Potential Risks of Using Self-Signed SSL Certificates

A reader reported receiving a message in Google Search Console about a self-signed SSL certificate. Google has been sending warnings about this for years. A self-signed SSL certificate is one that the server issues and signs for itself, rather than one issued by a certificate authority (Comodo, DigiCert, etc.). Because no trusted third party vouches for it, such a certificate can trigger security warnings in browsers, potentially affecting site traffic.

How to Check SSL Certificate Status

You can monitor and check your SSL certificate through Google’s Certificate Transparency Project tool. The Qualys SSL Labs page is also a comprehensive tool for checking SSL certificate status.

If your certificate is indeed self-signed, consider obtaining a trusted SSL certificate. For more information, read about the types of SSL certificates your website may need and how to move a WordPress website from HTTP to HTTPS.

Some Warnings are False Positives

Some publishers have received these messages in error, known as false positives. An example from Google’s Webmaster Central Help Forum illustrates this. A member received a self-signed certificate message even though his site's certificate was not self-signed. The cause was a timing issue while switching certificate providers: Google scanned the site at the wrong moment.

![False Positive SSL](Image Placeholder)

Here is what the publisher who received the notice stated:

“When I updated the certificate and rebooted the AWS VM, I had a grub error, and the VM did not restart. This is a known random quirk of this particular VM, and the recovery process is to launch a new VM and restore from backup. For a 5-minute period before I remembered to block the public firewall while I rebuilt the server, the nascent VM was live using the VM’s default self-signed certificate. When I opened up the firewall again, the server was operating with an up-to-date Comodo certificate. It is possible that, during that brief window, Googlebot might have polled the site… a coincidence but possible…”

In another false positive report from June 20th, 2018, a member reported receiving the self-signed certificate message even though their site had a valid certificate from GoDaddy.

![Self-signed SSL Certificate Warning](Image Placeholder)

A member responded that it was likely an error and recommended ignoring Google’s warning.

Here is the explanation of why it was a false positive:

“This is due to the fact the server setup requires a browser to support SNI (Server Name Indication) to get the right certificate. Pretty much all modern browsers do, although there might be a small number of users with outdated versions that don’t. The automated test doesn’t support it, so it gets the wrong, generic cert for the server. The main googlebot supports it just fine though, so you are fine to disregard this if you are not worried about those few users.”
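The SNI explanation quoted above can be checked from the command line. The following is an added example, not code from the forum thread or from Google: it performs one TLS handshake with SNI and one without, and compares OpenSSL's verification results. The function names `probe` and `classify` are hypothetical, and the hostname is supplied by whoever runs the script.

```python
import socket
import ssl
import sys

# OpenSSL verify codes: 18 = self-signed leaf, 19 = self-signed cert in the chain.
SELF_SIGNED_CODES = {18, 19}

def probe(host, port=443, send_sni=True, timeout=5.0):
    """Handshake once; return 0 if verification passes, else OpenSSL's verify code."""
    ctx = ssl.create_default_context()
    if not send_sni:
        # Omitting server_hostname sends no SNI, so only the chain is checked here;
        # the name on the default certificate is not matched against `host`.
        ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host if send_sni else None):
                return 0
    except ssl.SSLCertVerificationError as err:
        return err.verify_code

def classify(sni_code, no_sni_code):
    """Turn the two verify codes into a diagnosis for the Search Console warning."""
    if sni_code in SELF_SIGNED_CODES:
        return "self-signed certificate served to SNI clients: replace it"
    if sni_code != 0:
        return f"certificate rejected with SNI (verify code {sni_code}): fix the install"
    if no_sni_code in SELF_SIGNED_CODES:
        return "valid with SNI, self-signed default without: warning is SNI-related"
    if no_sni_code != 0:
        return f"valid with SNI, default certificate rejected (verify code {no_sni_code})"
    return "chain verifies with and without SNI"

if __name__ == "__main__" and len(sys.argv) > 1:
    target = sys.argv[1]  # hostname to check, supplied by the operator
    print(classify(probe(target), probe(target, send_sni=False)))
```

A server that refuses handshakes without SNI raises a plain `ssl.SSLError` instead of returning a verify code; that also means clients without SNI support cannot reach the site over HTTPS.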

Misconfigured SSL Certificates

Diagnosing SSL certificate issues can be challenging. For one of my own websites, I encountered certificate issues due to a secondary certificate not being properly installed.

There are instances of Let’s Encrypt certificates triggering self-signed warnings. I found one in a closed and private Facebook Group. Other members were unable to diagnose the reason, so a different certificate was purchased.

![Let’s Encrypt Certificate Misconfigured](Image Placeholder)

In another case discussed on Let’s Encrypt’s forums, the self-signed certificate message was traced to a technical issue in how a dedicated server assigns certificates to the multiple sites hosted on it.

Takeaway on Self-Signed SSL Certificate Warnings

If you are relying on a self-signed SSL certificate, consider obtaining an SSL certificate from a trusted certificate authority. If you are using a trusted certificate authority and receive a warning from Google about a self-signed SSL certificate, you may wish to troubleshoot why you received this error. In some cases, the error message is received because of a misconfiguration; in others, it is a false positive.

Images by Shutterstock, modified by Author
Screenshots by author
