SSL/TLS FAQ

更新时间:
复制 MD 格式

This topic answers common questions about SSL/TLS concepts, features, and use cases.

How do I resolve certificate risk warnings?

Problem

Browsers display a certificate risk warning when you access a domain, even after you have configured an HTTPS certificate for it in the Edge Security Accelerator (ESA) console.

Causes and solutions

  • Expired certificate: Renew your certificate and then update it in the ESA console. If you purchased your certificate from the Alibaba Cloud SSL Certificates Service, refer to SSL Certificate Renewal and Expiration to renew the certificate, and then update the certificate.

  • Incorrect system time: An incorrect system clock can cause browsers to misinterpret a valid certificate as expired or invalid. Verify that your computer's system time is correct, then try accessing the website again.

  • Self-signed certificate: A self-signed certificate is not issued by a trusted Certificate Authority (CA). Browsers do not trust self-signed certificates because they are vulnerable to spoofing and man-in-the-middle attacks, which triggers security warnings. We recommend replacing it with a certificate issued by a trusted CA. You can purchase a certificate from Alibaba Cloud SSL Certificates Service.

  • Mixed content: This issue occurs when a secure HTTPS page loads insecure resources over HTTP. Update all resource links to use HTTPS.

  • Outdated TLS version: SSL/TLS includes multiple protocols: SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3. Only TLSv1.2 and TLSv1.3 are currently considered secure. In the ESA console, disable the older, insecure protocols and enable only TLSv1.2 or TLSv1.3. For more information, see Configure TLS Version and Cipher Suites.

  • Weak cipher suite: The selected cipher suite is likely weak or outdated. Use a modern cipher suite that offers strong encryption, such as one based on 128-bit AES-GCM.

Free ESA certificate expiration

ESA automatically renews free certificates without affecting the certificate currently deployed for your domain:

  • Automatic Renewal Time: ESA attempts to automatically renew your free certificate 30 days before it expires. You do not need to reapply, and the renewal does not count against your certificate quota.

  • Risk of renewal failure: Because Let's Encrypt issues free certificates, renewal can fail due to DNS resolution errors or validation failures.

Note

If auto-renewal fails, ESA notifies you by SMS and email. You must then manually upload a new certificate to avoid disrupting your service.

Client certificate passthrough in Layer 4 proxy mode

ESA provides two modes for handling a client certificate, depending on your business requirements:

  • ESA node terminates TLS (standard mTLS): In this mode, the ESA node acts as the TLS termination point, and the client certificate is validated at the ESA node. This secures the link between the client and the ESA. To configure this mode, see Configure client certificate.

  • Layer 4 proxy (TCP passthrough): To implement end-to-end mTLS authentication, where the client certificate is passed directly to the origin server for validation, use the ESA Layer 4 proxy feature. In this mode, ESA does not terminate the TLS connection or replace the certificate. Instead, the client's TLS handshake is passed through directly to the origin server to complete mTLS. This feature requires an upgrade to the Enterprise Edition. For more information about the Layer 4 proxy, see Layer 4 proxy.

What is HTTPS?

Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP. It encrypts data sent between a client and a server, protecting it from being intercepted or modified. While standard HTTP transmits data in plaintext, HTTPS uses SSL/TLS protocols to create a secure, encrypted connection. It provides both authentication and encryption, making it essential for sensitive communications like online payments. To configure HTTPS on ESA, follow the SSL/TLS Quick Start guide. This process deploys a certificate across all ESA nodes to ensure network-wide data encryption.