The browser cannot establish a secure SSL/TLS connection because the server and browser cannot agree on a protocol version or cipher suite.
ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
Configure modern TLS protocols. TLS 1.0/1.1 are deprecated and rejected by all major browsers.
openssl s_client -connect example.com:443 -servername example.com
A completed handshake prints the certificate and negotiated protocol. An immediate failure or plaintext response means 443 is serving HTTP; in nginx the listener needs 'listen 443 ssl;'.
# Loads in incognito / on another device? The cause is local: # check the system clock, clear the SSL state and cache, # disable antivirus HTTPS scanning or interfering extensions.
If the site loads elsewhere, the server is fine; fix the local clock, cached SSL state, or interception software instead.
An ObserveOne uptime check makes a full HTTPS request from outside, so a handshake that starts failing after a config change triggers an alert instead of waiting for user reports.
Start Monitoring FreeServer and browser cannot agree on SSL/TLS protocol version or cipher suite.
SSL certificate is not signed by a trusted Certificate Authority.
SSL certificate has expired or is not yet valid.
Domain name doesn't match any domain in the SSL certificate.
SSL/TLS handshake between client and server failed to complete.