
HSTS block: "You cannot visit … right now because the website uses HSTS"

On an HSTS domain a certificate error has no "Proceed anyway" link: the HSTS policy (RFC 6797) requires the browser to terminate the connection without offering an override, so the only way out is a valid certificate on the server.

What you see

You cannot visit example.com right now because the website uses HSTS.
Network errors and attacks are usually temporary, so this page will probably work later.

What’s actually happening

Chrome hits a certificate error on a domain it holds an HSTS policy for, either because an earlier visit returned a Strict-Transport-Security header or because the domain is on the built-in preload list, and the usual "Proceed to example.com (unsafe)" escape hatch is gone. You're stuck. Underneath is an ordinary certificate problem, most often NET::ERR_CERT_AUTHORITY_INVALID, NET::ERR_CERT_DATE_INVALID, or NET::ERR_CERT_COMMON_NAME_INVALID. HSTS is doing exactly its job: RFC 6797 tells the browser to treat any TLS error on a known-HSTS host as fatal, with no user opt-out, so a broken certificate can't be clicked through, and neither can an attacker's forged one.

Common causes

  • The certificate expired because auto-renewal (certbot or another ACME client) silently failed, or it renewed but the web server was never reloaded and still serves the old cert, so the live cert on an HSTS host is now invalid.
  • An incomplete chain: the server sends the leaf cert but omits the intermediate. Some clients paper over this by fetching the missing intermediate from the AIA URL or from a cache of intermediates seen earlier, so the site can look fine in one browser and fail in another; never rely on that.
  • The certificate's SAN list doesn't cover the hostname (a cert for www.example.com when the user hits the apex example.com, or a wildcard *.example.com, which matches exactly one label and so covers neither example.com nor a.b.example.com). Chrome ignores the Common Name entirely, so a name that appears only in the CN doesn't count.
  • A self-signed or internal-CA cert on a host covered by an HSTS policy, typically because the parent domain sent Strict-Transport-Security with includeSubDomains or is preloaded, so the untrusted issuer can't be clicked through the way it could on a non-HSTS host.
  • Clock skew on the client machine making a valid cert look not-yet-valid or expired; this is the one cause that really is on the client side.

How to fix it

  1. Fix the certificate, not the browser. This is a server-side problem almost every time. Inspect what the server actually sends: openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null. Check the notAfter date, the issuer, and whether the intermediate appears after the leaf. Renew (certbot renew) or reissue, install the full chain (leaf followed by intermediate), and reload the web server; a renewed cert that the running process never loaded fixes nothing.
  2. Verify the chain externally. Run the host through SSL Labs or whatsmychaincert.com. "Chain issues: Incomplete" means you're missing the intermediate: append it after the leaf in the file nginx's ssl_certificate or Apache's SSLCertificateFile points to, then reload. With certbot this usually means the config points at cert.pem instead of fullchain.pem, which already contains the intermediate.
  3. Clear HSTS locally only to test. If you've fixed the server and want to retest a machine that cached the policy, go to chrome://net-internals/#hsts, enter the host under "Delete domain security policies," and click Delete. This only affects that Chrome profile, it does nothing for domains on the preload list, and if the server still sends the HSTS header Chrome records the policy again on the next successful visit. It is a test aid, not a fix.
  4. Check the client clock if the cert looks fine. A correct, unexpired cert that still fails, especially with NET::ERR_CERT_DATE_INVALID, usually means the device clock is wrong. Compare date -u with the cert's notBefore and notAfter, set time to automatic, and reload.

Stop it recurring

Monitor certificate expiry from outside, with a check that connects as a client and alerts when notAfter is less than a week away, since on an HSTS domain an expired or broken certificate locks every user out with no proceed link until the server is fixed. Make sure the renewal hook reloads the web server, and remember that includeSubDomains and preload extend the blast radius to every subdomain, so any internal host under the domain needs a publicly trusted certificate too.
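The checks from steps 1, 2 and 4 and the week-out expiry test above, run offline against a throwaway PKI. This is an added example, not code from the original page: it builds its own root, intermediate and leaf certificates in a temp directory (constructed test data), and the hostname www.example.com, file names and extension profiles are assumptions. It needs only the openssl CLI, and the same verify / x509 invocations apply unchanged to a chain you saved from openssl s_client -showcerts.

```shell
#!/bin/sh
# Added example (not from the page): reproduce the incomplete-chain,
# wrong-SAN and about-to-expire faults behind the HSTS block, then run the
# openssl checks you would run on a live chain. All names are assumed.
set -u

HOST="www.example.com"            # assumed hostname the leaf is issued for
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config: empty DN section (subjects come from -subj) plus two
# extension profiles, one for CA certs and one for the server leaf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

# Self-signed root (the trust anchor, standing in for a public CA).
newkey "$WORK/root.key"
openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Test Root" -days 3650 \
  -sha256 -config "$WORK/openssl.cnf" -extensions ca_ext \
  -out "$WORK/root.crt" 2>/dev/null

# issue NAME ISSUER PROFILE DAYS: key + CSR for NAME, signed by ISSUER's
# cert/key in $WORK, extensions from [PROFILE], valid for DAYS days.
issue() {
  newkey "$WORK/$1.key" &&
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" \
    -config "$WORK/openssl.cnf" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$4" -sha256 \
    -extfile "$WORK/openssl.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}
issue int   root ca_ext   1825   # intermediate CA
issue leaf  int  leaf_ext 365    # healthy leaf; CN is "leaf", only the SAN matters
issue short int  leaf_ext 3      # leaf that expires within the week

# Step 2: does LEAF chain to the root using only the extra certs the server
# sends ($2)? Leave $2 empty to simulate a server that omits the intermediate.
chain_verifies() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
  fi
}

# Cause 3: does the SAN cover the name the user typed? With a SAN present,
# openssl applies the same single-label wildcard rules Chrome does.
name_matches() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Expiry monitor: succeed only if the cert is still valid 604800 s (7 days) from now.
valid_for_a_week() {
  openssl x509 -in "$1" -noout -checkend 604800 >/dev/null 2>&1
}

# Step 1: the fields you read off a live chain captured with
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
show() { openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName; }

# report LABEL COMMAND...: print PASS/FAIL for each check without aborting.
report() {
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

show "$WORK/leaf.crt"
report "leaf alone verifies (server omitted the intermediate)"      chain_verifies "$WORK/leaf.crt"
report "leaf + intermediate verifies (full chain installed)"        chain_verifies "$WORK/leaf.crt" "$WORK/int.crt"
report "SAN covers $HOST"                                           name_matches "$WORK/leaf.crt" "$HOST"
report "SAN covers apex example.com (expected to fail)"             name_matches "$WORK/leaf.crt" "example.com"
report "healthy leaf still valid in a week"                         valid_for_a_week "$WORK/leaf.crt"
report "3-day leaf still valid in a week (monitor should alert)"    valid_for_a_week "$WORK/short.crt"
```

The first chain check fails and the second passes, which is exactly the difference between pointing the web server at cert.pem and at fullchain.pem; the apex-name check fails because the SAN lists only www.example.com; and the 3-day leaf trips the week-out check that an external monitor should turn into an alert.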
