Oh Dear reports an invalid certificate, but my site loads fine. Why?
When the certificate health check reports a problem but your browser opens the site without warnings, it's almost always one of a handful of causes. (New to certificates? "What are SSL/TLS certificates and why do I need them?" gives the background.)
1. Incomplete certificate chain
Browsers often have the issuing intermediate certificate cached from another site you visited earlier. When they see an incomplete chain on yours, they reuse the cached intermediate and everything looks fine. But a fresh TLS client (including ours, and crucially, including mobile apps and cloud APIs that don't cache) fails.
How to check: paste your URL into SSL Labs' Server Test and look at "Chain issues". If it says "Incomplete", fix your server's TLS configuration to serve the full chain (leaf + intermediate certificates).
2. Self-signed or internal CA certificate
Internal tools, staging servers, or IoT devices sometimes use self-signed certs or certs from an internal CA. Your browser trusts them because your machine has the internal root cert installed. Oh Dear's checker is a clean machine and doesn't.
How to handle it: if the cert genuinely is supposed to be self-signed, disable the Certificate Health check for that monitor, since it'll never pass.
3. Expired intermediate certificate
Even if your leaf certificate is valid, an expired intermediate in the chain will break the trust path. Some browsers handle this gracefully (they use their own cache of newer intermediates); strict clients don't.
How to check: SSL Labs highlights expired chain elements in red.
4. Wrong certificate for the hostname
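If your server serves multiple sites and picks the wrong certificate for the requested hostname, we'll get a cert for a different domain. The server selects the certificate during the TLS handshake, based on the SNI name the client sends, before any HTTP Host header arrives. This happens with misconfigured SNI or when a wildcard cert isn't applied to a specific subdomain.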
How to check: use openssl s_client -connect yoursite.com:443 -servername yoursite.com and look at the returned certificate's Common Name and Subject Alternative Names.
5. Revoked certificate
Rare but possible. A revoked cert may still be served but no longer trusted by validators. SSL Labs or your browser's certificate viewer will mention revocation status.
6. TLS version or cipher mismatch
Very old servers still on TLS 1.0 / 1.1 don't connect cleanly to modern clients. Oh Dear uses modern TLS defaults and rejects insecure protocols.
How to fix: upgrade to TLS 1.2 at minimum, ideally 1.3.
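Most of the causes above can be told apart by the error a fresh client receives. The sketch below is an added example, not Oh Dear's checker: it uses Python's standard ssl module, which does not cache or fetch missing intermediates, and the names classify, diagnose and CAUSES are made up for this illustration.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* verify codes mapped to the numbered causes on this page.
CAUSES = {
    20: "1 or 2: issuer certificate not found (missing intermediate or untrusted CA)",
    21: "1 or 2: issuer certificate not found (missing intermediate or untrusted CA)",
    18: "2: self-signed leaf certificate",
    19: "2: chain ends in a self-signed root this machine does not trust",
    10: "3: a certificate in the chain has expired (leaf or intermediate)",
    62: "4: certificate does not cover the requested hostname",
}


def classify(exc):
    """Turn a handshake exception into one of the causes listed above."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        return CAUSES.get(code, f"other verification failure (code {code})")
    if isinstance(exc, ssl.SSLError):
        # Not a certificate problem: protocol or cipher negotiation failed.
        reason = getattr(exc, "reason", None)
        return f"6: TLS handshake failed before verification ({reason})"
    return f"connection problem, not TLS: {exc!r}"


def diagnose(host, port=443, timeout=10.0):
    """Handshake like a fresh client: system roots only, no intermediate cache."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # reject TLS 1.0 / 1.1
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname sends SNI and is the name the cert must match.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok: chain and hostname verified over {tls.version()}"
    except (ssl.SSLError, OSError) as exc:
        return classify(exc)


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, "->", diagnose(name))
```

Revocation (cause 5) is not covered here, because Python's default context does not check revocation status.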
Still unclear?
If none of the above apply, contact support with the monitor URL and the exact error message from the Oh Dear report. We can pull the TLS handshake details from our checker and usually identify the cause within a minute or two.