SSL & SECURITY
Jun 24, 2026

How to Fix “Your Connection Is Not Private” SSL Errors

9 min read
Author
CloudStick Team
DevOps Engineer

What Actually Causes This Error

Chrome's “Your connection is not private” (error code NET::ERR_CERT_*) and Firefox's “Warning: Potential Security Risk Ahead” both mean the browser could not verify the site's SSL certificate. There are four root causes, each with a different fix:

ERR_CERT_DATE_INVALID — Certificate expired (most common). Fix: renew the certificate.
ERR_CERT_COMMON_NAME_INVALID — Domain name mismatch. Fix: issue cert for the correct domain.
ERR_CERT_AUTHORITY_INVALID — Untrusted or self-signed CA. Fix: use a public CA or install the full chain.
ERR_CERT_WEAK_SIGNATURE_ALGORITHM — SHA-1 cert (legacy). Fix: reissue with SHA-256.

Check Your Certificate from the Command Line

Before attempting any fix, check what certificate is actually being served. This tells you the exact error type, expiry date, and whether the full chain is present:

# Check cert details and expiry
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates
# Output tells you:
# subject: CN = yourdomain.com ← domain the cert covers
# issuer: O = Let's Encrypt ← certificate authority
# notBefore: May 10 00:00:00 2026 ← valid from
# notAfter: Aug 8 23:59:59 2026 ← expires on
# Check if the full chain is included. "openssl x509" only parses the first certificate
# the server sends, so ask s_client to print every certificate and count them instead
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts < /dev/null 2>/dev/null \
| grep -c "BEGIN CERTIFICATE"
# 1 = leaf only (intermediate missing); 2 or more = leaf plus intermediate(s)

Fix an Expired Certificate

An expired certificate is the most common cause. For Let's Encrypt certificates managed by Certbot, renewal is a single command:

# Force-renew a specific certificate immediately
sudo certbot renew --force-renewal --cert-name yourdomain.com
# Reload Nginx to pick up the new certificate
sudo systemctl reload nginx
# Verify the new expiry date
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null 2>/dev/null \
| openssl x509 -noout -dates
WARNING: Let's Encrypt rate-limits issuance through Certbot: 5 certificates per domain per week. Use --dry-run to test without consuming a rate-limit slot. The --force-renewal flag bypasses Certbot's 30-day renewal window but still counts against the rate limit.

Fix a Hostname Mismatch

A hostname mismatch (ERR_CERT_COMMON_NAME_INVALID) means the certificate was issued for a different domain than the one being visited. Common triggers: visiting with www. when the cert only covers the apex, or the reverse. Check whether the cert covers both variants:

# List all domains (SANs) covered by the certificate
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null 2>/dev/null \
| openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
# Re-issue to include both apex and www
sudo certbot certonly --webroot -w /var/www/html \
-d yourdomain.com -d www.yourdomain.com --force-renewal

Fix an Untrusted CA or Incomplete Chain

If the error is ERR_CERT_AUTHORITY_INVALID and you're using Let's Encrypt (a trusted CA), the most likely cause is a missing intermediate certificate in your Nginx config. Your Nginx ssl_certificate directive should point to fullchain.pem, not just cert.pem:

# WRONG — missing intermediate certificate
ssl_certificate /etc/letsencrypt/live/yourdomain.com/cert.pem;
# CORRECT — includes full chain (leaf + intermediates)
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# Reload after fixing the path
sudo nginx -t && sudo systemctl reload nginx
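The manual checks above (reading the verify result from openssl s_client, and confirming whether the server sends the intermediate) can be folded into one script. This is an added example, not part of the article or of CloudStick's tooling; it assumes openssl is installed and maps OpenSSL's X509_V_ERR_* verify codes to the Chrome error names listed at the top of the article. The sample transcript inside it is constructed, not captured from a real server.

```sh
#!/bin/sh
# Classify an openssl s_client transcript into the Chrome error the browser would show,
# and count how many certificates the server sent (1 = leaf only, i.e. cert.pem
# rather than fullchain.pem in the Nginx config).

# Map OpenSSL's "Verify return code" (X509_V_ERR_* numbers) to the Chrome error name.
classify_verify_code() {
    case "$1" in
        0)           echo "OK" ;;
        9|10)        echo "ERR_CERT_DATE_INVALID" ;;         # not yet valid / expired
        62)          echo "ERR_CERT_COMMON_NAME_INVALID" ;;  # hostname mismatch (needs -verify_hostname)
        18|19|20|21) echo "ERR_CERT_AUTHORITY_INVALID" ;;    # self-signed, unknown issuer, or no chain
        *)           echo "UNKNOWN_X509_V_ERR_$1" ;;
    esac
}

# Read an s_client transcript on stdin; print "<error> certs_served=<n>[ hint=...]".
classify_transcript() {
    transcript=$(cat)
    code=$(printf '%s\n' "$transcript" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$code" ] || code=unparsed
    served=$(printf '%s\n' "$transcript" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    result="$(classify_verify_code "$code") certs_served=$served"
    # One certificate plus an issuer-related failure almost always means the server
    # is serving cert.pem instead of fullchain.pem.
    if [ "$served" -eq 1 ] && { [ "$code" = 20 ] || [ "$code" = 21 ]; }; then
        result="$result hint=missing-intermediate"
    fi
    echo "$result"
}

# Connect to a live host. -showcerts exposes the chain and -verify_hostname makes
# OpenSSL check the SAN list, so a hostname mismatch is reported as code 62.
sslcheck() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -verify_hostname "$host" \
        -showcerts < /dev/null 2>/dev/null | classify_transcript
}

# Constructed transcript (trimmed, not from a real server): leaf only, issuer unknown.
sample_transcript_leaf_only() {
    printf '%s\n' \
        'depth=0 CN = yourdomain.com' \
        'verify error:num=20:unable to get local issuer certificate' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIB...constructed-placeholder...' \
        '-----END CERTIFICATE-----' \
        '    Verify return code: 20 (unable to get local issuer certificate)'
}

if [ $# -gt 0 ]; then
    sslcheck "$1"
fi
```

Run it as `sh sslcheck.sh yourdomain.com`; a result of `ERR_CERT_AUTHORITY_INVALID certs_served=1 hint=missing-intermediate` points straight at the ssl_certificate path fix above.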

CloudStick SSL Troubleshooting

When you provision or renew SSL through CloudStick, the platform always writes fullchain.pem to the Nginx configuration, so incomplete-chain errors don't occur. If you're seeing a certificate error on a CloudStick-managed site, the most likely causes are: the certificate was issued while DNS was pointing elsewhere (causing the ACME challenge to fail silently), or the domain was added to the site after the certificate was issued and doesn't appear in the SAN list. In both cases, navigate to the SSL section of the website in your CloudStick dashboard and click “Re-issue Certificate” to trigger a fresh issuance.
