I wonder how they made the mistake? In order for them to check the cert I would have expected the site to present an https URL at some point, otherwise there is no reason to check it. Personally, I do not allow any SE on an SSL section of a site.

There are two points to remember when deciding whether or not to add a cert to a site, apart from it being ecommerce...

An SSL site can more or less circumvent broadband ISPs who intercept your pages for "security" reasons (read, "we want to discover what adverts to send you").

The downside is that the server and client browser have to manage page encryption. Data transfer levels are higher and hence slower. If you want to avoid warning messages being displayed in the browser you have to also serve images, javascript, css etc securely, which can increase the loadings and time dramatically in some cases.

This issue can be caused by someone linking to your site with https. Do a site: search using site:https://www.example.com for your site and see if any pages from your site appear. If so, you may want to take some corrective action like setting up 301 redirects or using the rel="canonical" tag.

This issue can be caused by someone linking to your site with https. Do a site: search using site:https://www.example.com for your site and see if any pages from your site appear. If so, you may want to take some corrective action like setting up 301 redirects or using the rel="canonical" tag.

I have checked to see if anyone has linked to the https:// version and i cannot find anything

I also know i have never had any kind SSL on the site i just don't have any need for it, so i don't understand why Google Visited and left that message but they did and that concerns me as i have a bunch of home page keywords i cannot budge for love nor money, anything is moving and responding to the links i am building, i really dont know if that has an impact or not on that but to be safe, i am going to add the SSL certificate to the site and redirect to the non SSL, as i don't have any traffic for https: but if the bots go there they can see its secure and should solve the issue

or maybe just 301 anything that lands on the Https versions of the site

Ostensibly, they left the message because they discovered an https URL, tried to crawl it, and encountered the certificate issue. How or where they discovered the https URL really doesn't matter. Do the 301 redirect. If the page they first crawled with https had any relative links on it, the problem can continue to cascade through your site.

I installed an SSL certificate on a pandalised site some months ago. Result: a lot of work and zero extra business.

When I try to visit my site using https, I get this message in Firefox: "This Connection is Untrusted"

That's correct. The site is on shared hosting, and the server's certificate is a generic one that applies to all the sites on the server. Because it applies only to the server's name, and not to any of the individual sites on it, it will be reported as untrusted for all those sites.

That's not a problem for me because I have no https content and there is no reason for anyone ever to visit the site with https.

Under those circumstances, if I got an SSL warning from Google about that issue, I would ignore it. Not just because it's irrelevant to my site's operation, but because getting a trusted certificate is expensive and would require moving to dedicated hosting (or maybe VPS would allow it, too?).

Not sure how much of that might be applicable to your situation.

However, maybe this quote actually identifies the problem...

To correct this problem, please get a new SSL certificate from a Certificate Authority (CA) that is trusted by web browsers."

Is there any chance that your certificate was issued by DigiNotar? It's a CA (certifying authority) that was hacked. Many fraudulent digital certificates were created by the hack, and the trust in DigiNotar has been nearly universally revoked in the past month.

If you're on a shared server, perhaps the reason the Google warning went away is that your host got another certificate from a different company, one that is trusted.

When this situation arises, the primary issue for most websites isn't the trustworthiness of the certificate. It's the potential for duplicate content/canonicalization problems. Most sites don't want any search engine accessing their site via HTTPS at all. When they do, they generally get it right, but if your site falls into a corner case where they don't, it can disrupt your rankings for some time. If one search engine encountered an HTTPS link, they all might. That's why I recommended the 301 redirect.

If your hosting service provides SSL on all of its sites from a single certificate, run away! I had this done to one of my sites in the late '90's - very embarassing.

In order to provide proper SSL on a site you need your own unique IP. There is no reason why you cannot have your SSL site on a virtual server that runs loads of sites with separate domains, SSL or not, but you do need an unique IP for each SSL cert and an unique cert per domain or part of a domain. Using YOUR cert on a virtual server alongside lots of other sites with only a single IP is a killer.

Ill revert back to the opening post, the site has never ever had any kind of SSL, its my own server with unique I.P

I think as mentioned above someone must have linked to it somewhere, i have now put a 301 on the root of the folder as mentioned above, this i hope stops any more messages, if the problem does come back ill just add an SSL certificate to the site, but i have no need for one so hopefully with the advice above i have resolved a potential problem

If I understand correctly,

1. You run this server yourself, such as out of your home.
2. You have never installed any kind of SSL certificate, not even a self-signed one that you created only for your own use such as for https testing.
3. Your site does not use https for any legitimate reason (no https content).

As rainborick pointed out, Google would not normally check an https URL unless something made them think there would be content there.

Once they did go there, they should not have been able to connect, and therefore should not have received any certificate at all, not even an "untrusted" one.

What happens when you go to your own site using [yoursite.com...] ?

You should get a Cannot Connect page. In Firefox, it says "Unable to connect. Firefox can't establish a connection to the server at..." (I have only tested this in Windows/Apache. Will test in Linux later on a site where I have not enabled SSL by my own actions, and report if the result is different.)

Conclusions:

1. If you have no need for SSL, you should use your firewall to close port 443. No one should be allowed to connect to your server on that port. If you do this, also remove the redirect that you apparently installed a short time ago.

2. If Google encountered a certificate there, and you are certain that you did not put one there, then you should consider the possibility that your server has been compromised and someone else installed the certificate that was presented to Google.

When this situation arises, the primary issue for most websites isn't the trustworthiness of the certificate.

Yes, but this message specifically refers to the trustworthiness of the certificate. In fact, it specifically refers to the trustworthiness of the certifying authority.

If your hosting service provides SSL on all of its sites from a single certificate, run away!

I'm unclear whether that is directed at my situation which I described earlier.

On ordinary shared hosting, all the websites share the same IP address, and none of the hosted sites can provide public web accessibility via https.

But the host does have an SSL certif on the server (in the server's name) to allow SSL access to cPanel, for example, and sometimes SSH or SFTP.

The certif is probably not an expensive one with a high trust level, and it is definitely not trusted for any individual site on the server (because of the name mismatch), but it does provide an acceptable means of encryption for the purposes it is intended for.

Allowing people to access web pages of any of the hosted sites by https is not one of those intended purposes.

This is a standard setup on shared servers, including at big hosting companies, and not a situation to run away from.

On the other hand, if a hosting company allows its (non-shared, dedicated or VPS) customers to purchase and install a certificate, but they sell all those people the same certificate over and over, I think that would be pretty bad, right? (!)

2. If Google encountered a certificate there, and you are certain that you did not put one there, then you should consider the possibility that your server has been compromised and someone else installed the certificate that was presented to Google.

That's why i assumed it was a mistake by Google, the message was sitting in my account but later that day it disappeared , but it was me maybe worrying over nothing but i do have a couple of keywords that are as stubborn as you can get, and was thinking if Google don't trust my site could this be the reason

We made sure the server was not compromised or never had been.

so im just putting it down to another glitch with Google, but if the message comes again ill just add a certificate