How to Fix OpenClaw SSL Certificate Errors
SSL certificate errors prevent secure HTTPS access to your OpenClaw instance and can break integrations that require valid certificates. The common causes are an expired certificate, an incomplete certificate chain (the server sends only the leaf), a self-signed certificate that clients reject, and auto-renewal that never ran. This guide walks through diagnosing and fixing each of these scenarios.
Why This Is Hard to Do Yourself
These are the common pitfalls that trip people up.
Certificate expired without renewal
Let's Encrypt certificates are valid for 90 days. If auto-renewal fails silently, nothing looks wrong until the expiry date, when every client starts rejecting the site at once.
Incomplete certificate chain
The server sends only the leaf certificate (cert.pem instead of fullchain.pem). Browsers that have cached the intermediate from another site may still load the page, while curl, Python, Java and mobile clients fail with "unable to get local issuer certificate" or "unable to verify the first certificate".
Self-signed certificate warnings
Browsers and tools reject self-signed certificates, breaking API integrations. The fix is a certificate from a public CA (or a private CA that your clients explicitly trust), not disabling certificate verification in the clients.
Auto-renewal not configured
Certbot or acme.sh was run once but no systemd timer or cron job was set up, so renewal has to be done by hand every three months.
Step-by-Step Guide
Check certificate expiration date
Verify when your current certificate expires and if it's still valid.
# Check expiry for your domain:
openssl s_client -connect your-domain.com:443 -servername your-domain.com < /dev/null 2>/dev/null | \
openssl x509 -noout -dates
# Output shows:
# notBefore=Jan 15 00:00:00 2025 GMT
# notAfter=Apr 15 23:59:59 2025 GMT
# Or check the certificate file directly (this is what is on disk; the server only
# serves a renewed file after a reload, so also check the live certificate as above):
openssl x509 -in /etc/letsencrypt/live/your-domain.com/fullchain.pem -noout -enddate
# Yes/no check: -checkend N exits 0 if the certificate is still valid N seconds from now.
# N=0 only answers "is it valid right now"; 14 days catches a renewal that has failed:
echo | openssl s_client -connect your-domain.com:443 -servername your-domain.com 2>/dev/null | \
openssl x509 -noout -checkend $((14*86400)) && echo "Valid for at least 14 more days" || echo "Expires within 14 days, or could not be fetched"
Verify certificate chain completeness
Ensure the full certificate chain is configured, including intermediate certificates.
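The two most common failures from the pitfalls list, an incomplete chain and an expired leaf, are easier to recognise once you have seen them in isolation. The following script is an added example and is not part of the OpenClaw guide or project: it builds a throw-away root, intermediate and 30-day leaf with openssl, verifies the leaf the way a client that trusts only the root would, first with the server sending only cert.pem and then with fullchain.pem, and finally uses openssl x509 -checkend as a portable replacement for the date arithmetic used in the monitoring step later in this guide. All names in it (Example Test Root, your-domain.com) are placeholders, and it runs offline with nothing but openssl and a POSIX shell:

```shell
#!/bin/sh
# Added example (not from the OpenClaw docs): build a throw-away test PKI
# root -> intermediate -> leaf, then show (1) what a client sees when the server
# sends only cert.pem instead of fullchain.pem, and (2) a portable "is it still
# valid N days from now" test that does not depend on GNU date.
# All names (Example Test Root, your-domain.com) are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions: CA certs get CA:TRUE + keyCertSign; the leaf gets serverAuth + a SAN.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:your-domain.com\n' > "$WORK/leaf.ext"

# Key + CSR for each tier. $1 = file stem, $2 = CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
new_csr root "Example Test Root"
new_csr int  "Example Test Intermediate"
new_csr leaf "your-domain.com"

# Root signs itself, root signs the intermediate, intermediate signs a 30-day leaf
# (the same lifetime as a Let's Encrypt certificate).
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# What certbot writes: cert.pem is the leaf alone, fullchain.pem is leaf + intermediate.
cp "$WORK/leaf.pem" "$WORK/cert.pem"
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"

# Verify the way a client with only the root in its trust store does.
# $1 = leaf the server sent, $2 = extra certs the server sent ("" if none).
verify_as_client() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1"
  else
    openssl verify -CAfile "$WORK/root.pem" "$1"
  fi
}

# Exit 0 if the cert is still valid $2 days from now, 1 if it will have expired.
# openssl x509 -checkend does the date math, so this works on any platform.
valid_for_days() {
  openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

echo "== server sends cert.pem only (missing intermediate) =="
verify_as_client "$WORK/cert.pem" "" || echo "-> client fails: unable to get local issuer certificate"
echo "== server sends fullchain.pem =="
verify_as_client "$WORK/leaf.pem" "$WORK/int.pem"

echo "== expiry of the 30-day leaf =="
openssl x509 -noout -enddate -in "$WORK/leaf.pem"
for days in 14 45; do
  if valid_for_days "$WORK/leaf.pem" "$days"; then
    echo "still valid $days days from now"
  else
    echo "expired within $days days: renewal has failed, act now"
  fi
done
```

The verify failure for cert.pem alone, error 20 "unable to get local issuer certificate", is the same one curl, Python and Java clients report against a real server that omits its intermediate, while a browser that has already cached that intermediate may load the page without complaint; that is why a chain problem often surfaces only in API integrations. Note also that the leaf still passes the 14-day check but fails the 45-day one: -checkend answers "valid at that future moment", so N=0 tells you only whether it has already expired.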
# Fetch every certificate the server sends and let openssl build the chain:
openssl s_client -connect your-domain.com:443 -servername your-domain.com -showcerts < /dev/null 2>/dev/null | \
grep -E "^ *[0-9]* *[si]:|^Verify return code"
# Healthy: an s:/i: (subject/issuer) pair per certificate, leaf first, then the
# intermediate, and "Verify return code: 0 (ok)". A server that sends only the leaf
# shows one pair and "Verify return code: 21 (unable to verify the first certificate)".
# Count the certificates sent (a Let's Encrypt setup sends at least 2: leaf + intermediate):
openssl s_client -connect your-domain.com:443 -servername your-domain.com -showcerts < /dev/null 2>/dev/null | \
grep -c "BEGIN CERTIFICATE"
# Check chain validation from a plain client:
curl -sS -o /dev/null https://your-domain.com && echo "chain OK"
# A missing intermediate prints:
# curl: (60) SSL certificate problem: unable to get local issuer certificate
# Verify nginx is using fullchain:
grep ssl_certificate /etc/nginx/sites-available/openclaw
# Should point to fullchain.pem, NOT cert.pem; reload nginx after changing it
# Caddy obtains certificates itself and always serves the full chain. If Caddy is the
# TLS terminator, check the served chain with the s_client command above, or look at
# its storage (for the packaged systemd service this is typically under
# /var/lib/caddy/.local/share/caddy/certificates/):
sudo ls -R /var/lib/caddy/.local/share/caddy/certificates/
Configure Let's Encrypt auto-renewal
Set up certbot to automatically renew certificates before expiration.
# Install certbot if not present:
sudo apt install certbot python3-certbot-nginx # For nginx
# Or:
sudo apt install certbot python3-certbot-apache # For Apache
# Obtain a certificate and let the plugin edit the nginx config. The plugin also
# reloads nginx after every renewal, so the renewed certificate is actually served:
sudo certbot --nginx -d your-domain.com -d www.your-domain.com
# Or obtain only the files and reference them from nginx yourself. --standalone
# binds port 80, so nginx has to be stopped around each run, including renewals;
# the hooks below are saved in the renewal config and take care of that (or use
# --webroot -w /var/www/html instead of --standalone to keep nginx running):
sudo certbot certonly --standalone -d your-domain.com \
  --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
# Test auto-renewal (no certificate is issued):
sudo certbot renew --dry-run
# Debian/Ubuntu packages install a systemd timer that runs "certbot renew" twice a
# day; it only renews once a certificate is within 30 days of expiry:
sudo systemctl status certbot.timer
# Or, if certbot was installed another way, check cron:
crontab -l | grep certbot
# Manual renewal if needed (then reload nginx unless a hook does it):
sudo certbot renew
Fix mixed content warnings
Ensure all resources load over HTTPS to avoid browser security warnings.
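Grepping the page source for "http://" flags every plain link, which browsers never treat as mixed content, and says nothing about which hits actually matter. Browsers block active mixed content (scripts, stylesheets, frames and objects loaded over http://) and only warn about, or auto-upgrade, passive content such as images, audio and video. The following shell functions are an added example and are not part of the OpenClaw guide or project; they classify the http:// references in a saved HTML file into those two groups, run here against a small constructed sample page (the cdn.example.com URLs and tags are made up for the demonstration):

```shell
#!/bin/sh
# Added example (not from the OpenClaw docs): classify http:// references in a
# saved HTML page into active mixed content (blocked by browsers) and passive
# mixed content (warned about or auto-upgraded). Plain <a href> links are neither.
set -eu

# Constructed sample page standing in for "curl -s https://your-domain.com -o page.html".
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://your-domain.com/app.css">
<script src="http://cdn.example.com/lib.js"></script>
<link rel="stylesheet" href="http://cdn.example.com/legacy.css">
</head><body>
<img src="http://cdn.example.com/logo.png">
<a href="http://example.com/docs">docs</a>
<iframe src="https://your-domain.com/widget"></iframe>
</body></html>
EOF

# Tag types whose http:// load browsers block outright...
ACTIVE_RE="<(script|link|iframe|object|embed)[[:space:]][^>]*(src|href|data)=[\"']http://"
# ...and those they merely warn about (Chrome and Firefox auto-upgrade these to https).
PASSIVE_RE="<(img|audio|video|source)[[:space:]][^>]*src=[\"']http://"

# Each function prints one offending tag (up to the end of the URL) per line.
# "|| true" keeps a clean page (no matches, grep exit 1) from aborting under set -e.
list_active_mixed()  { grep -oiE "$ACTIVE_RE[^\"']*"  "$1" || true; }
list_passive_mixed() { grep -oiE "$PASSIVE_RE[^\"']*" "$1" || true; }
count_active_mixed()  { list_active_mixed  "$1" | wc -l | tr -d ' '; }
count_passive_mixed() { list_passive_mixed "$1" | wc -l | tr -d ' '; }

echo "Active mixed content (page breaks, must fix):"
list_active_mixed "$SAMPLE"
echo "Passive mixed content (padlock warning):"
list_passive_mixed "$SAMPLE"
echo "Totals: $(count_active_mixed "$SAMPLE") active, $(count_passive_mixed "$SAMPLE") passive"
```

To use it against your own site, save the page first (for example with curl -s https://your-domain.com -o page.html) and point the functions at that file. The browser developer console remains the authoritative check: it reports exactly which requests were blocked or upgraded.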
# Check for hard-coded http:// URLs in the nginx config (proxy_pass to an internal
# backend over http:// is fine; public-facing URLs are not):
grep -n "http://" /etc/nginx/sites-available/openclaw
# Replace public http:// URLs with https://
# Update OpenClaw config to use HTTPS:
nano ~/.openclaw/.env
SITE_URL=https://your-domain.com # NOT http://
FORCE_HTTPS=true
# For a reverse proxy, tell the application it is behind TLS so it generates
# https:// links (the application must trust these headers only from the proxy):
# Nginx:
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
# Rough test for mixed content: list src/href attributes that still point at http://.
# Only scripts, stylesheets and frames are blocked; images are upgraded or warned about,
# and plain <a href="http://..."> links are not mixed content at all. The browser
# console is the authoritative check:
curl -s https://your-domain.com | grep -oiE '(src|href)="http://[^"]*'
Test SSL configuration quality
Verify your SSL setup follows best practices and does not accept deprecated protocols or weak ciphers.
# Test with SSL Labs (authoritative):
# Visit: https://www.ssllabs.com/ssltest/analyze.html?d=your-domain.com
# Aim for an A+ rating (A+ additionally requires an HSTS header)
# Or use testssl.sh locally:
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh
./testssl.sh https://your-domain.com
# Check supported protocols (only TLS 1.2 and 1.3 should be negotiable):
openssl s_client -connect your-domain.com:443 -servername your-domain.com -tls1_2 < /dev/null
# Should succeed ("Protocol  : TLSv1.2" in the session block)
openssl s_client -connect your-domain.com:443 -servername your-domain.com -tls1_1 < /dev/null
# Should fail with a handshake alert. TLS 1.0/1.1 are deprecated, and SSL 3.0 support
# is compiled out of current OpenSSL, so -ssl3 is usually rejected as an option by
# the client itself; if your local openssl also refuses -tls1_1 outright, rely on
# testssl.sh for the server-side answer.
# Review nginx SSL config. Should include:
ssl_protocols TLSv1.2 TLSv1.3;
# (Mozilla's current intermediate profile sets ssl_prefer_server_ciphers off and lets
# modern clients choose; "on" is only useful together with an explicit strong cipher list)
ssl_prefer_server_ciphers on;
Set up certificate monitoring and alerts
Get notified before certificates expire to prevent outages.
# Create cert monitoring script (checks the certificate the server actually serves):
cat > check-cert-expiry.sh << 'EOF'
#!/bin/bash
# Let's Encrypt renews at 30 days out, so fewer than 14 days left means renewal
# has already failed and needs attention.
set -u
DOMAIN="your-domain.com"
WARN_DAYS=14
MAILTO="admin@example.com"
EXPIRY=$(echo | openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" 2>/dev/null | \
openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
if [ -z "$EXPIRY" ]; then
  # A connection failure is also worth an alert; otherwise date fails below and
  # the script dies silently under cron.
  echo "Could not fetch the certificate for $DOMAIN" | \
  mail -s "Certificate check FAILED: $DOMAIN" "$MAILTO"
  exit 1
fi
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)   # GNU date; on macOS/BSD: date -j -f '%b %d %T %Y %Z' "$EXPIRY" +%s
NOW=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW) / 86400 ))
if [ "$DAYS_LEFT" -lt "$WARN_DAYS" ]; then
  echo "SSL cert for $DOMAIN expires in $DAYS_LEFT days (notAfter=$EXPIRY)" | \
  mail -s "Certificate Expiry Warning: $DOMAIN" "$MAILTO"
fi
EOF
chmod +x check-cert-expiry.sh
# Run daily. Use the script's absolute path (cron has a minimal PATH), and make sure
# "mail" can actually deliver: cron hosts often have no MTA, so install postfix or
# msmtp, or swap the mail call for your alerting webhook:
(crontab -l 2>/dev/null; echo "0 9 * * * /path/to/check-cert-expiry.sh") | crontab -
# Or use a hosted monitor that watches certificate expiry for you, e.g.:
# - UptimeRobot
# - StatusCake
# - Cronitor
SSL Issues Blocking Your Users?
Our security experts configure production-grade SSL/TLS with auto-renewal, perfect forward secrecy, and A+ SSL Labs ratings. Get bulletproof HTTPS without certificate expiry surprises.