Help Center

This reference guide addresses common issues encountered when configuring and maintaining SSL/HTTPS for custom domains, providing an overview of potential problems and their characteristic solutions. Understanding these points can help diagnose and resolve connectivity and security warnings related to secure connections.

Properties: Common Issues and Their Characteristics

• Certificate Not Issued — DNS Configuration — An SSL certificate may fail to issue if the domain's DNS records (e.g., A records pointing to the server, or CNAME records for domain validation) are incorrectly configured or have not yet fully propagated across the internet. Certificate authorities require successful domain validation, which relies on these records being correct and resolvable.
• Mixed Content Warnings — Browser Security — Occur when an HTTPS page loads some of its resources (such as images, scripts, stylesheets, or fonts) over an insecure HTTP connection. Browsers flag these as security risks because even a single insecure resource can compromise the entire page's security, displaying warnings like "Not Secure" or a broken padlock icon.
• Redirect Loops — Redirection Logic — A redirect loop happens when a browser is caught in an endless cycle of redirects, typically between HTTP and HTTPS versions of a URL, or between different proxy/CDN configurations. This often results in a "Too Many Redirects" error and prevents the page from loading.
• Certificate Renewal — Automated Processes — For many managed SSL services and certificates from providers like Let's Encrypt, the renewal process is fully automated. These systems are designed to renew certificates before expiration, typically requiring no manual intervention from the domain owner, provided the DNS configuration remains stable.
• Initial SSL Provisioning Time — Deployment Duration — The time it takes for an SSL certificate to be issued and fully provisioned can vary. Factors include DNS propagation time, the certificate authority's processing queue, and the hosting provider's automation. It commonly ranges from a few minutes to several hours.
• Cloudflare Proxy Conflicts — Proxy Configuration — When using Cloudflare as a proxy, conflicts can arise depending on the chosen SSL/TLS encryption mode (e.g., Flexible, Full, Full Strict). Incorrect settings can lead to issues where Cloudflare expects an SSL certificate on the origin server, but one is not present or configured improperly.
• Testing SSL Status — Verification Methods — Verifying the correct setup and functionality of an SSL certificate involves checking various aspects such as certificate validity, chain integrity, and protocol support. Several online tools and browser developer consoles offer methods to perform these checks.

Examples: Typical Resolutions and Explanations

The following outlines common approaches to resolve the issues described above.

• Resolving Certificate Issuance Failures: Ensure that the domain's A record points to the correct server IP address and that any required CNAME records for domain validation are properly configured. Allow sufficient time (up to 48 hours, though often faster) for DNS changes to propagate globally. Use a DNS lookup tool to confirm propagation.
• Addressing Mixed Content Warnings: Identify all resources loaded via HTTP on the HTTPS page. This can often be done using browser developer tools (Console or Network tabs). Update all identified resource URLs from http:// to https://. For content embedded within text areas or dynamic content, ensure the application logic correctly generates HTTPS URLs. Implementing a Content Security Policy (CSP) can also help enforce HTTPS for all resources.
• Fixing Redirect Loops: Investigate all layers of redirection: your web server configuration (Apache, Nginx), CDN/proxy settings (e.g., Cloudflare), and application-level redirects. Ensure that only one entity is responsible for redirecting HTTP to HTTPS, and that no configurations are inadvertently redirecting HTTPS back to HTTP. For Cloudflare, review the "SSL/TLS encryption mode" setting.
• Verifying Automatic Renewal: Confirm with your hosting provider or SSL service documentation that automatic renewal is enabled and configured for your domain. Regularly check the certificate's expiration date using browser developer tools or online SSL checkers to ensure it is being renewed as expected. Most services attempt renewal weeks before actual expiration.
• Managing Initial Provisioning Expectations: Understand that while many certificates provision quickly, delays can occur. Monitor your domain's DNS propagation and the status provided by your hosting or SSL provider. If delays persist beyond a few hours, verify DNS records and contact support.
• Configuring Cloudflare SSL Correctly:
  • Flexible SSL: Encrypts traffic between the user and Cloudflare. Traffic between Cloudflare and your origin server is HTTP. This requires no SSL certificate on your origin.
  • Full SSL: Encrypts traffic end-to-end. Requires an SSL certificate on your origin server (can be self-signed or a free Cloudflare Origin Certificate).
  • Full (Strict) SSL: Encrypts traffic end-to-end and requires a *valid, trusted* SSL certificate on your origin server. This is the most secure option.
  Ensure your origin server's SSL setup matches the Cloudflare mode selected to avoid conflicts.
• Utilizing SSL Testing Tools: Use online services like SSL Labs' SSL Server Test to perform a comprehensive analysis of your server's SSL configuration, including certificate chain, protocols, and vulnerabilities. Browser developer tools (Security tab) can also provide immediate feedback on certificate details and mixed content. Tools like Why No Padlock can specifically help diagnose mixed content issues.

Notes

• DNS propagation can take time, ranging from minutes to 48 hours, which directly impacts SSL certificate issuance and resolution of domain-related issues.
• Always verify that your domain's A records point to the correct server IP and that any CNAME records for validation are accurate.
• Regularly check your website's SSL status, especially after making DNS or server configuration changes, to catch potential issues early.
• When using a CDN or proxy like Cloudflare, carefully review their specific SSL/TLS configuration options as they can significantly impact your site's secure connection.