After you deploy an SSL certificate to your web server, browsers may display error messages that indicate configuration problems. This guide helps you identify the cause and apply the correct fix based on the specific error message.
"Your connection to this site is not secure"
This error means the browser cannot establish a trusted HTTPS connection to your server.
Possible causes
Stale browser cache: The browser cached an old or invalid certificate.
Certificate-domain mismatch: The Common Name (CN) on the certificate does not match the domain in the URL.
Expired certificate: SSL certificates have a default validity period of one year. The certificate may have expired.
Incorrect certificate format: Different web servers require different certificate file formats.
Wrong certificate path or filename: The paths in the web server configuration file do not match the actual file locations.
Outdated certificate on the server: An older version of the certificate is still deployed on the server.
Solutions
Clear browser cache
Clear your browser cache and reload the page. If the error persists, proceed to the next solutions.
Verify certificate-domain match
Option A: Check in the Certificate Management Service console
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
Locate your certificate and verify that the bound domain matches the domain in your browser address bar. If the domain names do not match, upload the correct certificate.
Option B: Check in the browser
Click the Certificate is not valid link or the padlock icon in the address bar.
View the certificate details. Confirm that the Common Name (CN) field matches the domain you are accessing.
Check certificate expiration
Option A: Check in the Certificate Management Service console
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
Locate your certificate and check the expiration date.
If the certificate has expired, renew it. For more information, see Renew an SSL certificate and handle expiration.
Option B: Check in the browser
Click the padlock icon or the Certificate is not valid link in the address bar. The certificate details show the validity period.
Check the certificate format
Different web servers support different certificate formats. Deploy the correct format for your web server. For more information, see Deploy an SSL certificate.
Check certificate paths in the configuration file
Verify that the certificate and private key paths in your web server configuration file point to the correct files.
Example NGINX configuration:
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
}
Confirm that /etc/nginx/ssl/example.com.crt and /etc/nginx/ssl/example.com.key exist and contain valid content.
Redeploy the certificate
If you recently renewed or reissued your certificate, redeploy it to the server. Then restart the web server to load the new certificate.
For cloud server deployment, see Deploy an SSL certificate to an Elastic Compute Service (ECS) instance or a Simple Application Server.
"This site can't be reached"
This error means the browser cannot connect to the server at all. The issue is typically at the network or server level.
Possible causes
Port 443 is not open: The HTTPS default port (443) is blocked by a firewall or security group rule.
Incorrect web server configuration: The web server is not configured to handle HTTPS requests.
Expired or incorrectly issued certificate: The certificate cannot be validated.
DNS resolution failure: The domain does not resolve to the correct IP address.
Solutions
Open port 443
HTTPS uses port 443 by default. HTTP uses port 80. If you use a non-default port, the URL must follow the format https://domain_name:port_number.
For Elastic Compute Service (ECS) instances:
Log on to the Security Groups page in the ECS console.
Locate the security group associated with your instance.
Add an inbound rule that allows TCP traffic on port 443.
For detailed steps, see Add a security group rule.
For other servers:
Check your firewall settings and ensure port 443 is open for inbound TCP traffic.
Check web server configuration
Verify that your web server configuration file includes the correct HTTPS settings. For NGINX, the configuration must include the listen 443 ssl; directive and valid certificate paths.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
}
After updating the configuration, restart the web server.
Verify the certificate
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
Verify that the certificate status is valid and correctly issued.
If the certificate has expired, renew it. For more information, see Renew an SSL certificate and handle expiration.
Check DNS resolution
Run the following commands to verify that your domain resolves to the correct server IP address:
ping your_domain
nslookup your_domain
If the domain does not resolve correctly:
Check your DNS records in your domain registrar's control panel.
If you use Content Delivery Network (CDN), verify the CDN settings and ensure the origin server address is correct.
If the preceding steps do not resolve the issue, review the log files of your web server and application for more detailed information. Also, try to access the website from another device or location to rule out issues that are specific to your local network or device. If you have more questions, contact your account manager for consultation.
"Uses an unsupported protocol"
This error means the server uses an outdated, insecure protocol that the browser refuses to accept.
Possible causes
Insecure protocol versions enabled: The server uses SSL 2.0, SSL 3.0, TLS 1.0, or TLS 1.1. Modern browsers block these protocols due to known security vulnerabilities.
TLS protocol mismatch: The TLS version configured on the server is not supported by the client operating system or browser.
Solutions
Configure TLS 1.2 and TLS 1.3 on the web server
Disable insecure protocols and enable only TLS 1.2 and TLS 1.3.
NGINX configuration example:
server {
    listen 443 ssl;
    server_name example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
}
After updating the configuration, restart NGINX.
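The NGINX checks this guide describes (certificate and key paths, the listen 443 ssl; directive, and ssl_protocols) can be run together against a server block. The following is an added example, not part of the original guide or of NGINX; the function names, the simplified directive parser (one flat server block, no include files or settings inherited from the http level) and the sample configuration are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # versions the guide says to disable
PEM_MARKER = {"ssl_certificate": "-----BEGIN CERTIFICATE-----",
              "ssl_certificate_key": "PRIVATE KEY-----"}

def directives(server_block: str) -> dict:
    """Map directive name -> list of argument lists (simplified parser)."""
    text = re.sub(r"#[^\n]*", "", server_block)  # drop comments
    found = {}
    for name, args in re.findall(r"(\w+)\s+([^;{}]*);", text):
        found.setdefault(name, []).append(args.split())
    return found

def audit(server_block: str) -> list:
    """Return findings; an empty list means every check passed."""
    d, findings = directives(server_block), []
    if not any(a and a[0].rsplit(":", 1)[-1] == "443" and "ssl" in a[1:]
               for a in d.get("listen", [])):
        findings.append("no 'listen 443 ssl;' directive")
    for name, marker in PEM_MARKER.items():
        path = Path(d[name][-1][0]) if name in d else None
        if path is None:
            findings.append(f"{name} is missing")
        elif not path.is_file():
            findings.append(f"{name}: {path} does not exist")
        elif marker not in path.read_text(errors="replace"):
            findings.append(f"{name}: {path} has no '{marker}' block")
    protos = {p for args in d.get("ssl_protocols", []) for p in args}
    findings += [f"ssl_protocols enables insecure {p}" for p in sorted(protos & WEAK)]
    return findings

def demo() -> list:
    """Constructed sample: the key path points at the certificate, TLSv1 is on."""
    with tempfile.TemporaryDirectory() as tmp:
        crt = Path(tmp, "example.com.crt")
        crt.write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
        conf = f"""server {{
            listen 443 ssl;
            ssl_protocols TLSv1 TLSv1.2;
            ssl_certificate {crt};
            ssl_certificate_key {crt};
        }}"""
        return audit(conf)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The PEM marker test only confirms that each path points at the right kind of file; it does not prove that the key belongs to the certificate or that the certificate is still valid.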
Update TLS settings on the client operating system
If the error appears only on specific client machines, the operating system may not support the required TLS version.
Windows example:
Open Control Panel > Network and Internet > Internet Options.
Click the Advanced tab.
Under the Security section, select Use TLS 1.2 and Use TLS 1.3 (if available).
Clear the checkboxes for Use SSL 2.0, Use SSL 3.0, Use TLS 1.0, and Use TLS 1.1.
Click OK and restart the browser.
"Parts of this page are not secure (such as images)"
This warning appears when a page loads over HTTPS but references resources (images, scripts, stylesheets, or other assets) over HTTP. Browsers call this mixed content and may block the insecure resources.
Possible causes
The website source code contains hardcoded http:// URLs for images, scripts, or other resources.
Third-party resources are loaded over HTTP.
Solutions
Update HTTP resource URLs to HTTPS
Search your website source code for all http:// resource references and replace them with https://.
Before:
<img src="http://example.com/image.png" />
<script src="http://example.com/script.js"></script>
After:
<img src="https://example.com/image.png" />
<script src="https://example.com/script.js"></script>
Use relative URLs for same-domain resources
For resources hosted on the same domain, use protocol-relative or path-relative URLs.
Protocol-relative URL:
<img src="//example.com/image.png" />
Path-relative URL:
<img src="/images/image.png" />
Check third-party resources
For resources loaded from third-party domains:
Verify that the third-party service supports HTTPS. If it does, update the URL to use https://.
If the third-party service does not support HTTPS, host the resource on your own server or find an alternative provider that supports HTTPS.
Remove any unnecessary third-party HTTP references.
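One way to carry out the source-code search described above is to scan each HTML file for http:// subresource references and sort them into same-domain and third-party cases. This is an added example, not part of the original guide; the names scan and MixedContentScanner and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource. <a href> is navigation,
# not a subresource, so it never triggers the mixed-content warning.
FETCHING = {("img", "src"), ("img", "srcset"), ("script", "src"), ("link", "href"),
            ("iframe", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, tag, url, advice)

    def handle_starttag(self, tag, attrs):
        rel = set((dict(attrs).get("rel") or "").lower().split())
        if tag == "link" and not rel & {"stylesheet", "icon", "preload"}:
            return  # e.g. rel="canonical" is metadata, nothing is fetched
        for name, value in attrs:
            if (tag, name) not in FETCHING or not value:
                continue
            # srcset is a comma-separated list of "url descriptor" candidates
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value.strip()])
            for url in urls:
                parts = urlsplit(url)
                if parts.scheme.lower() != "http":
                    continue  # https://, //host/path and /path are not flagged
                advice = ("same domain: use https:// or a relative URL"
                          if parts.hostname == self.site_host
                          else "third party: confirm HTTPS support or self-host")
                self.findings.append((self.getpos()[0], tag, url, advice))

def scan(html, site_host):
    """Return (line, tag, url, advice) for every http:// subresource."""
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
</head><body>
<a href="http://example.org/">navigation link</a>
<img src="http://example.com/image.png" />
<img src="//example.com/image.png" srcset="http://example.com/2x.png 2x" />
</body></html>"""  # constructed page

if __name__ == "__main__":
    print(*scan(SAMPLE, "example.com"), sep="\n")
```

The scanner reads static markup only, so URLs that scripts or stylesheets request at run time still need a check in the browser's developer console.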
If the issue persists after you try the solutions in this guide, review the log files of your web server and application for more detailed information. Also, try to access the website from another device or location to rule out issues specific to your local network or device. If you still need help, contact your account manager for consultation.