HSTS Error: “You cannot visit this site right now” (no Proceed button)
The domain previously sent an HSTS header, so the browser hard-blocks the cert error and strips the usual Proceed-anyway escape hatch.
What you see
Your connection is not private
You cannot visit example.com right now because the website uses HSTS.
NET::ERR_CERT_AUTHORITY_INVALID
What’s actually happening
Same warning page as a normal cert error, but the "Proceed to example.com (unsafe)" link is gone and there's no way through. The site sent Strict-Transport-Security on an earlier visit, so the browser cached a promise to only ever connect securely — and HSTS explicitly forbids click-through on a bad cert. The block is a downstream symptom; the real fault is the certificate. On Chrome you can sometimes type the literal phrase "thisisunsafe" on the warning page, but that's a debugging hack, not a fix.
Common causes
- The origin cert is broken (expired, self-signed, untrusted CA, or hostname mismatch) and HSTS removes the override that would normally let you past
- HSTS was sent with a long max-age (often 31536000) and/or includeSubDomains, locking the policy in on every visitor's browser
- The apex is preloaded in the HSTS preload list, so the lock applies even on a browser that never visited before
- A redirect or proxy in front of the site is serving the wrong cert while the HSTS policy is still in force
How to fix it
- Fix the certificate — that's the only real exit. HSTS isn't the bug; it's refusing to let you ignore the cert. Identify the underlying error: run openssl s_client -connect example.com:443 -servername example.com -showcerts, then pipe the returned certificate into openssl x509 -noout -dates -subject -issuer. Renew expired certs, add the missing intermediate chain, or reissue for the correct hostname, then reload the server.
- Confirm it's resolved before reaching for cache tricks. Test from a browser that never hit the domain, or with curl -v https://example.com (curl ignores browser HSTS state). If the cert is good there, the block is purely local cached HSTS and clearing it is safe — if the cert is still bad, clearing changes nothing.
- Clear the local HSTS entry (only after the cert is fixed). Chrome: open chrome://net-internals/#hsts, under "Delete domain security policies" enter example.com and click Delete. Firefox: History > Clear Recent History, or remove the siteSecurityServiceState.txt entry. This only resets your machine's cache; it does nothing to the server and won't help if the cert is still broken.
- If you control the site and want HSTS off, age it out deliberately. You cannot retract HSTS instantly — browsers honor the cached max-age. Serve Strict-Transport-Security: max-age=0 (still over valid HTTPS) so browsers expire the policy on next visit. If you're on the preload list, submit removal at hstspreload.org and expect weeks, not minutes.
Stop it recurring
Before sending HSTS — and especially before preloading — make sure auto-renewal and the full cert chain are rock solid, because HSTS turns any future cert slip into a hard outage with no click-through.