
Certificate Management Service: Troubleshoot certificate deployment issues based on browser error messages

Last Updated: Jan 19, 2026

This topic describes how to troubleshoot and resolve issues that occur when an SSL Certificate does not take effect after deployment or a website is marked as not secure.

Browser displays "Your connection to this site is not secure"

Possible causes: The browser cache is not cleared, the SSL Certificate does not match the domain name, or the certificate has expired.

Solutions:

  • Clear your browser cache and try to access your website again.

  • Check whether the SSL Certificate matches the domain name.

    Method 1: Check in the Certificate Management Service console

    • Log in to the Certificate Management Service console.

    • In the navigation pane on the left, choose Certificate Management > SSL Certificate Management.

    • On the SSL Certificate Management page, find the certificate you deployed and verify that its domain name matches the site's domain name. If the domain names do not match, upload the correct certificate.

    Method 2: Check in the browser

    • Access your website and click the security lock icon in the address bar of your browser.

    • Click Certificate is not valid.

    • On the certificate page, verify that the Common Name (CN) matches the domain name.

  • Check whether the SSL Certificate has expired.

    SSL Certificates have a default validity period of one year. If you have previously installed an SSL Certificate on your server and now see a "not secure" error when accessing your site over HTTPS, the certificate may have expired. You can check the expiration date in two ways.

    Method 1: Check in the Certificate Management Service console

    Method 2: Check in the browser

    • Access your website and click the security lock icon in the address bar of your browser.

    • Click Certificate is not valid.

    • On the certificate page, check the expiration date of the certificate.

  • Check whether the deployed SSL Certificate has an incorrect format.

    Different web servers support different certificate formats. For more information, see Deploy an SSL certificate.
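
The domain name and expiration checks in the list above can also be scripted. The following Python code is an added example, not part of the original documentation; the function names and the sample certificate are constructed for illustration. It compares the hostname with the DNS subjectAltName entries, which is what current browsers match against, and reports a certificate that carries only a CN.

```python
import socket
import ssl
import time

def name_matches(pattern, hostname):
    """'*' may stand only for the whole left-most label (one level deep)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def diagnose(cert, hostname, now, warn_days=30):
    """List problems in a certificate dict as returned by SSLSocket.getpeercert()."""
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        problems.append("no DNS subjectAltName; Chrome ignores the Common Name")
    elif not any(name_matches(name, hostname) for name in sans):
        problems.append(f"name mismatch: {hostname} not in {sans}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append(f"expired {-days_left:.0f} days ago")
    elif days_left < warn_days:
        problems.append(f"expires in {days_left:.0f} days")
    return problems

def check_live(hostname, port=443):
    """Fetch the certificate a server presents and diagnose it (needs network)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report a name mismatch instead of aborting on it
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return diagnose(tls.getpeercert(), hostname, time.time())
    except ssl.SSLCertVerificationError as exc:
        # Expired or untrusted chains fail here, before a dict is available.
        return [f"chain validation failed: {exc.verify_message}"]

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan 19 00:00:00 2027 GMT",
}
```

An empty list from `check_live("your-domain")` means the served certificate covers the name and is not close to expiry.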

Possible cause: The certificate path or certificate file name in the configuration file is incorrect.

Solution:

Check the SSL Certificate settings in the configuration file of your web server. Make sure that the certificate path and file name specified in the configuration file exactly match the actual path and file name on the server. The following code provides a configuration example for Nginx:

server {
    listen 443 ssl;
    server_name example.com;

    # Replace the following paths with your own SSL certificate and private key file paths
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Other configurations...
}

Possible cause: You purchased a new certificate, but the web server is still using the old one, or the SSL Certificate path in the configuration file has not been updated.

Solution:

Create a deployment task to upload the issued certificate to a specified path on your cloud server or replace the certificate file in a specified path. For more information, see Cloud server deployment: Deploy an SSL certificate to an ECS instance or a Simple Application Server.

Browser displays "This site can't be reached"

Possible cause: Port 443 is not open.

Solutions:

  • If you use an Alibaba Cloud ECS server, go to the Security Groups page in the ECS console and open port 443. For more information about how to configure a security group, see Add a security group rule.

    Note

    When you access a website using a default port, you can enter the domain name directly for HTTP (default port 80) or HTTPS (default port 443). If you use a non-default port, you must add the port number after the domain name in the http://domain_name:port_number or https://domain_name:port_number format.

  • Ensure that the server allows HTTPS connections on the default port 443. If you use a non-standard port, ensure that the port is open and not occupied by another service.

  • If you have a firewall set up, check the firewall settings of the server to make sure that they are not blocking external access to port 443.

  • If you do not use an Alibaba Cloud ECS server, refer to the security settings guide for your server to open port 443.

Possible cause: The web server configuration is incorrect.

Solutions:

  • Check the configuration file of the web server to ensure that the SSL/TLS-related directives are set correctly and that the web server is listening on port 443.

  • Check the configuration file for syntax errors.

Possible cause: The SSL Certificate has expired or was not issued correctly.

Solutions:

  • Check whether the certificate has expired. If the certificate has expired, renew it promptly. For more information, see Renew an SSL certificate and handle expiration.

  • Check whether the certificate was issued correctly and matches your domain name.

Possible cause: DNS resolution issue.

Solutions:

  • Confirm that your domain name correctly points to the IP address of the server. Use the ping or nslookup command to check whether the domain name resolves to the correct IP address.

  • If you use a CDN service, confirm that the CDN settings are correct and are not blocking HTTPS traffic.
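
The causes listed in this section (DNS resolution, a closed port 443, a listener that does not complete a TLS handshake) can be told apart by checking them in order. The following Python code is an added example, not part of the original documentation; `triage` and its parameters are hypothetical names, and `expected_ip` is the address you expect the domain name to resolve to.

```python
import socket
import ssl

def triage(host, port=443, expected_ip=None, timeout=5.0):
    """Return (stage, detail); stage is the first check that fails, or 'ok'."""
    # 1. DNS: does the name resolve, and to the address of your server?
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"{host} does not resolve: {exc}"
    addrs = sorted({info[4][0] for info in infos})
    if expected_ip and expected_ip not in addrs:
        return "dns", f"{host} resolves to {addrs}, expected {expected_ip}"
    # 2. TCP: is the port reachable (security group, firewall, listener)?
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"cannot connect to {host}:{port}: {exc}"
    # 3. TLS: does the listener complete a handshake?
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # certificate validity is a separate check
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", f"{tls.version()} negotiated on port {port}"
    except (ssl.SSLError, OSError) as exc:
        return "tls", f"port open but TLS handshake failed: {exc}"
```

A `tcp` result points to the security group or firewall, and a `tls` result points to the web server configuration.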

Note

If the preceding steps do not resolve the issue, review the log files of your web server and application for more detailed information. Also, try to access the website from another device or location to rule out issues that are specific to your on-premises network or device. If you have more questions, contact your account manager for consultation.

Browser displays "uses an unsupported protocol"

Possible causes: Your web server might be using an insecure protocol version, such as SSL 2.0, SSL 3.0, TLS 1.0, or TLS 1.1. The TLS protocol configured on the web server may also be inconsistent with the TLS protocol supported by the operating system.

Solutions:

  • Use a more secure protocol version, such as TLS 1.2 or TLS 1.3, in the web server configuration file. The following example shows how to set the supported SSL/TLS protocol versions in the configuration file for Nginx. Ensure that your client supports the configured TLS protocol versions. Otherwise, connection failures may occur.

       server {
           listen 443 ssl;
           server_name yourdomain.com;
    
           # SSL certificate and key paths
           ssl_certificate /path/to/your_certificate.crt;
           ssl_certificate_key /path/to/your_private.key;
    
           # Set the supported SSL/TLS protocol versions
           ssl_protocols TLSv1.2 TLSv1.3;
    
           # Optional: Set more secure cipher suites
           ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
           
           location / {
               root /var/www/html;
               index index.html index.htm;
           }
       }

  • Ensure that the cipher suite used by the server is consistent with the TLS protocol supported by the operating system. Configure the relevant settings in the operating system. The method for configuring the TLS protocol varies by operating system. The following steps describe how to configure the TLS protocol in Windows.

    1. Open Control Panel and click Network and Internet.

    2. On the Network and Internet page, click Internet Options, and then click the Advanced tab.

    3. Select TLS 1.2 or TLS 1.3 to provide better security and compatibility.
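
Both Nginx checks on this page, the certificate path and file name in the configuration file and the ssl_protocols setting shown above, can be run against a configuration file before reloading the server. The following Python code is an added example, not part of the original documentation; `audit_nginx_tls` is a hypothetical helper that assumes a flat configuration with one directive per line and no include files, and the sample configuration is constructed.

```python
import os
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Nginx reads PEM files; this is the block type expected for each directive.
PEM_KIND = {"ssl_certificate": "CERTIFICATE", "ssl_certificate_key": "PRIVATE KEY"}
DIRECTIVE = re.compile(
    r"^\s*(listen|ssl_certificate_key|ssl_certificate|ssl_protocols)\s+([^;]+);", re.M)

def audit_nginx_tls(conf_text):
    """Return a list of findings for one flat server block (no include handling)."""
    found = {}
    for name, value in DIRECTIVE.findall(re.sub(r"#[^\n]*", "", conf_text)):
        found.setdefault(name, []).append(value.split())
    findings = []
    if not any(a[0].rsplit(":", 1)[-1] == "443" and "ssl" in a
               for a in found.get("listen", [])):
        findings.append("no 'listen 443 ssl' directive")
    for name, kind in PEM_KIND.items():
        for args in found.get(name) or [[None]]:
            path = args[0]
            if path is None:
                findings.append(f"{name} directive missing")
            elif not os.path.isfile(path):
                findings.append(f"{name}: {path} does not exist")
            else:
                with open(path, errors="replace") as fh:
                    pem = re.search(r"-----BEGIN [A-Z ]*" + kind + "-----", fh.read())
                if not pem:
                    findings.append(f"{name}: {path} has no PEM {kind} block")
    for args in found.get("ssl_protocols", []):
        weak = sorted(WEAK_PROTOCOLS.intersection(args))
        if weak:
            findings.append("ssl_protocols enables " + ", ".join(weak))
    return findings

# Constructed sample: the paths do not exist here and TLSv1 is still enabled.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /nonexistent/ssl/example.com.crt;
    ssl_certificate_key /nonexistent/ssl/example.com.key;
    ssl_protocols TLSv1 TLSv1.2 TLSv1.3;
}
"""
```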

Browser displays "Parts of this page are not secure (such as images)" or external resources (images, scripts, styles, etc.) fail to load

Possible cause: Your website code references resources using the HTTP protocol.

Solutions:

  • Update all HTTP resources to HTTPS to ensure that all external resources, such as images, scripts, and styles, can be loaded over the HTTPS protocol.

  • If the resources are on the same domain as your website, use relative URLs. This allows the browser to automatically use the protocol of the current page (HTTP or HTTPS) to load the resources.

  • Check whether third-party resources support HTTPS, or directly remove the references to the relevant HTTP resources. After you deploy the changes, access the website again.
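
To find the HTTP references described above, the page source can be scanned for sub-resources that are loaded over http://. The following Python code is an added example, not part of the original documentation; `find_mixed_content` is a hypothetical helper and the sample page is constructed. It suggests a relative URL for same-site resources and an https:// candidate for third-party ones, which still has to be confirmed as the third solution says.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute whose URL the browser fetches as a sub-resource.
LOADING_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
                 "video": "src", "source": "src", "embed": "src", "link": "href"}
# <link> only fetches for these rel values (rel="canonical" does not).
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    """Collect (tag, url, suggested_replacement) for http:// sub-resources."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.hits = site_host.lower(), []

    def _record(self, tag, url):
        parts = urlsplit(url.strip())
        if parts.scheme.lower() != "http":
            return  # https:// and relative URLs need no change
        if parts.hostname == self.site_host:
            # Same site: a relative URL inherits the scheme of the page.
            fix = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        else:
            # Third party: a candidate only; confirm the host serves HTTPS.
            fix = parts._replace(scheme="https").geturl()
        self.hits.append((tag, url, fix))

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        rels = set(a.get("rel", "").lower().split())
        if tag in LOADING_ATTRS and (tag != "link" or rels & LOADING_RELS):
            self._record(tag, a.get(LOADING_ATTRS[tag], ""))
        for url in CSS_URL.findall(a.get("style", "")):  # inline CSS url(...)
            self._record(tag, url)

def find_mixed_content(html, site_host):
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    return finder.hits

# Constructed sample page for the site example.com.
SAMPLE_PAGE = """
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/css/site.css?v=2">
<script src="http://cdn.example.net/lib.js"></script>
<img src="https://example.com/ok.png"><img src="/img/relative.png">
<a href="http://example.org/">navigation link, not a sub-resource</a>
<div style="background:url('http://example.com/bg.png')"></div>
"""
```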

Note

The implementation logic of website code varies. Make modifications as needed. If you have questions, contact your account manager for consultation.