After a website is added to WAF, the website can be accessed over HTTP, but fails to be accessed over HTTPS. For example, the website may fail to open, the certificate may be untrusted, interfaces may fail to be called, or errors may be reported for devices, OSs, or apps of specific types. This topic describes how to troubleshoot the access issues.

Check whether HTTPS is selected in the WAF console and whether the required certificate is uploaded

To use WAF to protect HTTPS services, you must select HTTPS in the WAF console and upload the same certificate and private key that the origin server uses. If you use WAF together with other services, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, you must still upload a certificate and private key to WAF. The certificates and private keys that are uploaded to other services do not take effect on WAF. You must separately upload the certificate and private key for WAF.
Note After a certificate is uploaded in the WAF console, the configuration can take up to 5 minutes to take effect. During this period, access issues may occur. Before you change the DNS record of your website to WAF, we recommend that you modify the hosts file on your computer and verify the domain name settings. After you confirm that the domain name settings are in effect, you can change the DNS record of your website to WAF. For more information, see Verify domain name settings.

Check whether the certificate chain is valid

An invalid certificate chain is a common cause of HTTPS access issues. In most cases, a certificate service provider offers a valid certificate chain that contains one server certificate and one or more certificate authority (CA) certificates. The following figure shows a certificate chain that contains an Alibaba Cloud SSL certificate.
Figure: Certificate chain, valid
Make sure that a valid certificate chain is uploaded to WAF. To combine multiple certificates into a certificate chain, concatenate the content of the certificates into a single file. Make sure that the server certificate is at the top of the certificate chain, followed by the CA certificates in issuing order. The following is an example of a certificate chain that can be uploaded.
-----BEGIN CERTIFICATE-----
……
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
……
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
……
-----END CERTIFICATE-----

If a certificate chain is invalid, the browser displays a warning that the certificate is untrusted. In this case, if the website is accessed from Android mobile phones, specific OSs, or apps of specific types, errors are reported in some environments.

You can use online third-party testing tools, such as SSL Installation Checker, to check whether a certificate chain is valid. For more information, visit SSL Installation Checker.
Note The online third-party testing tools can check the certificate chain only at the endpoint to which your domain name currently resolves. For example, if your website is mapped to the origin server instead of WAF, the online third-party testing tools cannot be used to check whether the certificate chain that is uploaded to WAF is valid.
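The ordering rule above can be checked offline before the bundle is uploaded, without depending on where the domain name resolves. The following Python script is an added example, not part of this topic or of the WAF product: it splits a PEM bundle into its certificates, pulls the issuer and subject names out of each one with a minimal DER walker (standard library only), and confirms that each certificate is issued by the one that follows it. The make_fake_cert_pem helper builds constructed, unsigned stand-in certificates purely so the check can be exercised without real key material; the host and CA names in it are made up.

```python
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the PEM certificate blocks in the order they appear in the bundle."""
    return PEM_BLOCK.findall(text)


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_content):
    """Split SEQUENCE content into (tag, raw TLV bytes) children."""
    out, pos = [], 0
    while pos < len(seq_content):
        tag, _, end = _tlv(seq_content, pos)
        out.append((tag, seq_content[pos:end]))
        pos = end
    return out


def issuer_and_subject(pem_cert):
    """Return the raw DER encodings (issuer, subject) of one PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    _, cert, _ = _tlv(der)                  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert)                  # tbsCertificate is the first child
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional explicit [0] version tag
        fields = fields[1:]
    # order is then: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def check_chain_order(bundle_text):
    """Check that every certificate is issued by the one after it.

    Returns (ok, messages). Names are compared as raw DER bytes, which is how
    chain building matches an issuer against the next certificate's subject.
    A missing self-signed root is reported as a note, not as a failure.
    """
    certs = split_pem_bundle(bundle_text)
    if not certs:
        return False, ["no PEM certificate blocks found"]
    names = [issuer_and_subject(c) for c in certs]
    problems = []
    for i in range(len(certs) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: "
                            "chain is out of order or a CA certificate is missing")
    notes = []
    if names[-1][0] != names[-1][1]:
        notes.append("note: the last certificate is not self-signed, so the root is absent")
    return not problems, problems + notes


def _der(tag, content):
    """Encode one DER TLV (short or long length form)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    n = (len(content).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(content).to_bytes(n, "big") + content


def _name(common_name):
    """DER Name with a single commonName (OID 2.5.4.3) UTF8String attribute."""
    attr = _der(0x06, b"\x55\x04\x03") + _der(0x0C, common_name.encode())
    return _der(0x30, _der(0x31, _der(0x30, attr)))


def make_fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned stand-in with the real X.509 field layout (test data only)."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                   # [0] version: v3
           + _der(0x02, b"\x01")                             # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
           + _name(subject_cn)
           + _der(0x30, b""))                                # SubjectPublicKeyInfo placeholder
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))  # dummy signature
    return ssl.DER_cert_to_PEM_cert(cert)


if __name__ == "__main__":
    # Constructed names; the order below is the one WAF expects: server certificate first.
    leaf = make_fake_cert_pem("www.example.com", "Example Intermediate CA")
    inter = make_fake_cert_pem("Example Intermediate CA", "Example Root CA")
    root = make_fake_cert_pem("Example Root CA", "Example Root CA")
    print(check_chain_order(leaf + inter + root))   # (True, [])
    print(check_chain_order(root + inter + leaf))   # (False, [...]) reversed order
```

To check a real bundle, read the file you intend to upload and pass its text to check_chain_order; the script only inspects names, so it does not replace signature validation by a tool such as openssl verify, but it catches the two mistakes the section describes: a chain pasted in the wrong order and a missing CA certificate.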

Check whether a server name indication (SNI) compatibility issue occurs

If clients or apps of specific types cannot access your website over HTTPS and the error message "SSL handshake failed/error" or "the certificate cannot be trusted" is displayed, the clients or apps may not support SNI. Clients that run outdated versions of Android and apps that are built with outdated versions of Java are incompatible with SNI. Internet Explorer, outdated mobile phones, and callback interfaces for third-party payment systems are also incompatible with SNI.

Most browsers, apps, and payment callback interfaces of Alipay and WeChat support SNI. If you can access your website when your website is mapped to the origin server but cannot access your website when your website is mapped to WAF, an SNI compatibility issue occurs. We recommend that you upgrade the client or map your website to the origin server.

For more information, see HTTPS access exceptions arising from SNI compatibility ("Certificate not trusted").

Check whether your website is hosted on Windows Server 2003 or IIS6 servers

After a website that is hosted on Windows Server 2003 or IIS6 servers is added to WAF, the HTTP 502 status code is returned when the website is accessed over HTTPS. The status code is returned because the TLS version and cipher suites of the system are outdated and do not meet the security requirements. The TLS version and cipher suites are incompatible with the default HTTPS back-to-origin algorithm of WAF. The feature that allows you to redirect HTTPS requests to origin servers is not supported for websites that are hosted on Windows Server 2003 servers. Microsoft recommends that you do not host your HTTPS website on Windows Server 2003 servers. We recommend that you host your website on servers that run Windows Server 2008 or later to ensure secure communications.

Check whether the Diffie-Hellman (DH) key meets the length requirements

If the DH key is too short to meet the length requirements, the key is not secure. WAF does not support this type of key. If you use a new version of Mozilla Firefox, such as Mozilla Firefox 51.0.1, to access the website that is not protected by WAF, an error message similar to the following message is displayed.
Figure: Connection failed, Mozilla Firefox
To resolve this issue, upgrade related components, such as the JDK, to ensure that the DH key is 2048-bit long or longer.
Note The length of the key is determined by the encryption algorithm that the server uses. The length is irrelevant to the configuration of the certificate. If you are unable to resolve this issue, contact your origin server developer or search for relevant solutions based on the following error message: SSL routines:ssl3_check_cert_and_algorithm:dh key too small.

Check whether HTTP is selected

If you enable the feature that redirects HTTP requests to HTTPS requests on the origin server, you must select HTTP and HTTPS in the WAF console. If you select only HTTP or HTTPS in this situation, WAF cannot forward HTTPS requests to the origin server, and errors are reported.