SSL Certificate Not Working After Server Migration — Complete Fix Guide

Priya

Content Writer & Researcher

Last Updated: 9 June 2026

SSL Certificate Not Working After Server Migration — Complete Fix Guide

🖥️

Migrating Servers? Keep HTTPS Working Throughout the Move

SSL failures after a server migration can cost you hours of downtime and SEO rankings. CloudHouse's server migration specialists pre-validate SSL configuration on the new server before DNS cutover — so HTTPS never drops.

🔧 Book Free Diagnosis Call Now WhatsApp

🖥️12,400+PCs Fixed

⭐4.9★Google Rating

⚡<15 minAvg. Response

🛡️ISO 27001Certified

Moving a website to a new server should be straightforward — until you discover that HTTPS stops working the moment DNS flips. Browsers throw ERR_CERT_COMMON_NAME_INVALID, NET::ERR_CERT_AUTHORITY_INVALID, or the dreaded padlock turns red. This guide covers every root cause behind SSL certificates not working after server migration and gives you the exact commands to diagnose and fix each one.

💡 None of these worked? Skip the guesswork.

Get Expert Help →

1. Diagnose the Exact SSL Error First

Before touching any configuration, identify which specific SSL error you are dealing with. The error code tells you exactly what is broken.

1Test with OpenSSL from the command line

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>&1 | head -50

Look for these key lines in the output:

verify error:num=20:unable to get local issuer certificate — missing intermediate certificate in the chain
verify error:num=21:unable to verify the first certificate — incomplete certificate chain
SSL_ERROR_RX_RECORD_TOO_LONG — web server is serving HTTP on port 443 (SSL not configured)
certificate has expired — the cert on the new server is outdated

2Check what certificate the new server is presenting

openssl s_client -showcerts -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text | grep -E "Subject:|Issuer:|Not After"

Confirm the Subject matches your domain, the Issuer is your CA, and the expiry date is in the future.

3Check if port 443 is even open on the new server

ss -tlnp | grep 443
# or:
netstat -tlnp | grep 443

If nothing is listening on 443, your web server's SSL VirtualHost is not configured or the service has not been restarted after migration.

1Find certificate locations on the old server

For cPanel-managed certificates:

ls /etc/ssl/certs/
ls /var/cpanel/ssl/installed/certs/
ls /etc/letsencrypt/live/yourdomain.com/

For Apache:

grep -r "SSLCertificateFile\|SSLCertificateKeyFile\|SSLCACertificateFile" /etc/apache2/ /etc/httpd/ 2>/dev/null

For Nginx:

grep -r "ssl_certificate\|ssl_certificate_key" /etc/nginx/ 2>/dev/null

2Transfer the certificate files securely

scp -r /etc/letsencrypt/live/yourdomain.com/ root@NEW_SERVER_IP:/etc/letsencrypt/live/
scp /etc/letsencrypt/renewal/yourdomain.com.conf root@NEW_SERVER_IP:/etc/letsencrypt/renewal/

You need four files: the certificate (cert.pem), the private key (privkey.pem), the full chain (fullchain.pem), and the certificate chain (chain.pem).

3Set correct permissions on the new server

chmod 644 /etc/letsencrypt/live/yourdomain.com/cert.pem
chmod 644 /etc/letsencrypt/live/yourdomain.com/fullchain.pem
chmod 600 /etc/letsencrypt/live/yourdomain.com/privkey.pem
chown -R root:root /etc/letsencrypt/live/yourdomain.com/

1Verify the certificate and private key are a matched pair

# Get the modulus of the certificate
openssl x509 -noout -modulus -in /path/to/cert.pem | md5sum

# Get the modulus of the private key
openssl rsa -noout -modulus -in /path/to/privkey.pem | md5sum

Both MD5 hashes must match exactly. If they differ, you have the wrong private key for this certificate.

2If the private key is missing

Private keys generated on the old server cannot be regenerated — they are unique. If you did not transfer the private key, you must reissue a new certificate after DNS has propagated to the new server:

certbot certonly --webroot -w /var/www/html -d yourdomain.com -d www.yourdomain.com

3For cPanel: reinstall the certificate via WHM

Go to WHM > SSL/TLS > Install an SSL Certificate on a Domain. Paste the certificate content and private key content separately, then click Install.

1Verify the full chain using OpenSSL

openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted /path/to/chain.pem /path/to/cert.pem

A successful result shows cert.pem: OK. Any other output indicates a broken chain.

2Build the correct fullchain.pem manually

The fullchain file must contain the certificate first, then the intermediate certificates in order:

cat /path/to/cert.pem /path/to/chain.pem > /path/to/fullchain.pem

3Configure Nginx to use fullchain.pem

Always use fullchain.pem, never cert.pem alone:

ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

4Configure Apache to use the full chain

SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem

For Apache 2.4.8+, you can use fullchain.pem in SSLCertificateFile and omit SSLCertificateChainFile.

1Test configuration before restarting

# Nginx
nginx -t

# Apache
apache2ctl configtest
# or:
apachectl configtest

Never restart without testing first — a configuration error will take your site offline.

2Restart the web server

# Nginx
systemctl restart nginx

# Apache
systemctl restart apache2
# or:
systemctl restart httpd

3Verify the fix with an external SSL checker

Run a final check using OpenSSL to confirm the complete chain is presented correctly:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>&1 | grep -E "Verify return code|depth|subject"

A clean output should show Verify return code: 0 (ok).

1Check your Cloudflare SSL/TLS mode

Log in to Cloudflare > your domain > SSL/TLS > Overview. The recommended setting after migration is Full (Strict) — this verifies the certificate on your origin server is valid.

2Temporarily set to Flexible to confirm it is a Cloudflare issue

If setting to Flexible resolves the HTTPS error, the problem is with the origin certificate, not Cloudflare configuration. Go back and fix the origin certificate using the steps above, then switch back to Full (Strict).

3Bypass Cloudflare cache during SSL debugging

Test your origin server's SSL directly by temporarily setting DNS to grey-cloud (DNS-only) mode, which bypasses Cloudflare entirely during debugging.

For managed server migrations where SSL, DNS, and CDN settings all need to be coordinated, CloudHouse's server migration team handles the full transition — including SSL re-installation and validation — so HTTPS never drops during your move.

1Confirm DNS is pointing to the new server

dig +short yourdomain.com A
# Should return the new server's IP address

2Issue a new certificate with Certbot

certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com

Or if your web server is running:

certbot --nginx -d yourdomain.com -d www.yourdomain.com
# or for Apache:
certbot --apache -d yourdomain.com -d www.yourdomain.com

3Test auto-renewal

certbot renew --dry-run

Confirm the renewal cron job is installed:

crontab -l | grep certbot
systemctl status certbot.timer

Get the Free Linux Server Admin Cheatsheet (PDF)

Essential commands for server management, networking, and troubleshooting — all on one printable page.

Running Linux servers? Let us manage them for you.

Our Managed Linux Server plans cover updates, security hardening, monitoring, and 24/7 incident response — so your servers stay up and your team stays focused.

Proactive OS patching and security updates
24×7 monitoring with instant alerting
Backup configuration and disaster recovery
Dedicated Linux engineers on call

See Pricing Plans →

What our customers say

“Our production server went down at 2 AM. CloudHouse had it back online in under 20 minutes. Incredible response time.”

Arun S.

CTO, SaaS Startup

“They migrated our entire infrastructure from Ubuntu 18 to 22 with zero downtime. Couldn't have asked for better.”

Deepak N.

DevOps Lead

Frequently Asked Questions

Desktop Chrome caches intermediate SSL certificates from previous visits, which can make an incomplete chain appear to work in Chrome while failing on mobile browsers and API clients that do not have cached intermediates. Use 'openssl s_client -showcerts -connect yourdomain.com:443' to check the full chain being served by your new server.

Book your free 15-minute diagnosis

A certified technician will call you back within 15 minutes during business hours.

Share this article

Comments (0)

Loading comments...