of the SSL installation.
Do I need a wildcard SSL certificate?
You need a wildcard (*.example.com) if you have many subdomains (shop., blog., app., api. etc.) and want a single certificate covering all of them. For 1–3 subdomains a Multi-domain (SAN) certificate or separate Let's Encrypt certificates are usually cheaper.
What happens if my SSL certificate expires?
Browsers immediately show a full-screen warning ("Your connection is not private") and block visitors from reaching the site. E-commerce sites stop converting, login forms break and email clients refuse to connect. We monitor expiry dates and renew automatically before that happens.
SSL certificate problems? We fix them.
Contact us for fast SSL troubleshooting, installation and migration. Swedish IT experts since 2002.