There are a few common mistakes or problems that come with using SSL. We've compiled the most common ones here, along with information to help you avoid and resolve the problems you encounter. If the answers to your questions aren't found on this page, feel free to contact our support staff for assistance.

General SSL Usage Help

There are a number of warnings or errors that can come up when accessing web pages via SSL. Almost all of these are small mistakes that are easy to repair.

  • Domain Name Mismatch
    Your SSL digital certificate is set up to use a very specific domain name, which must match exactly to avoid getting this error. For example, if your certificate is for the domain www.my-domain.name, and you type https://my-domain.name into the browser, you will get this warning. Likewise, if your certificate is for my-domain.name and you enter https://www.my-domain.name into your browser, you will get the same warning. In order to avoid this warning, be sure to use the exact domain name on the certificate when making links to secure pages.

  • Page contains both Secure and Insecure Data
    Often when making links or including images in pages, the URL is an Absolute link, meaning that the link includes the protocol, domain, and path to a file. If you include an image in a page using an absolute URL, you can run into this error when the page is viewed using a different protocol than the one indicated in the image URL. For example, if in a web page you include an image using the path http://www.my-domain.name/images/myimage.gif, and then access the page using secure protocol, you will get the warning that the page has encrypted and unencrypted content. The easiest way to avoid this error is to use Relative links, meaning you indicate only the path to a local file in the link (for example, /images/myimage.gif). When linking to files on a remote server, you will need to use an absolute link, so make sure in those cases to use the protocol that the page will usually be viewed with.

  • Low-encryption browsers
    Many older Web Browsers only support 40 or 52 bit encryption. Because modern SSL certificates use 128 bit encryption, older browsers may not be able to view pages securely. If many of your customers are likely to be using older browsers, you may want to get a special low-encryption certificate (available from some Signing Authorities). Because several modern browsers are available free of charge, you may also want to encourage users having problems with your SSL certificate to upgrade to a newer browser.

Custom Certificate Install Help

When installing a custom signed Digital Certificate, there are a number of possible mistakes or errors that can cause problems. In most cases, the Apache Web Server will not start up when one of these errors occurs. If your site will not load in a browser, it is a good idea to check to see if there are any httpsd processes running on your Virtual Private Server. If there are, you may want to restart Apache and try loading the page again.

If restarting the web server does not cause httpsd processes to start on your Virtual Private Server, it is possible your custom certificate is not installed properly. The first thing to do is review the Installation Steps for custom digital certificates. A few common errors include the following.

  • The Private Key has not been decrypted
    You can tell whether or not the Private Key has been decrypted by viewing the file using more or your favorite text editor. If the key file has the following lines, your key is still encrypted.

    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,BCC23A5E16582F3D

    To decrypt your Private Key, run the following command from your Virtual Private Server SSH or Telnet command prompt.

    % openssl rsa -in ~/etc/ssl.pk -out ~/etc/ssl.pk

    You will be prompted to enter your PEM Passphrase, after which the key will be decrypted.

  • The Certificate was uploaded using Binary FTP format
    Check to see if your Certificate was uploaded properly by looking at it in your favorite text editor. If each line has a ^M at the end of it, you will need to upload the file again using ASCII format.

  • The Certificate and Private Key don't match
    If you have multiple servers with SSL, make sure you are using the private key which was generated at the same time as the CSR for that domain.

  • The Certificate was ordered for the wrong Server type
    If you are transferring your certificate from a different server, make sure that the old server was using Apache with SSL as the Web Server software. If not, see the instructions to Move your Certificate.

  • Your Certificate or Key are not complete
    Check to see if the beginning and ending lines of the key or certificate are not all there or are missing. Both the certificate and private key should begin and end with a line containing text identifying the file with five dashes (-) before and after the text, such as -----BEGIN RSA PRIVATE KEY-----.

Please note: the information on this page applies to ITS web hosting plans. It may or may not apply to other environments. If you are looking for a feature described here, or better support from your hosting provider, please consider hosting your site with ITS!

1555 N Naperville/Wheaton Road, Suite 107
Naperville, IL 60563
phone 630.420.2550
fax 630.420.2771