How do I fix SSL_ERROR_BAD_CERT_DOMAIN error for my email click tracking domain?

Summary

The SSL_ERROR_BAD_CERT_DOMAIN error for email click tracking domains stems from various causes related to SSL certificate configuration and domain setup. Common issues include a mismatch between the domain name on the certificate and the actual domain, often due to missing subdomains in the Subject Alternative Name (SAN) list, expired certificates, or the absence of SSL altogether on the click tracking domain. Problems with the certificate chain, CDN configurations, shared hosting limitations, DNS propagation delays, mixed content (HTTP resources on an HTTPS site), and incorrect entries in the hosts file can also trigger the error. Cloudflare's Flexible SSL setting may contribute, as it only encrypts traffic between the visitor and Cloudflare. Incorrect redirect configurations and Server Name Indication (SNI) issues can also be the cause. While the error doesn't directly impact email deliverability, it lowers click-through rates (CTR). To resolve the issue, ensure SSL is properly implemented, check the certificate details, verify the CDN and server configuration, and confirm that all resources are loaded over HTTPS. Contacting the ESP or hosting provider, or switching to a different hosting provider, may be necessary.

Key findings

  • SSL Missing or Misconfigured: The click tracking domain either lacks SSL entirely, or SSL is misconfigured, causing a mismatch between the certificate and the domain.
  • Certificate Problems: Expired certificates, missing subdomains in SAN, and incomplete certificate chains are frequent causes.
  • Infrastructure Issues: CDN configurations, shared hosting limitations, DNS propagation delays, and incorrect hosts file entries can lead to the error.
  • Cloudflare Incompatibilities: Cloudflare's Flexible SSL setting can lead to SSL errors due to incomplete encryption.
  • SNI Configuration: Incorrect SNI configuration, which may be presenting the wrong certificate, can cause the error.
  • Browser caching: Clearing the browser cache may resolve the issue.

Key considerations

  • Implement/Verify SSL: Ensure SSL is properly implemented for the click tracking domain and that the certificate is valid and up-to-date.
  • Check Certificate Details: Use online SSL checker tools to verify the certificate's validity, covered domain names, and issuer.
  • Review ESP/Hosting Support: Consult the ESP's or hosting provider's documentation or support to understand SSL support and potential limitations.
  • Correct Infrastructure Configuration: Properly configure CDNs, DNS settings, and ensure that all resources are loaded over HTTPS.
  • Use Appropriate Cloudflare Setting: If using Cloudflare, opt for Full or Strict SSL settings for end-to-end encryption.
  • Address Mixed Content: Ensure all resources load over HTTPS, as loading resources over HTTP can cause issues.
  • Address SNI Configuration: Ensure SNI is properly configured on the server.
  • Inspect the local hosts file: Check the hosts file to ensure there are no incorrect or outdated entries for the domain.

What email marketers say
11 marketer opinions

The SSL_ERROR_BAD_CERT_DOMAIN error for email click tracking domains arises from various SSL certificate and domain configuration issues. Common causes include expired certificates, domain name mismatches in the certificate, missing subdomains in the Subject Alternative Name (SAN) list, and incorrect certificate chains. Problems with Content Delivery Networks (CDNs), shared hosting SSL limitations, DNS propagation delays after certificate installation, mixed content (HTTP resources on an HTTPS site), and incorrect entries in the hosts file can also trigger this error. Misconfigured redirects and Server Name Indication (SNI) issues can also contribute to the problem. Troubleshooting involves checking certificate details, ensuring proper CDN and server configuration, verifying DNS settings, and confirming that all resources are loaded over HTTPS. Consulting the ESP's support resources or getting a dedicated SSL certificate might also be required.

Key opinions

  • Certificate Mismatch: The SSL certificate doesn't match the domain name or subdomain of the click tracking link.
  • Expired Certificate: The SSL certificate for the click tracking domain has expired.
  • CDN Issues: Incorrect CDN configuration, particularly regarding SSL settings and origin server setup, can cause the error.
  • Shared Hosting Limitations: Shared hosting SSL certificates may not cover specific subdomains used for click tracking.
  • Mixed Content: Loading resources over HTTP on an HTTPS site can trigger the error.
  • DNS Propagation: DNS propagation delays after installing a new certificate can cause temporary errors.
  • SNI Configuration: Incorrect SNI configuration, which may be presenting the wrong certificate, can cause the error.

Key considerations

  • Check Certificate Details: Use online SSL checker tools to verify the certificate's validity, covered domain names, and issuer.
  • Review ESP Support: Consult the ESP's support documentation or contact their support team to understand their SSL support for click tracking domains.
  • Ensure Proper CDN Setup: If using a CDN, verify that it's correctly configured to handle SSL certificates and forward requests to the origin server.
  • Update all links to HTTPS: Check that all links within an email use HTTPS instead of HTTP.
  • Examine Redirects: Incorrect redirect configurations can trigger this error.
  • Verify DNS settings: Confirm that all DNS settings are configured correctly and have fully propagated.
  • Host file check: Check the hosts file to ensure there are no incorrect or outdated entries for the domain.
Marketer view

Email marketer from Namecheap Forum explains that on shared hosting, the SSL certificate may not cover the specific subdomain. This can lead to a mismatch error. He recommends contacting the hosting provider to get a dedicated SSL certificate for the subdomain or using a wildcard certificate.

December 2023 - Namecheap Forum
Marketer view

Email marketer from Email Geeks suggests checking the ESP's support articles to determine if they support SSL on tracking domains. If not, a reroute through a domain host that supports SSL may be necessary.

November 2022 - Email Geeks
Marketer view

Email marketer from Webmaster World Forum suggests that the error may arise if a Content Delivery Network (CDN) is used. Ensure the CDN configuration matches the SSL certificate and the origin server is correctly configured.

September 2024 - Webmaster World Forum
Marketer view

Email marketer from Quora suggests that if a new SSL certificate has been installed, DNS propagation delays might cause the error temporarily. It takes time for DNS changes to propagate across the internet. They advise waiting for the DNS changes to fully propagate before accessing the site.

March 2022 - Quora
Marketer view

Email marketer from Stack Overflow responds that an SSL_ERROR_BAD_CERT_DOMAIN error could be caused by an expired SSL certificate. It is best to check the certificate details (expiration date) and, if it has expired, renew it with the certificate authority.

May 2023 - Stack Overflow
Marketer view

Email marketer from Super User explains that if the hosts file has incorrect entries that point the domain to the wrong IP address, it can result in an SSL_ERROR_BAD_CERT_DOMAIN error. The hosts file is a local file on your computer that maps domain names to IP addresses. Check the hosts file to ensure there are no incorrect or outdated entries for the domain.

February 2024 - Super User
Marketer view

Email marketer from SitePoint Forums states that incorrect redirect configurations can sometimes lead to this error, especially if there's a loop between HTTP and HTTPS. Examine the .htaccess file or server configuration for any redirect rules that might be causing the issue.

January 2025 - SitePoint Forums
Marketer view

Email marketer from Medium shares that the SSL_ERROR_BAD_CERT_DOMAIN can occur if the website is loading resources over HTTP instead of HTTPS (mixed content). Browsers may block these resources and display the error. Ensure all resources (images, scripts, etc.) are loaded over HTTPS.

September 2022 - Medium
Marketer view

Email marketer from Let's Encrypt Community Support explains that Server Name Indication (SNI) allows multiple SSL certificates to be hosted on a single server. If SNI is not configured correctly, the wrong certificate may be presented, causing a domain mismatch error. Verify that SNI is properly configured on the server.

September 2021 - Let's Encrypt Community Support
Marketer view

Email marketer from Email Geeks shares that if the click tracking domain is a subdomain of the company's domain, they would typically acquire and renew the SSL certificate and host it, sometimes purchasing the SSL as well. The ESP will ultimately provide the process, but they likely host the certificate if the user is CNAMEing to their system.

August 2022 - Email Geeks
Marketer view

Email marketer from Reddit suggests using online SSL checker tools to inspect the SSL certificate of the click tracking domain. These tools can reveal the domain names covered by the certificate, the issuer, and the expiration date, helping to identify the source of the mismatch.

March 2023 - Reddit

What the experts say
3 expert opinions

The SSL_ERROR_BAD_CERT_DOMAIN error for email click tracking domains often stems from the domain lacking SSL setup, leading browsers to attempt secure connections with mismatched default certificates. SSL configuration problems linked to hosting services that don't fully support SSL certificates for click-tracking domains are also a factor. While this error typically won't cause emails to be blocked by ISPs, it can significantly reduce click-through rates due to users encountering the security warning.

Key opinions

  • Missing SSL: The click tracking domain likely does not have SSL (HTTPS) enabled.
  • Hosting Limitations: The hosting service may not fully support SSL certificates for click-tracking domains.
  • CTR Impact: While not affecting deliverability directly, the error lowers the click-through rate (CTR).

Key considerations

  • Implement SSL: Ensure SSL is fully implemented for the click tracking domain.
  • Review Hosting: Check if the hosting provider fully supports SSL certificates for click-tracking domains or consider switching providers.
  • Monitor CTR: Monitor click-through rates and address SSL errors promptly to minimize negative impact.
Expert view

Expert from Email Geeks explains that the SSL error won't cause ISPs to block emails, but it will lower the successful click-through rate (CTR) because some users will encounter the error.

December 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that the SSL error is likely caused by the click tracking domain not having SSL set up, which leads to the browser trying to force a secure connection (HTTPS) and getting a default SSL certificate that doesn't match the domain name. The fix is to implement SSL for the domain and fully implement SSL.

November 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains that one cause could be SSL configuration problems that are often hosting related and that they often see this with clients who have set up a new click-tracking domain with a hosting service that does not support SSL certificates.

April 2024 - Word to the Wise

What the documentation says
5 technical articles

The SSL_ERROR_BAD_CERT_DOMAIN error arises from several SSL configuration issues. Key causes include a mismatch between the domain name on the certificate and the website's domain, often due to the certificate being for a different domain or lacking the specific subdomain in its Subject Alternative Name (SAN) list. Incomplete or incorrectly configured certificate chains, where intermediate certificates are missing, can also cause this error. Browser-specific caching can sometimes contribute. If using Cloudflare, Flexible SSL settings may be problematic, as encryption only occurs between the visitor and Cloudflare, not between Cloudflare and the origin server; Full or Strict SSL settings are recommended for end-to-end encryption.

Key findings

  • Domain Mismatch: The certificate's domain doesn't match the website's domain or subdomain.
  • Missing SAN: The certificate lacks the specific subdomain in its Subject Alternative Name (SAN) list.
  • Incomplete Chain: The certificate chain is incomplete or incorrectly configured.
  • Cloudflare Flexible SSL: Cloudflare's Flexible SSL setting can cause issues due to encryption only occurring between the visitor and Cloudflare.
  • Browser Caching: Browser caching can sometimes contribute.

Key considerations

  • Verify Domain Names: Ensure the certificate covers the website's domain and all relevant subdomains.
  • Check SAN List: Confirm that the certificate includes all necessary subdomains in the Subject Alternative Name (SAN) list.
  • Complete Certificate Chain: Ensure the server provides the complete certificate chain, including intermediate certificates.
  • Cloudflare SSL Setting: Use Full or Strict SSL settings in Cloudflare for end-to-end encryption.
  • Clear cache: The error can be browser specific; clearing the browser cache may resolve it.
Technical article

Documentation from Mozilla Support explains that the error is browser specific and suggests clearing out any caching.

December 2021 - Mozilla Support
Technical article

Documentation from Cloudflare explains that using Cloudflare's Flexible SSL setting can cause issues. Cloudflare only encrypts the connection between the visitor and Cloudflare, not between Cloudflare and the origin server. This can lead to SSL errors if the origin server doesn't have a valid certificate. They recommend using Full or Strict SSL settings for end-to-end encryption.

February 2024 - Cloudflare Support
Technical article

Documentation from Google Chrome Help explains that the SSL_ERROR_BAD_CERT_DOMAIN error indicates a mismatch between the domain name on the certificate and the domain name of the website. This can occur if the certificate is for a different domain, or if the certificate doesn't include the subdomain being visited. They recommend contacting the website administrator to resolve the issue.

November 2021 - Google Chrome Help
Technical article

Documentation from DigiCert Knowledge Base explains that the SSL_ERROR_BAD_CERT_DOMAIN error can happen if the certificate doesn't include the specific subdomain being accessed in its Subject Alternative Name (SAN) list. The SAN list specifies all the domain names and subdomains that the certificate is valid for. They advise ensuring that the certificate includes all the necessary subdomains in the SAN list when it's issued.

February 2024 - DigiCert Knowledge Base
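
The SAN check described above can be reproduced offline. The following is an added example, not code from any of the cited sources: it applies a simplified version of the browser's name-matching rule to two constructed certificates (the example.com names are placeholders), and fetch_cert shows how to pull the certificate a live server presents for a given SNI name.

```python
import socket
import ssl

# Constructed sample certificates, in the dict shape ssl.getpeercert() returns.
SHARED_HOST_CERT = {"subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}

def san_dns_names(cert):
    """DNS entries of the Subject Alternative Name list, lower-cased."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Match one SAN entry; '*' stands for exactly one leftmost label (simplified rule)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad wildcards such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covers(cert, host):
    """True when any SAN DNS entry covers the hostname used in the tracking link."""
    return any(name_matches(name, host) for name in san_dns_names(cert))

def fetch_cert(host, port=443, timeout=5.0):
    """Return the certificate the server presents when `host` is sent as SNI."""
    ctx = ssl.create_default_context()
    # Diagnostic only: the chain is still validated, but the hostname check is
    # off so that a mismatched certificate can be retrieved and inspected.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "click.example.com"  # placeholder
    for label, cert in (("shared-host", SHARED_HOST_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, san_dns_names(cert), "covers", target, "->", covers(cert, target))
    if len(sys.argv) > 1:
        print("live:", covers(fetch_cert(target), target))
```

If fetch_cert raises ssl.SSLCertVerificationError instead of returning, the hostname is not the problem: the chain itself failed validation, which points to an expired certificate or missing intermediates.
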
Technical article

Documentation from SSL Labs explains that an incomplete or incorrectly configured certificate chain can cause SSL errors. The server needs to provide not only its own certificate but also the intermediate certificates that link it back to a trusted root certificate authority. They advise checking the certificate chain configuration to ensure all necessary certificates are included.

July 2022 - SSL Labs Documentation