I'm facing an issue with an SSL/TLS security warning that only one user is experiencing when they access my project from their desktop. This problem isn't occurring on mobile or for any other users. Here are some details:
- The browser prevented the connection due to a "secure connection" requirement.
- The certificate viewer displayed two certificates: a valid Let's Encrypt certificate for my project (valid until February 19, 2026) and an unexpected localhost self-signed certificate.
- The certificate signing was handled automatically through Vercel.
I've already resolved a few issues, such as finding three files that made HTTP requests from an HTTPS context and an incorrect Google OAuth redirect URI to localhost. Even after these fixes, the user continues to see the same warning on multiple browsers in incognito mode. Has anyone dealt with similar situations? What else can I check or do to resolve this? Thanks!
4 Answers
The presence of the "localhost self-signed certificate" is a clear sign that the request is being routed to the user's local machine rather than the real internet. This usually means there’s an old entry in their hosts file mapping your project’s domain to `127.0.0.1`, or they might have a local proxy like Charles intercepting the traffic. At my agency, we frequently see developers running into this issue when switching between local and production environments. Recommend they check their hosts file and flush their DNS to resolve this issue quickly.
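The hosts-file and resolver checks suggested in this answer can be scripted for the affected user to run. This is an added example, not part of the original thread; `myproject.example` and the sample hosts content are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress, os, socket, ssl, sys

# Constructed sample hosts file; "myproject.example" is a placeholder domain.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   myproject.example www.myproject.example  # left over from local dev
# 127.0.0.1 api.myproject.example
203.0.113.7 staging.myproject.example
"""

def hosts_overrides(hosts_text, domain):
    """Return (line_no, ip, is_loopback) for each active hosts entry naming domain."""
    want, hits = domain.lower().rstrip("."), []
    for n, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])  # strip IPv6 zone id
        except (IndexError, ValueError):
            continue                             # blank, comment-only or malformed line
        if want in (name.lower().rstrip(".") for name in fields[1:]):
            hits.append((n, str(ip), ip.is_loopback))
    return hits

def local_answers(domain):
    """Addresses the OS resolver returns for domain that are loopback or private."""
    try:
        infos = socket.getaddrinfo(domain, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    addrs = {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}
    return sorted(str(a) for a in addrs if a.is_loopback or a.is_private)

def tls_verdict(domain):
    """Handshake with normal verification; report the issuer or why it failed."""
    try:
        with socket.create_connection((domain, 443), timeout=5) as raw, \
             ssl.create_default_context().wrap_socket(raw, server_hostname=domain) as tls:
            return "verified, issuer: %s" % dict(x[0] for x in tls.getpeercert()["issuer"])
    except ssl.SSLCertVerificationError as e:
        return "verification failed: %s" % e.verify_message
    except OSError as e:
        return "connection failed: %s" % e

if __name__ == "__main__":
    domain = sys.argv[1]
    path = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc\hosts") if os.name == "nt" else "/etc/hosts"
    with open(path, errors="replace") as f:
        print("hosts overrides:", hosts_overrides(f.read(), domain))
    print("local resolver answers:", local_answers(domain))
    print("TLS:", tls_verdict(domain))
```

A loopback entry in the first line of output, or a loopback or private address in the second, means the browser never reaches the hosted site. A failed verification with no local address involved points instead at an intercepting proxy or scanner on the machine.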
It's definitely not normal for a user to see the localhost certificate. Also, is the user accessing from a specific corporate network? It's possible that the root CA that issued your certificates has been deliberately removed from their setup. If it's feasible, try to assist them remotely to observe the error firsthand and view the certificate details.
Not entirely sure about their work setup, but they are a tester who accessed the URL for the first time. From our chat, it seems they were checking from both their machine and phone. They shared a message indicating a security issue, but since it's a Let’s Encrypt cert, it shouldn’t come back as self-signed.
First, make sure the user's computer has the correct date and time set. It’s helpful if the machine syncs with a reliable time source.
Next, check for any proxies or configurations on the user's machine that may be causing the localhost certificate to appear. Sometimes, virus scanners or browser plugins can mess things up and mimic a certificate issue. If the user is also using the machine for development, there might be a local proxy set up that’s interfering. Any of these issues could cause connection problems with other sites, not just yours.
Great suggestions, I'll check with the user to see if any of these apply.
I’ve seen something similar where the intermediate certificate chain was broken, which only affects certain devices. It’s best to run your site through an SSL certificate checker online; just search for one. You’ll ideally want to provide your public URL, and if everything checks out as green, you're good to go. But if there are issues, address those right away!
I just checked a bunch of the top SSL checkers, and everything looks green. So hopefully that’s not the problem.

That sounds like a strong lead! Thanks for the insight.