
NET::ERR_SSL_SERVER_CERT_BAD_FORMAT

Chrome received a certificate during the TLS handshake but couldn't parse it as a valid X.509 structure.

What you see

Your connection is not private
NET::ERR_SSL_SERVER_CERT_BAD_FORMAT
Attackers might be trying to steal your information from example.com

What’s actually happening

The page fails before it loads and Chrome shows a full-screen interstitial. Unlike most cert warnings, there's no "Proceed anyway" link on many builds because the cert can't even be decoded enough to evaluate it. curl against the same host usually throws something like 'error:0908F066:PEM routines' or 'unable to load certificate'. The handshake gets far enough to receive bytes, then the parser rejects them.

Common causes

  • The PEM file got truncated or has the wrong delimiters — missing -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines, or extra blank lines and BOM characters inside the block.
  • A private key, CSR, or a DER-encoded file was pasted into the certificate field instead of the PEM public cert.
  • The leaf cert and intermediates were concatenated in the wrong order or with no newline between blocks, so the second block starts mid-line.
  • A control panel (cPanel, Plesk, a load balancer UI) re-encoded the cert and mangled base64 line wrapping or doubled the headers.
  • Binary corruption from copy-paste through a chat client or editor that smart-quoted or re-wrapped the base64.

How to fix it

  1. Confirm Chrome is the only thing that's broken. Run `openssl s_client -connect example.com:443 -servername example.com </dev/null`. If OpenSSL also complains it can't parse the cert, the problem is server-side, not your browser. This tells you whether to keep debugging the client machine or the certificate install on the server.
  2. Dump and inspect the installed cert. On the server run `openssl x509 -in /path/to/your.crt -text -noout`. A valid cert prints Subject, Issuer, Validity. An error like 'unable to load certificate' or 'expecting: TRUSTED CERTIFICATE' confirms the file isn't a clean PEM. `file your.crt` and `head -1 your.crt` also tell you fast if it's DER or has junk first lines.
  3. Verify you pasted the cert, not the key. The public cert block is the one that decodes with `openssl x509`. If `openssl x509` fails but `openssl rsa -in file -check` or `openssl pkey` succeeds, you put the private key in the cert slot. Swap them. The private key never goes in the certificate field.
  4. Rebuild the chain cleanly. Recreate the file as leaf cert first, then each intermediate, each as its own complete -----BEGIN/END----- block with a newline between them. `cat leaf.crt intermediate.crt > fullchain.crt` in that order. Check that each input file ends with a newline first, or `cat` will join the blocks mid-line. Re-issue from the CA if the original download was corrupted; a fresh PEM from the issuer beats trying to repair line wrapping by hand.
  5. Reload the server and re-test. Reload nginx/Apache/your terminator (`nginx -t && systemctl reload nginx`). Then re-run the openssl s_client check before reloading Chrome, since browser caching of the failed state can mislead you. Hard-reload or test in Incognito.

Stop it recurring

Always validate a cert with `openssl x509 -text -noout` before deploying it, and store certs as files rather than pasting base64 through chat or rich-text editors.
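
A structural pre-deploy check for the causes listed under "Common causes", as an added example that is not part of the original page. It inspects PEM framing and the outer DER length only and does not replace `openssl x509 -text -noout`; `lint_pem_chain`, `der_complete` and `sample_pem` are hypothetical names, and the sample input is constructed filler, not a real certificate.

```python
import base64, re, textwrap

BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_complete(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length octets follow
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_pem_chain(data: bytes) -> list:
    """Return findings for a PEM bundle; an empty list means the framing is clean."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM before first block")
        data = data[3:]
    if b"-----BEGIN " not in data:
        return findings + ["DER file, not PEM" if der_complete(data) else "no PEM block"]
    if not data.isascii():
        return findings + ["non-ASCII bytes (smart quotes or corruption)"]
    text = data.decode("ascii")
    if re.search(r"-----END [A-Z0-9 ]+-----[ \t]*-----BEGIN", text):
        findings.append("blocks joined on one line (missing newline)")
    blocks = BLOCK.findall(text)
    if {text.count("-----BEGIN "), text.count("-----END ")} != {len(blocks)}:
        findings.append("truncated, unbalanced or doubled BEGIN/END lines")
    for i, (label, body) in enumerate(blocks, 1):
        if label != "CERTIFICATE":
            findings.append(f"block {i}: {label}, not a certificate")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append(f"block {i}: invalid base64")
            continue
        if not der_complete(der):
            findings.append(f"block {i}: DER length mismatch (truncated?)")
    return findings

def sample_pem(label="CERTIFICATE", size=300) -> str:
    """Constructed test input: a DER SEQUENCE of filler bytes, not a real cert."""
    der = b"\x30\x82" + size.to_bytes(2, "big") + bytes(size)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(lint_pem_chain((sample_pem() + sample_pem("PRIVATE KEY")).encode()))
```

Read the candidate file in binary mode before passing it to `lint_pem_chain`, so a BOM or stray non-ASCII byte is seen rather than silently decoded.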
