After you configure an SSL certificate for your domain in the Alibaba Cloud CDN console, browsers may still display certificate-related warnings. The following sections cover the most common causes and how to fix them.
Expired certificate
Symptom: The browser displays a message such as "Your connection is not private" (Chrome), "This Connection Is Not Secure" (Firefox), or "This website's security certificate is expired" (Edge). The certificate has passed its validity date. Browsers reject expired certificates regardless of the issuer.
Resolution: Renew the certificate, then update it in the CDN console.
If you purchased the certificate through SSL Certificates Service, see Manually renew an SSL certificate.
To update the certificate in CDN after renewal, see Configure an SSL certificate.
Incorrect system time
Symptom: A valid certificate appears expired or is flagged as not yet valid.
Certificate validation checks the current date against the certificate's validity period. If your computer's clock is significantly off, the browser may treat a valid certificate as expired or not yet valid.
Resolution: Verify that your computer's system time and date are correct, then revisit the website.
Self-signed certificate
Symptom: The browser displays "NET::ERR_CERT_AUTHORITY_INVALID" (Chrome) or "SEC_ERROR_UNKNOWN_ISSUER" (Firefox).
A self-signed certificate is one you generate yourself rather than one issued by a certificate authority (CA). Browsers do not trust self-signed certificates by default: no trusted CA vouches for them, so they can be forged, which leaves connections vulnerable to man-in-the-middle (MITM) attacks.
Resolution: Replace the self-signed certificate with one issued by a trusted CA. Purchase an SSL certificate through SSL Certificates Service.
Mixed content (HTTP resources on an HTTPS page)
Symptom: The browser removes the padlock icon from the address bar, or loads the page but blocks certain resources. The browser console may show warnings such as "Mixed Content: The page was loaded over HTTPS, but requested an insecure resource."
When a page is served over HTTPS but loads resources — such as images, scripts, or stylesheets — over HTTP, browsers flag this as a security risk.
Resolution: Change all HTTP resource URLs in your web pages to HTTPS. To identify affected resources, open the browser's developer tools (F12), go to the Console tab, and look for mixed content warnings that list the specific HTTP resource URLs.
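The same check can be run offline against saved HTML before a page is deployed. The following is an added example, not part of the original page or of any Alibaba Cloud tool; the function names, the sample markup, and the active/passive labels are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Attributes that fetch a subresource. <a href> is navigation, so it is absent.
FETCHING_ATTRS = {
    ("img", "src"), ("img", "srcset"), ("source", "src"), ("source", "srcset"),
    ("audio", "src"), ("video", "src"), ("video", "poster"), ("script", "src"),
    ("iframe", "src"), ("embed", "src"), ("object", "data"), ("link", "href"),
}
# <link> fetches only for some rel values (rel="canonical" does not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}
# Assumption, not from the page: browsers block these tags' insecure loads.
ACTIVE_TAGS = {"script", "iframe", "link", "embed", "object"}

class MixedContentFinder(HTMLParser):
    """Collects http:// subresource URLs as (line, tag, attribute, url, kind)."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        rels = set((dict(attrs).get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        for name, value in attrs:
            if (tag, name) not in FETCHING_ATTRS or not value:
                continue
            # srcset is a comma-separated list of "url descriptor" candidates.
            parts = value.split(",") if name == "srcset" else [value]
            for part in parts:
                url = (part.split() or [""])[0]
                if url.lower().startswith("http://"):
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((self.getpos()[0], tag, name, url, kind))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, not taken from a real site.
SAMPLE = """<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://static.example.com/site.css">
<a href="http://example.com/old-page">Old page</a>
<img src="/logo.png" srcset="http://img.example.com/a.png 1x, https://img.example.com/b.png 2x">
<script src="HTTP://static.example.com/legacy.js"></script>"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```

Each finding gives the source line, so the URL can be changed to HTTPS where it is written; resources injected by scripts at run time still only show up in the browser console.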
Outdated TLS version
Symptom: The browser displays "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" (Chrome) or "SSL_ERROR_NO_CYPHER_OVERLAP" (Firefox).
Transport Layer Security (TLS) has six protocol versions: SSLv2, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. SSLv2, SSLv3, TLS 1.0, and TLS 1.1 have known vulnerabilities and are no longer considered secure. Some browsers reject connections that use these older versions.
Resolution: Set the minimum TLS version to TLS 1.2 or TLS 1.3 in the Alibaba Cloud CDN console. For instructions, see Configure TLS version control.
To verify the TLS version your domain currently negotiates, run the following command:
openssl s_client -connect your-domain.com:443 -tls1_1
If the connection succeeds, the server still accepts TLS 1.1 or earlier. After updating the TLS settings in the CDN console, rerun the command to confirm the older version is rejected.
Weak cipher suite
Symptom: Security scanners or browsers flag the connection as using insufficient encryption.
A cipher suite with insufficient encryption strength can expose data in transit.
Resolution: Use 128-bit Advanced Encryption Standard with Galois/Counter Mode (AES-GCM) for encryption and ECDHE_RSA as the key exchange mechanism.