This topic describes how to troubleshoot a certificate that does not take effect, or a website that is reported as insecure, after the certificate is installed. This topic also describes the corresponding solutions.
The browser displays the "Your connection to this site is not secure" message

Possible cause: The browser cache is not cleared, the domain name that is bound to the certificate is different from the domain name of the website, or the certificate is expired.
Solution:
Clear the browser cache and access the website again.
Check whether the domain name that is bound to the certificate is the same as the domain name of the website.
Method 1: Use the Certificate Management Service console
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
On the SSL Certificate Management page, find the certificate and check whether the domain name that is bound to the certificate is the same as the domain name of the website. If the domain names do not match, upload the certificate to which the domain name of the website is bound.
Method 2: Use a browser
Access the domain name of the website and click the security lock in the address bar of the browser.
Click Certificate is not valid.

On the page that appears, check whether the value of the Common Name (CN) parameter is the same as the domain name of the website.

Check whether the certificate is expired.
The default validity period of a certificate is one year. If this is not the first time that the certificate is installed, check whether the certificate is expired. You can use one of the following methods to perform the check:
Method 1: Use the Certificate Management Service console
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
On the SSL Certificate Management page, find the certificate and check whether the certificate is expired.
If the certificate is expired, renew the certificate. For more information, see Renew an official SSL certificate.

Method 2: Use a browser
Access the domain name that is bound to the certificate, and click the security lock icon in the address bar of the browser.
Click Certificate is not valid.

On the page that appears, view the expiration time of the certificate.

Check whether the format of the installed certificate is valid.
Different types of servers support different certificate formats. For more information, see Deploy SSL certificates.
Possible cause: The certificate path or certificate file name in the configuration file is incorrect.
Solution:
Check the certificate-related settings in the configuration file of your web server to ensure that the specified certificate path and certificate file name are correct. The following sample code provides an example of the certificate-related settings in the configuration file of an NGINX server:
server {
    listen 443 ssl;
    server_name example.com;
    # Replace the following paths with the paths to your certificate file and private key file:
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # Other configurations.
}
Possible cause: A new certificate is purchased, but the website still uses the old certificate, or the paths to the new certificate file and private key file are not updated.
Solution:
Create a deployment task to upload the new certificate to the specified directory of your cloud server, or replace the certificate file in the specified directory. For more information, see Manually deploy a certificate to an Alibaba Cloud simple application server or an ECS instance.
The browser displays the "This site can't be reached" message

Possible cause: Port 443 is disabled on your server.
Solution:
If your website is hosted on an Alibaba Cloud Elastic Compute Service (ECS) instance, log on to the ECS console and go to the Security Groups page. Then, configure security group rules to allow traffic over port 443. For more information about how to configure security group rules, see Add a security group rule.
Note: If you allow access to a website over a default port, you can directly enter the domain name for access. Port 80 is the default HTTP port and port 443 is the default HTTPS port. If you allow access over a non-default port, you must append the port number to the domain name in the http://Domain name:Port number or https://Domain name:Port number format.
Make sure that HTTPS connections to the server use the default port 443. If the connections use a non-standard port, check whether the port is enabled and whether it is occupied by other services.
If you configured a firewall, check the firewall settings of the server to ensure that external access to port 443 is allowed.

If your website is hosted on a server other than an Alibaba Cloud ECS instance, refer to the documentation of the server and follow the related instructions to allow traffic over port 443.
Possible cause: The web server is incorrectly configured.
Solution:
Check the configuration file of the web server to ensure that the SSL/TLS settings are correct and that the server listens on port 443.
Check whether the configuration file has syntax errors.
Possible cause: The certificate is expired or incorrectly issued.
Solution:
Check whether the certificate is expired. If the certificate is expired, renew the certificate. For more information, see Renew an official SSL certificate.

Check whether the certificate is correctly issued and matches your domain name.

Possible cause: A DNS resolution error occurred.
Solution:
Check whether your domain name points to the IP address of the server. You can run the ping or nslookup command to check whether the domain name is resolved to the required IP address.
If you use Alibaba Cloud CDN (CDN), make sure that CDN settings are correctly configured and HTTPS traffic is allowed.
If the issue persists, we recommend that you review the log files of your web server and application to obtain more information. You can also access the website by using a different device or location to troubleshoot issues specific to your network or device. If you still have questions, contact your account manager.
The browser displays a message indicating that the website uses an unsupported protocol

Possible cause: Your web server uses an insecure protocol version, such as SSL 2.0, SSL 3.0, TLS 1.0, or TLS 1.1, or the web server may be configured with a TLS version that is not supported by your operating system.
Solution:
Use a secure protocol version, such as TLS 1.2 or TLS 1.3, in the configuration file of the web server. The following sample code provides an example of how to specify the supported SSL/TLS versions in the configuration file of an NGINX server. Before you specify SSL/TLS versions, make sure that your client supports the versions. This helps prevent connection failures.
server {
    listen 443 ssl;
    server_name yourdomain.com;
    # The paths to the certificate and private key files.
    ssl_certificate /path/to/your_certificate.crt;
    ssl_certificate_key /path/to/your_private.key;
    # Specify the SSL/TLS versions that you want the certificate to support.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Optional. Specify cipher suites that provide higher security.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    location / {
        root /var/www/html;
        index index.html index.htm;
    }
}
Make sure that the cipher suites used by the server match the TLS versions supported by the operating system. You can configure the related settings in the operating system. The methods for specifying TLS versions vary based on the operating system. The following section describes how to specify TLS versions in a Windows operating system.
Open Internet Explorer and click Network and Internet.
In the Network and Internet panel, click Internet Options. In the Internet Options dialog box, click the Advanced tab.
Enable TLS 1.2 or TLS 1.3 to improve security and compatibility.
The browser displays a message indicating that specific content such as images on the current page is insecure or external resources such as images, scripts, or styles cannot be loaded
Possible cause: HTTP resources are referenced in the code of your website.
Solution:
Update all HTTP resources to HTTPS to ensure that all external resources, such as images, scripts, and styles, can be loaded over HTTPS.
If the same domain name is bound to the resource and your website, you can use a relative URL to allow the browser to automatically use the protocol of the current page to load the resource. The protocol can be HTTP or HTTPS.
Check whether third-party resources support HTTPS, or remove references to related HTTP resources and access the website after deployment and release.
The implementation logic varies based on the website code. Modify the settings based on your business requirements. If you still have questions, contact your account manager.