Your server is presenting a self-signed certificate. Browsers and clients will show certificate warnings or refuse to connect because the certificate isn't signed by a trusted Certificate Authority.
Replace the self-signed certificate with one issued by a trusted CA. Free options include Let's Encrypt and ZeroSSL; paid options include DigiCert, Sectigo, and others.
A self-signed certificate is one that's signed with its own private key rather than by a Certificate Authority that browsers trust. Browsers can't verify the chain to a trusted root, so they treat the connection as untrusted. This is appropriate only for internal testing, not production.
Self-signed certs cause "Your connection is not private" warnings in browsers, blocking visitors. They cause TLS handshake failures in API clients, mobile apps, and email servers. They make your site appear suspicious to security tools and crawlers, hurting SEO and trust. They also fail compliance checks (PCI DSS, SOC 2, HIPAA all require trusted certificates).
A self-signed cert's subject and issuer fields are identical.
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -subject -issuer
For most websites, Let's Encrypt is the right choice — free, automated, and trusted everywhere. For wildcards or stricter validation, DigiCert/Sectigo offer paid options. Cloudflare provides free certificates if your DNS is on Cloudflare.
On a Linux server, certbot automates the issuance and renewal.
# Ubuntu/Debian:
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Auto-renew is set up automatically via systemd timer or cron.
Update Nginx, Apache, or your load balancer to point to the new certificate and key.
# Before (self-signed):
ssl_certificate /etc/ssl/self-signed.crt;
ssl_certificate_key /etc/ssl/self-signed.key;
# After (Let's Encrypt):
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
Visit your site in an incognito window — no warning should appear. Then run an SSL test to confirm the grade.
After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.
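To confirm from the command line that the server has stopped presenting the self-signed certificate, the subject/issuer comparison described earlier can be scripted. This is an added example, not part of the original page; `classify_cert` and `check_host` are hypothetical helper names, and the sample input at the end is constructed.

```shell
#!/bin/sh
# Added example: classify the output of
#   openssl x509 -noout -subject -issuer
# classify_cert and check_host are hypothetical helper names.

# Reads the subject/issuer lines on stdin and prints one of:
#   self-signed     subject and issuer are the same name
#   ca-issued       issuer differs from subject
#   no-certificate  a field is missing (for example the handshake
#                   failed, so x509 had nothing to parse)
classify_cert() {
    awk '
        # Drop the "subject=" / "issuer=" label and all whitespace so
        # spacing differences in the printed name do not affect the
        # comparison.
        function norm(s) {
            sub(/^[a-z]+= */, "", s)
            gsub(/[ \t\r]/, "", s)
            return s
        }
        /^subject=/ { subj = norm($0); have_s = 1 }
        /^issuer=/  { iss  = norm($0); have_i = 1 }
        END {
            if (!have_s || !have_i || subj == "" || iss == "")
                print "no-certificate"
            else if (subj == iss)
                print "self-signed"
            else
                print "ca-issued"
        }'
}

# Runs the openssl command from this page against host $1 (port 443)
# and classifies what the server presents. Needs network access.
check_host() {
    echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -subject -issuer 2>/dev/null | classify_cert
}

# Constructed sample output (not captured from a real server):
printf 'subject=CN = yourdomain.com\nissuer=CN = yourdomain.com\n' | classify_cert
```

A trusted root CA certificate also has identical subject and issuer fields, so apply the check to the certificate the server itself presents, which is what the command returns.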
Browsers and clients only trust certificates signed by a Certificate Authority in their trust store. A self-signed cert is signed by itself, so there's no way to verify trust without manually adding it to every client.
Only for internal tools where you control all clients (and can install the cert in their trust stores). For any public-facing service, use a CA-issued certificate — Let's Encrypt is free.
Yes. Let's Encrypt issues 90-day domain-validated certificates that are technically equivalent to paid DV certificates from Sectigo, DigiCert, etc. The shorter lifetime is intentional and secure (forces automated renewal).