Browser shows a
security warning.
The padlock is broken or the browser blocks the page entirely. This is almost always one of three things: expired cert, mixed HTTP/HTTPS content, or a new custom domain where the cert hasn't issued yet.
Identify the exact error first
Click the lock icon (or warning) in the browser address bar โ Certificate. It'll show the expiry date and issuer. F12 โ Console will show mixed content warnings as yellow or red alerts.
Common causes & fixes
Check the expiry date in the cert details. For GitHub Pages, delete and re-add your custom domain in Settings โ Pages to trigger a cert reissue.
Your HTTPS page is loading something over HTTP. F12 โ Console shows these as warnings. Change all resource URLs to https:// or //.
After pointing a custom domain to GitHub Pages, the cert takes 10โ30 minutes to issue. Wait, then check Settings โ Pages for the HTTPS checkbox.
If you're testing locally with a self-signed cert, browsers will warn. Use localhost or a tool like mkcert for local HTTPS.
Check your cert expiry from terminal:
# Check SSL cert from terminal: curl -vI https://yourdomain.com 2>&1 | grep -E 'expire|subject|issuer' # Or test with openssl: echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates