How to fix ssl cert invalid on WooCommerce

Steps for WooCommerce

1. WooCommerce runs on WordPress, so SSL is managed at your web host, not inside WooCommerce itself.
2. Log in to your hosting control panel (cPanel, Plesk, or host-specific dashboard). Look for 'SSL/TLS', 'Let's Encrypt', or 'SSL Certificates' section.
3. In cPanel: Security → SSL/TLS → Manage SSL Sites. Check which domain the installed certificate covers. If it is the wrong domain, use 'Let's Encrypt SSL' (AutoSSL) or install a new certificate for the correct domain.
4. For hosts that offer AutoSSL (e.g. cPanel AutoSSL with Let's Encrypt): Security → SSL/TLS Status → run AutoSSL for your domain.
5. After installing the correct certificate, in WordPress Admin go to Settings → General and confirm both WordPress Address and Site Address begin with https:// and use the exact domain the certificate covers.
6. Install the 'Really Simple SSL' plugin (WordPress Admin → Plugins → Add New → search 'Really Simple SSL') to automatically redirect HTTP to HTTPS and fix mixed-content issues site-wide.
7. Verify with your browser padlock or SSL Labs.

What is ssl cert invalid?

Every website served over HTTPS needs an SSL/TLS certificate issued by a trusted Certificate Authority (CA). That certificate must list the exact domain name (or a wildcard that covers it) your visitors use to reach your store. A "hostname mismatch" error means the certificate installed on your server was issued for a *different* domain — for example, it covers `www.example.com` but your store is accessed at `example.com`, or the certificate belongs to a completely different domain altogether. Browsers check this match every time someone loads your site; if it fails, they show a full-screen warning and refuse to complete the connection.

A certificate hostname mismatch is one of the most damaging trust failures an online store can have. Browsers (Chrome, Firefox, Safari, Edge) display a red "Your connection is not private" warning that blocks visitors before they ever see your store — most users immediately leave and never return, costing you sales directly. Google treats HTTPS as a ranking signal and may demote or de-index pages that cannot be loaded securely, reducing your organic traffic. From a legal and compliance perspective, payment card industry (PCI-DSS) rules require that cardholder data be encrypted with a valid certificate; a mismatch means you are technically non-compliant and could face fines or lose the ability to accept cards. Under OWASP's A02:2021 Cryptographic Failures, an invalid certificate is classified as a critical security vulnerability because it leaves all data exchanged between your customers and your store potentially exposed to interception.

See the complete Ssl cert invalid guide for every platform and the full background.