Free SSL Certificate Checker
An expired or misconfigured SSL certificate breaks your website, triggers browser security warnings, and tanks your Google rankings. Worse, users see a red "Not Secure" warning and leave. Use masoSec to check your SSL certificate, TLS version and HTTPS configuration in seconds.
→ Check Your SSL Certificate Free
What does an SSL check look at?
| Check | What it verifies | Risk if it fails |
|---|---|---|
| Certificate expiry | Days until the certificate expires | Browser blocks access with hard security error |
| Certificate chain | Intermediate CAs correctly installed | "Certificate not trusted" warnings in some browsers |
| TLS version | TLS 1.2 or 1.3 (not 1.0/1.1) | Outdated protocol, fails PCI DSS compliance |
| HTTPS redirect | HTTP redirects to HTTPS | Users on HTTP see no encryption, data exposed |
| HSTS header | HTTP Strict Transport Security present | SSL stripping attacks possible |
| Mixed content | All resources loaded over HTTPS | Partial security warning, blocked resources |
What a healthy SSL check looks like
example.com — SSL / HTTPS
PASS Certificate valid — expires in 87 days (Let's Encrypt)
PASS Certificate chain complete — all intermediates installed
PASS TLS 1.3 supported — TLS 1.0/1.1 disabled
PASS HTTP redirects to HTTPS (301)
PASS HSTS header present — max-age=31536000
Common SSL failures and how to fix them
FAIL Certificate expired
Your SSL certificate has passed its expiry date. Browsers block access entirely with a hard error page — users cannot proceed. This is the most visible SSL failure.
Fix: renew your certificate immediately. With Let's Encrypt, run:
certbot renew --force-renewal
Set up auto-renewal with a cron job, or use Caddy, which renews automatically. masoSec will alert you 30 days and 7 days before expiry.
WARNING Certificate expires in less than 14 days
Your certificate is still valid but very close to expiry. Renew now — don't wait. Auto-renewal failures are common if your webserver wasn't running during the renewal attempt.
FAIL Incomplete certificate chain
Your server isn't sending the intermediate certificate(s) required to build trust to a root CA. Most browsers cache intermediates and won't show an error — but some environments (server-to-server, mobile apps, older clients) will reject the connection.
Fix: include the full chain in your certificate file. With Let's Encrypt, always use fullchain.pem, not cert.pem.
FAIL TLS 1.0 or 1.1 still enabled
TLS 1.0 and 1.1 are deprecated and vulnerable to attacks like POODLE and BEAST. Major browsers removed support in 2020. Enabling them fails PCI DSS compliance and exposes older clients to downgrade attacks.
Fix: configure your webserver to only allow TLS 1.2 and 1.3. In Nginx:
ssl_protocols TLSv1.2 TLSv1.3;
WARNING No HSTS header
Without HTTP Strict Transport Security, a network attacker can intercept the first HTTP request and strip the HTTPS redirect (SSL stripping). HSTS tells browsers to always use HTTPS for your domain.
Add this response header:
Strict-Transport-Security: max-age=31536000; includeSubDomains
FAIL HTTP does not redirect to HTTPS
Users accessing http://yourdomain.com are not being redirected to HTTPS. Their traffic is unencrypted. This also causes duplicate content SEO issues.
In Caddy, HTTPS redirect is automatic. In Nginx:
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}
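The expiry, chain and TLS-version failures above can be reproduced from a non-browser client. The Python below is an added example, not masoSec's code or output: it handshakes with the system trust store and TLS 1.2 as the minimum, then labels the remaining lifetime with this page's thresholds. The names `classify_expiry`, `check_host` and `WARN_DAYS` and the sample dates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # WARNING threshold used on this page


def classify_expiry(not_after, now):
    """Map a getpeercert() 'notAfter' string to (status, detail)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    left = expires - now
    if left.total_seconds() <= 0:
        return "FAIL", "certificate expired"
    if left.days < WARN_DAYS:
        return "WARNING", f"certificate expires in {left.days} days"
    return "PASS", f"certificate valid, expires in {left.days} days"


def check_host(host, port=443, now=None):
    """Handshake as a non-browser client: system trust store, TLS 1.2+ only."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert, version = tls.getpeercert(), tls.version()
    except ssl.SSLCertVerificationError as exc:
        # No intermediates are fetched on the server's behalf, so an incomplete
        # chain (or an already expired certificate) is rejected here.
        return [("FAIL", f"certificate verification failed: {exc.verify_message}")]
    except ssl.SSLError as exc:
        # e.g. the server only offers TLS 1.0/1.1
        return [("FAIL", f"TLS handshake failed: {exc.reason}")]
    now = now or datetime.now(timezone.utc)
    return [("PASS", f"negotiated {version}"), classify_expiry(cert["notAfter"], now)]


if __name__ == "__main__":
    # Constructed sample values, evaluated offline.
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    for not_after in ("Aug 27 12:00:00 2025 GMT", "Jun 10 12:00:00 2025 GMT",
                      "May 31 12:00:00 2025 GMT"):
        print(*classify_expiry(not_after, now))
```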
SSL certificate types explained
| Type | What it covers | Best for |
|---|---|---|
| DV (Domain Validated) | Domain ownership only | Most websites — Let's Encrypt is free DV |
| OV (Organization Validated) | Domain + organization identity checked | Business sites, SaaS |
| EV (Extended Validation) | Full legal identity verification | Banks, payment pages (green bar is deprecated in Chrome) |
| Wildcard | Domain + all subdomains (*.example.com) | Multi-subdomain setups |
| Multi-domain (SAN) | Multiple different domains in one cert | Multiple sites on one server |
Monitor SSL expiry automatically
The most common cause of SSL outages is auto-renewal failing silently — you don't notice until the certificate expires and your website goes down. masoSec monitors your SSL certificate daily and alerts you 30 days, 14 days and 7 days before expiry.
→ Start Free SSL Monitoring
Frequently asked questions
How do I get a free SSL certificate?
Let's Encrypt issues free 90-day DV certificates. Use Certbot with your webserver, or use Caddy, which handles Let's Encrypt automatically with zero configuration.
Does HTTPS affect SEO?
Yes. Google confirmed HTTPS as a ranking signal in 2014 and has since strengthened this. Sites without HTTPS or with mixed content receive a ranking penalty. Chrome also marks HTTP sites as "Not Secure", which increases bounce rate.
What is certificate transparency?
All publicly trusted certificates are logged to public Certificate Transparency (CT) logs. This allows you to monitor whether any unauthorized certificates have been issued for your domain.