SSL/TLS errors explained

What each error means and how to fix it — with the exact commands to diagnose it.

CERT_HAS_EXPIRED
The certificate the server presented is past its `notAfter` date — its validity period has ended, so clients refuse to trust it.
NET::ERR_CERT_DATE_INVALID
Chrome shows this when the certificate is outside its validity window — either expired, or its `notBefore` date is in the future.
UNABLE_TO_VERIFY_LEAF_SIGNATURE
The client could not build a complete chain of trust from the server’s certificate up to a trusted root — usually because the server is not sending the intermediate certificate.
SELF_SIGNED_CERT_IN_CHAIN
A self-signed certificate appears in the presented chain and the client doesn’t trust it. With npm, Node.js, or git this is almost always a corporate TLS-intercepting proxy or a private/internal CA — not a problem with the package registry itself.
ERR_TLS_CERT_ALTNAME_INVALID
The certificate is otherwise valid, but the hostname you requested isn’t listed in its Subject Alternative Names (SANs) — so the client rejects it as a possible misdirection.
NET::ERR_CERT_AUTHORITY_INVALID
The browser doesn’t trust the certificate’s issuer — either the chain is incomplete, the CA is private, or the certificate is self-signed.
unable to get local issuer certificate
The client found the server’s certificate but couldn’t find the issuer that signed it, so it can’t reach a trusted root. Almost always either the server isn’t sending its intermediate certificate, or the client’s CA bundle is missing or out of date. curl reports it as “curl: (60) SSL certificate problem: unable to get local issuer certificate”.
x509: certificate signed by unknown authority
A Go-based program — the Docker daemon, kubelet, or your own app — couldn’t trace the server’s certificate to a CA it trusts. Either an intermediate is missing, the CA is private, or the container has no CA bundle.
ERR_SSL_PROTOCOL_ERROR
Chrome couldn’t complete the TLS handshake with the site. `ERR_SSL_PROTOCOL_ERROR` is the broad “handshake aborted or malformed” code; the related `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` means specifically that the browser and server share no protocol version or cipher. Both render the same “This site can’t provide a secure connection” page.
Secure Connection Failed
Firefox couldn’t establish a trusted TLS connection. The sub-code under “Advanced” tells you why — no shared protocol or cipher, an untrusted issuer, or an interfering proxy or antivirus. (Cipher/protocol errors show “Secure Connection Failed”; trust errors like `SEC_ERROR_UNKNOWN_ISSUER` show “Potential Security Risk Ahead”.)