sfw/fix
ERR_CERT_SYMANTEC_LEGACY critical

NET::ERR_CERT_SYMANTEC_LEGACY

The cert chains to a distrusted Symantec-era root, so Chrome rejects it entirely — replacing the certificate is the only fix.

What you see

Your connection is not private

Attackers might be trying to steal your information from example.com (for example, passwords, messages, or credit cards).

NET::ERR_CERT_SYMANTEC_LEGACY

What’s actually happening

Chrome throws the full interstitial and there's no real way around it for visitors. The certificate descends from the old Symantec PKI — which includes the Thawte, VeriSign, GeoTrust, RapidSSL, and Equifax brands — that Chrome distrusted after a series of mis-issuance findings. Chrome 66 dropped trust for Symantec certs issued before June 1, 2016; Chrome 70, in October 2018, distrusted all of them. The cert may still be years from expiry and still look fine in older tooling, but every current Chrome and Chromium browser blocks it.

Common causes

  • The active cert was issued by Symantec, Thawte, VeriSign, GeoTrust, RapidSSL, or Equifax before the distrust cutoffs and never replaced.
  • A reseller-issued cert that quietly chained to a legacy Symantec intermediate root.
  • An old multi-year cert (back when 3-year certs existed) that was bought pre-2018 and is still installed.
  • A long-lived intermediate from the Symantec hierarchy is still in the chain even after the leaf was changed.
  • A forgotten subdomain or internal host still serving a stale Symantec-era cert.

How to fix it

  1. Confirm the issuerRun `echo | openssl s_client -connect example.com:443 | openssl x509 -noout -issuer`. If the issuer names Symantec, Thawte, VeriSign, GeoTrust, RapidSSL, or Equifax, the cert is in the distrusted set and must be replaced — there's no config toggle that restores trust.
  2. Get a new cert from a current CAReissue from any presently-trusted CA. DigiCert acquired the Symantec CA business and reissues on its own modern roots, but Let's Encrypt, Sectigo, or any other mainstream CA works equally well. Free options are fine.
  3. Install the full new chain and reloadDeploy the new leaf plus the new intermediate(s), making sure no leftover Symantec-era intermediate is still referenced in the cert chain file. Reload Nginx/Apache and verify with SSL Labs that the whole chain is on the new root.
  4. Sweep every host and subdomainThese certs were often bought in bulk. Inventory all hostnames (apex, www, app, mail, staging) and reissue any that still chain to the old PKI, not just the one that surfaced the error.

Stop it recurring

Keep a certificate inventory with issuer and expiry, and migrate anything chaining to a distrusted CA immediately rather than waiting for the browser block to find it for you.

Related errors

NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

high

The certificate is signed with SHA-1, a hash browsers stopped trusting, so Chrome blocks the page outright.

NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

high

Chrome blocks the cert because it can't prove the cert was publicly logged — there are no valid SCTs attached.

NET::ERR_CERT_COMMON_NAME_INVALID

high

Chrome blocks the page because the hostname you typed isn't in the certificate's Subject Alternative Name list.

SSL Certificate Expired

critical

An expired SSL certificate triggers a full-page "Your connection is not private" warning that blocks every visitor.