This topic describes how to troubleshoot HTTPS access exceptions that appear after a website is connected to WAF while HTTP access remains normal. Typical symptoms: the page fails to open, the browser reports that the certificate cannot be trusted, some ports cannot be called, and particular device models, operating systems, or apps get access errors.
HTTPS enabled and certificate uploaded?
Is the certificate chain complete?
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQFmr88Z0mn6rEleGaC6UVEzANBgkqhkiG9w0BAQsFADCB
Obc3E+7h0u6cUXaQAmFNZ2a...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwINMTYwNjA3MDAwMDAwmlTaWduLCBJbmMuMRLnN5bWNiLmNvbS9
wY2EzLWc1Lm1hbnRlY1BLSS0yLTU...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIG/TCCBeWgAwIBAgIQLMUH03pBzhUCrOR0SsKM+DANBgkqhkiG9w0BAQsFADB+
NzIDMgUHVibGljIFByaW1...
-----END CERTIFICATE-----
A complete chain is the server certificate followed by the intermediate CA certificate(s) that lead to a trusted root, concatenated in that order as in the example above (the root itself is optional). If the chain is incomplete, typically because an intermediate is missing, the browser may report that the certificate cannot be trusted, and some Android phones, operating systems, or apps fail to connect or behave abnormally. Access can still look normal from some environments: desktop browsers often already have, or fetch on their own, the intermediate that the bundle lacks, which is why the site may work from one place and fail from another.
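The two checks implied above, as an added example that is not part of this WAF documentation: a POSIX shell script that uses the openssl CLI to (1) confirm each certificate in a PEM bundle is followed by its issuer, i.e. the order WAF expects, and (2) confirm the bundle reaches a trusted root, which is the check that actually catches a missing intermediate. The make_test_chain function builds a throw-away root/intermediate/leaf chain as constructed test input; www.example.com, the "Example Test" names and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not part of the WAF documentation): check a PEM bundle before
# uploading it to WAF. Two independent checks, because each catches something
# the other cannot:
#   chain_linked   - order: server certificate first, then each intermediate,
#                    i.e. cert[i].issuer == cert[i+1].subject
#   chain_verifies - the first certificate validates up to a trusted root using
#                    the rest of the bundle, which is what exposes a *missing*
#                    intermediate (a lone server certificate is trivially "linked")
# Needs the openssl CLI (1.1.1 or later). Everything under make_test_chain is
# constructed test data, not a real CA.

# Split a PEM bundle into cert-01.pem, cert-02.pem, ... inside directory $2.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
}

# Distinguished name of a certificate without the "subject="/"issuer=" prefix,
# so an issuer and a subject can be compared as plain strings.
dn() {   # args: cert-file subject|issuer
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[^=]*=//'
}

# Exit 0 if every certificate is followed by its issuer; report the first break.
chain_linked() {   # args: bundle
    dir=$(mktemp -d); rc=0; prev_issuer=""
    split_pem "$1" "$dir"
    for cert in "$dir"/cert-*.pem; do
        subject=$(dn "$cert" subject)
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "chain break: expected '$prev_issuer' next, found '$subject'" >&2
            rc=1
        fi
        prev_issuer=$(dn "$cert" issuer)
    done
    rm -rf "$dir"
    return $rc
}

# Exit 0 if the first certificate in the bundle validates up to a trusted root,
# using the other certificates in the bundle as untrusted intermediates.
# $2 is the trust anchor file; omit it to use the system trust store, which is
# what a real client does.
chain_verifies() {   # args: bundle [root-ca-file]
    dir=$(mktemp -d)
    split_pem "$1" "$dir"
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$1" "$dir/cert-01.pem" >/dev/null 2>&1
    else
        openssl verify -untrusted "$1" "$dir/cert-01.pem" >/dev/null 2>&1
    fi
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Constructed test data: a private root, an intermediate and a server
# certificate for www.example.com, plus three candidate bundles.
make_test_chain() {   # args: output-dir
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1000 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 1001 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" > "$d/chain-ok.pem"         # what WAF expects
    cat "$d/int.pem" "$d/leaf.pem" > "$d/chain-reversed.pem"   # wrong order
    cp  "$d/leaf.pem"              "$d/chain-leaf-only.pem"    # intermediate missing
}

# Usage: sh check_chain.sh bundle.pem [root-ca.pem]
if [ $# -gt 0 ]; then
    chain_linked "$1"   && echo "order: ok"      || echo "order: BROKEN"
    chain_verifies "$@" && echo "trust path: ok" || echo "trust path: INCOMPLETE"
fi
```

Run it as `sh check_chain.sh bundle.pem` to validate against the system trust store, or `sh check_chain.sh bundle.pem root.pem` to pin the trust anchor. To inspect the chain WAF actually presents rather than the file you uploaded, capture it with `openssl s_client -connect <WAF address>:443 -servername www.example.com -showcerts </dev/null` and feed that output to the same functions (split_pem ignores the non-PEM lines); repeating the command with `-noservername` reproduces a client that does not send SNI, which is the failure mode discussed in the SNI section below.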
If only certain clients or applications cannot reach the HTTPS service and report “SSL handshake failed/error” or “the certificate cannot be trusted”, the client probably does not send SNI (Server Name Indication). WAF selects the certificate to present from the host name in the client's SNI extension; a client that sends none cannot be matched to your certificate. Typical non-SNI clients are old Android devices, client programs built on older Java runtimes (Java 6 and earlier have no SNI support, which matters for SSL-based calling programs), Internet Explorer on Windows XP, some old mobile phones, and some third-party payment callback interfaces.
Most current browsers, applications, and the WeChat and Alipay callback interfaces support SNI. The quick confirmation is a DNS test: if the affected client works when the domain name resolves to the origin and fails when it resolves to WAF, while other clients work either way, SNI compatibility is the cause. Upgrade the client, or resolve the callback interface's host name directly to the origin so that endpoint bypasses WAF.
For more information, see HTTPS access exceptions arising from SNI compatibility (Certificate not trusted).
Windows Server 2003/IIS6 server
If the origin is Windows Server 2003 or IIS 6, HTTPS access through WAF may produce a blank page or a 502 error. Schannel on these systems supports only legacy TLS versions and cipher suites (TLS 1.0 at best, with no modern suites), which is too weak for, and incompatible with, WAF's default HTTPS back-to-origin handshake. WAF therefore does not support HTTPS back-to-origin requests to Windows Server 2003, and Microsoft itself advises against hosting HTTPS sites on it. Upgrade the origin to Windows Server 2008 or later.
Link failure caused by short DH key
SSL routines:ssl3_check_cert_and_algorithm:dh key too small.
This error is raised by an OpenSSL-based TLS client, here WAF's back-to-origin connection, when the origin negotiates a DHE cipher suite with a Diffie-Hellman group shorter than 1024 bits; current OpenSSL versions refuse such groups outright, so the back-to-origin handshake never completes and the client sees a failed request. Fix it on the origin: generate DH parameters of at least 2048 bits and configure the web server to use them, or prefer ECDHE cipher suites, which do not use finite-field DH at all.
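A way to confirm the short-group diagnosis before touching the origin, as an added example that is not part of this WAF documentation: a POSIX shell script that reads the "Server Temp Key" line of an `openssl s_client` transcript, applies OpenSSL's 1024-bit threshold, and wraps a live check that forces a DHE suite so the origin has to reveal its group. The transcript lines in the test are constructed; the host name and paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not part of the WAF documentation): find out what ephemeral
# key exchange an origin negotiates and whether an OpenSSL-based client, such
# as WAF's back-to-origin connection, would reject it. OpenSSL refuses
# finite-field DH groups shorter than 1024 bits with "dh key too small";
# 2048 bits is the sensible minimum today.

# Reduce an `openssl s_client` transcript to "<kx-type> <bits>", taken from
# its "Server Temp Key:" line, e.g. "DH 512", "ECDH 256" or "X25519 253".
temp_key() {
    sed -n 's/^Server Temp Key: \([A-Za-z0-9]*\),.* \([0-9]*\) bits$/\1 \2/p'
}

# Exit 0 if an OpenSSL client will accept this key exchange, 1 if it would
# fail the handshake with "dh key too small".
kx_acceptable() {   # args: kx-type bits|rejected
    case "$1 $2" in
        "DH rejected") return 1 ;;              # our own OpenSSL already refused it
        "DH "*)        [ "$2" -ge 1024 ] ;;     # finite-field DH: group size decides
        *)             return 0 ;;              # ECDH/X25519 never trigger the error
    esac
}

# Live check: force a DHE suite so the DH group is exercised. If the local
# OpenSSL itself rejects the group, that is exactly what WAF experiences.
# Add -no_tls1_3 for a TLS 1.3 origin (TLS 1.3 only allows 2048-bit+ groups).
origin_kx() {   # args: host [port]
    out=$(printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -servername "$1" \
          -cipher 'DHE' 2>&1)
    case "$out" in
        *"dh key too small"*) echo "DH rejected" ;;
        *)                    printf '%s\n' "$out" | temp_key ;;
    esac
}

# Remediation on the origin once a short group is confirmed: generate a
# 2048-bit group and point the web server at it, for example
#   openssl dhparam -out /etc/ssl/dhparam.pem 2048
#   nginx:   ssl_dhparam /etc/ssl/dhparam.pem;
#   Apache:  SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
# or drop DHE suites entirely in favour of ECDHE.

# Usage: sh origin_dh_check.sh origin.example.com [443]
if [ $# -gt 0 ]; then
    kx=$(origin_kx "$@")
    [ -n "$kx" ] || { echo "no DHE handshake completed (origin may not offer DHE at all)"; exit 2; }
    set -- $kx
    if kx_acceptable "$1" "$2"; then
        echo "$1 $2: accepted by OpenSSL clients"
    else
        echo "$1 $2: too small, origin needs a 2048-bit group or ECDHE"
    fi
fi
```

If the origin offers no DHE suite at all the script reports that instead; in that case the "dh key too small" error cannot come from that origin, so look for another host behind the same domain.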
HTTP enabled for services that redirect HTTP to HTTPS?
If the origin forces HTTP requests to redirect to HTTPS, select both HTTP and HTTPS when adding the domain in WAF. Once DNS points the domain at WAF, a client's initial http:// request arrives at WAF on port 80; if WAF has no HTTP listener for the domain, that request is never forwarded to the origin, the redirect never happens, and the client sees an error.