It can be frustrating when visitors to your site see a “Could not establish trust relationship for the SSL/TLS secure channel with authority” error. Plus, it creates a poor User Experience (UX).
While there are ways to bypass this message, such as setting new system-wide settings, these methods can expose your website to security risks. Fortunately, you can solve the error message quickly and make your pages accessible to all visitors.
Typically, the solution to the issue depends on the root cause. For instance, you might need to add your website’s SSL certificate to the trusted store on your computer. Other times, it can be as simple as updating your browser.
In this post, we’ll introduce you to the error message: “Could not establish trust relationship for the SSL/TLS secure channel with authority”. Then, we’ll discuss some common causes of the issue and show you how to fix them. Let’s get started!
An Introduction to the “Could Not Establish Trust Relationship” Error
You might see many errors on your website, some more problematic than others. For instance, a “Connection is not private” error is pretty simple to resolve. However, database connection errors and secure connection errors typically require more troubleshooting.
The “Could not establish trust relationship for the SSL/TLS secure channel with authority” error means your browser doesn’t trust the website. The most common reason is that the browser cannot verify the site’s SSL certificate, meaning that it can’t confirm its identity.
With this error, a secure, encrypted connection can’t be established with the server. Therefore, your browser may warn you against visiting the site.
As a visitor, it can be frustrating when you see this error because you can’t access the content you require. On the flip side, the error message on your own site can hurt your business’s reputation by making it look untrustworthy and unreliable. Visitors might even think that you don’t value their security.
An Overview of SSL and TLS
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt data and authenticate secure connections.
However, there are differences between SSL and TLS. Most significantly, TLS is the more recent successor to SSL, which means that it fixes some vulnerabilities in the earlier SSL protocols.
As we mentioned earlier, SSL is necessary to secure data on your website. When a visitor tries to access your site, their browser will verify whether your SSL certificate is valid. If so, an encrypted connection is created between the visitor’s browser and your server, enabling the safe transmission of data such as personal or payment details.
Furthermore, there are different types of SSL certificates you can install. For instance, a single-domain certificate will cover one website.
Meanwhile, a wildcard certificate secures a single domain and any related subdomains. However, a multi-domain wildcard certificate is the better choice if you have various websites with numerous subdomains.
Most quality hosting providers will offer free SSL certificates with their plans. You might simply need to contact your provider and ask them to activate SSL for you.
For example, you can get a free SSL certificate with Kinsta thanks to our Cloudflare integration, which even supports wildcard domains. All you need to do is purchase a hosting package, such as managed WordPress hosting.
Your site can then benefit from our speed-oriented infrastructure, firewall protection, and our free APM tool, built straight into the MyKinsta dashboard.
Otherwise, you can purchase a custom SSL certificate from a trusted certificate authority such as Comodo or DigiCert:
Then, you’ll need to install your SSL certificate and verify that it’s working correctly. If you’ve obtained your certificate from anywhere other than your hosting provider, you can also transfer your certificate from another server.
Common Causes of the “Could Not Establish Trust Relationship for the SSL/TLS Secure Channel with Authority” Error Message
Here are the main causes of the “Could not establish trust relationship for the SSL/TLS Secure Channel with Authority” message:
- Self-signed certificates: These certificates are often generated for free. However, they don’t provide as much trust as commercial certificates.
- Expired certificates: Most SSL certificates are only valid for a year. Therefore, you’ll need to renew your certificate as it nears its expiration date.
- Certificates not signed by a trusted Certificate Authority (CA): Like self-signed certificates, a lesser-known certificate provider might not be trusted by every browser.
- Free SSL certificates: There are a few free CAs, but sometimes their root certificates must be manually imported into your browser to clear the error.
- Certificates that are missing a chain/intermediate certificate: Most trusted certificates need at least one other chain/intermediate certificate installed alongside them to link your SSL certificate to a trusted source. However, whether a missing intermediate triggers the error depends on the browser you use. For example, Internet Explorer can automatically download intermediate certificates, but Mozilla Firefox can’t.
The “Could not establish trust relationship” error often signifies that your SSL certificate is invalid. Therefore, you might consider conducting a quick SSL check.
Qualys SSL Labs is completely free and enables you to verify your certificate easily. Simply enter your domain name into the Hostname field and click on Submit:
Qualys will take a moment to scan your site’s SSL/TLS configuration on your web server. Then, you’ll be given a server rating between A and F. What’s more, you can view an explanation of errors and warnings and find out how to fix them.
Usually, you can find ways to bypass the “Could not establish trust relationship for the SSL/TLS secure channel with authority” error. However, this isn’t always the safest option for your site since it can expose you to security threats. That’s why we recommend learning how to solve the issue by addressing the root cause.
How To Fix the Could Not Establish Trust Relationship Error (In 3 Steps)
Now that you know the common causes of the “Could not establish trust relationship for the SSL/TLS Secure Channel with Authority” error, let’s discuss three steps to solve it!
Step 1: Check the Certificate Errors
Firstly, you’ll need to find the cause of the error. This process will differ depending on the browser you’re using to access the website.
For instance, in Safari, you can click on Show Details to find out what’s behind the warning message. Then, you can proceed to the website or view its certificate:
If you select the latter option, you will sometimes see the root cause of the issue. For example, the certificate details may show that the website is using a self-signed certificate that hasn’t been verified by a third party.
However, in Chrome, this process is slightly different. Instead, you’ll head to the Not Secure warning in the search bar:
Click on the warning message to identify the general issue (although you likely won’t find the root cause at this stage). Here, you can simply see that the website’s certificate is not valid:
If you click on Certificate is not valid, a popup will appear where you can find out more details about the error. For instance, you can see the issue and expiry dates, as well as find the CA that verified the certificate.
For example, the popup may show that the SSL certificate has expired.
If you switch to the Details tab, you can view the certificate’s serial number, the signature algorithm, and the public key information.
Whichever browser you’re using, it’s essential to identify the error’s root cause before moving on to the next step. Otherwise, you might waste your time on ineffective troubleshooting methods.
Step 2: Try General Troubleshooting Tips
Before tackling the error with more specific measures, we recommend trying some general troubleshooting tips first. It’s easy to overlook simple things that you might not realize are affecting your browser or system. In fact, there are some easy ways to fix error messages on various browsers and platforms.
For example, you can check that the date and time on your system are correct. If your settings aren’t right, they could cause a perfectly valid SSL certificate to be rendered invalid on your device.
On Mac, you’ll need to head to your System Preferences and then select Date & Time:
To make any changes, you can hit the lock icon at the bottom of the popup:
You can either select your time zone using a map or manually input the correct information on this page.
Another common issue is that your browser or system has not been updated. Running old software can cause glitches. Plus, it can make your site more vulnerable to security breaches.
To check whether your Mac is up-to-date, visit System Preferences. Then, click on Software Update:
You can also check that your browser is up-to-date. You can find this information in Google Chrome by clicking on the three dots within your browser. Then, hover over Help to access the dropdown menu and click on About Google Chrome:
Chrome will automatically start checking for updates:
Then, relaunch the browser to conclude the update. Remember that this process will be slightly different if you’re working with a browser other than Chrome.
Step 3: Identify the Best Solution for Your Error
The resolution to your error will depend on the cause you identified in the first step of this tutorial. Here are four common scenarios!
Your Domain Name Doesn’t Match the Name on the Certificate
Typically, this occurs when the common name on the SSL certificate doesn’t match the domain/URL in your browser’s search bar. You can find the common name (hostname) of the certificate by viewing the certificate and expanding the Details section:
Under Common Name, verify that the name matches the URL that you use to visit the website. Sometimes, it can be as simple as missing the “www”.
Many websites include their domain names both with and without “www” so that browsers don’t penalize users who type the address differently. However, you’ll need a certificate that accommodates multiple domains.
If you find a disparity between the names and currently have a single-domain SSL certificate, you’ll need to get a new certificate issued. However, if you have a multi-domain certificate, you can add/remove Subject Alternative Names (SANs) to your certificate.
Your Certificate Has Expired
If you’re using an expired certificate, your visitors and website are more vulnerable to attacks. In fact, a hacker can take advantage of this situation by impersonating your site and stealing from visitors who land on it.
Therefore, if you find that your SSL certificate has expired, you’ll need to install a valid certificate to preserve authenticity and trust on your site. We also recommend setting up a future reminder to renew the certificate before it expires.
Your Certificate Root Authority Can’t Be Trusted
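If the certificate authority can’t be trusted, you’ll need to add the certificate to the trusted store in your browser. Only do this for a certificate whose origin you have verified, because your system will then accept it without further warnings.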
In Safari, you can do this for each website by clicking on View the certificate. Then expand the Trust section in the popup and scroll down to the part that reads When using this certificate:
Here, use the dropdown box to select Always Trust.
You can also modify all the certificates on your Mac system by clicking on the question mark icon in this popup. Then, hit Open Keychain Access for me:
Under System Roots, navigate to Certificates:
Here, you can view your certificates and manage the trust settings by right-clicking on the relevant certificate and selecting Get Info.
If you’re using Windows, head to the search menu and type in “mmc” to open Microsoft Management Console. Next, head to File > Add/Remove Snap-in:
Select Certificates and then click on Add:
Check the box for Computer account and then hit Next. In the following popup, choose Local computer and then click on Finish:
On the next screen, click on OK to exit.
Now, double-click on Certificates and find Trusted Root Certification Authorities. Right-click here, then hover over All Tasks and select Import:
This will open the Certificate Import Wizard. Click on Next, and then you can type in the filename you want to import or find the certificate on your computer:
To finish adding an SSL certificate to the trusted root certification authorities on your computer, simply hit Next.
You’re Using a Self-Signed Certificate
A self-signed certificate is not signed by a CA. There are certain scenarios when it makes sense to use a self-signed certificate, such as during the software development phases.
However, it can also cause security and trust issues with browsers since it hasn’t been verified by a trusted authority. Additionally, self-signed certificates can’t be revoked, which puts your website and users at greater risk. When a CA-signed certificate is compromised, the certificate can be revoked by the CA to prevent further use.
If you’re using a self-signed certificate (not for testing or internal purposes), you’re likely blocking at least some traffic from accessing your website. The only way to make your site available and safe to all internet users is to get a new certificate issued from a trusted CA.
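The scenarios above (name mismatch, expiry, self-signed), plus the system clock check from Step 2, can be triaged in code. The following Python sketch is an added example, not part of the original article; it assumes the certificate has already been decoded into the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the sample certificate and CA names are constructed.

```python
import ssl

def name_matches(hostname, pattern):
    """Certificate name match: '*' may only replace the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # example.com does not cover www.example.com, and vice versa
    first_ok = pat[0] == "*" or pat[0] == host[0]
    return first_ok and host[1:] == pat[1:]

def triage(cert, hostname, now):
    """Return the problems found in a decoded certificate, in check order.

    cert: dict shaped like the result of ssl.SSLSocket.getpeercert()
    now:  seconds since the epoch; passed in so a wrong system clock can be simulated
    """
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")  # often a client clock set in the past
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback: current browsers check only SANs
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(name_matches(hostname, p) for p in names):
        problems.append("name mismatch")
    if cert["issuer"] == cert["subject"]:
        # issuer equals subject (self-issued); the signature itself is not checked here
        problems.append("self-signed")
    return problems

# Constructed sample: single-domain certificate valid for calendar year 2024.
SAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Example Test CA R1"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "example.com"),),
}

if __name__ == "__main__":
    mid_2024 = 1717200000  # 2024-06-01 00:00:00 UTC
    for host in ("example.com", "www.example.com"):
        print(host, triage(SAMPLE, host, mid_2024) or "ok")
```

Passing `now` explicitly shows why a wrong system date makes a valid certificate fail: the same certificate reports "not yet valid" or "expired" depending only on the clock value supplied.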
It can be frustrating to see the “Could not establish trust relationship for the SSL/TLS secure channel with authority” error. It blocks you from accessing the content you want since an encrypted connection can’t be established. Furthermore, as a website owner, this message can make your site look untrustworthy to visitors.
However, identifying the root cause of the error is the first step to fixing it. Perhaps your SSL certificate has expired, or maybe you’re using one that hasn’t been signed by a trusted CA. Then, you can fix the issue by getting a new certificate issued, or you might be able to add the SSL certificate to the trusted store on your computer.
One of the easiest ways to identify and resolve issues on your site is with performance monitoring tools like Kinsta APM. Our custom-designed tool captures data about your PHP processes, database queries, HTTP calls, and more. Better yet, our APM comes free with all of our plans. Check out our hosting packages today to find the right option for your website!