# cas-certificate

Part of **CAS**

# Certificate Management Service Troubleshooting Guide

## Problem Index

| Problem | Symptom | Severity | Solution Summary |
|------|------|---------|------------|
| Activation Failed During Certificate Purchase | Error message: `Activation failed` during SSL certificate purchase | High | Verify identity, ensure RAM user has AliyunYundunCertFullAccess, or check free certificate quota |
| Domain Authorization Validation Push Fails | ConfigurationPushFailed error when pushing DNS records | Medium | Add required TXT record in Alibaba Cloud DNS and remove conflicting CNAME records |
| Chrome Browser Shows NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED | Chrome version 53 displays certificate transparency error | Medium | Upgrade Chrome to a version other than 53 |
| IIS Service Inaccessible from Chrome After SSL Installation | ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome while other browsers work | High | Enable TLS 1.2 cipher suites using the ITrusIIS optimization tool or the registry file |
| Incomplete SSL Certificate Chain | Browser shows untrusted certificate warning | High | Deploy full certificate chain including intermediate certificates using one-click deployment |
| Certificate Deployment Shows Old Certificate | Website displays previously installed certificate | Medium | Update certificate on frontend devices like SLB, CDN, or WAF |
| Free DV Certificate Application Fails | CA_Security_Audit_Failed due to domain containing sensitive words | Medium | Use different domain or purchase OV/EV certificate |
| Wildcard Certificate Request Fails File Validation | InvalidValidationMethod error when using file validation | Low | Switch to DNS validation method for wildcard certificates |
| Certificate Order Status Not Updating | Status remains unchanged after CA notification | Low | Wait for sync delay between CA and Alibaba Cloud to complete |

## Problem Details

### Problem 1: Activation Failed During Certificate Purchase

**Symptoms**
- Error message: `Activation failed`
- Behavior: Certificate purchase process fails at activation step
- Context: Occurs during initial SSL certificate purchase, especially for free certificates

**Root Cause**
- Insufficient permissions for RAM user (missing AliyunYundunCertFullAccess policy)
- Identity verification not completed for the account
- Free certificate quota exceeded (20 free certificates per account including closed orders)
- Domain name suffix ineligible for free certificates (e.g., .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear)

**Solution**
1. Ensure your account has completed identity verification
2. If using a RAM user, attach the `AliyunYundunCertFullAccess` policy:
   ```bash
   # Using Alibaba Cloud CLI
   aliyun ram AttachPolicyToUser --PolicyType System --PolicyName AliyunYundunCertFullAccess --UserName <your-ram-user>
   ```
3. Check your free certificate quota in the console:
   - Navigate to Certificate Management Service console
   - View remaining quota under Account Settings
4. For restricted domain suffixes, purchase an OV, EV, or vTrus certificate instead of free DV

**Verification**
- Attempt to purchase certificate again
- Successful activation shows "Issued" status in certificate list
- Free certificate quota counter decreases by 1

### Problem 2: Domain Authorization Validation Push Fails

**Symptoms**
- Error message: `ConfigurationPushFailed`
- Behavior: Domain validation configuration fails to push to DNS
- Context: When configuring domain authorization validation in Certificate Management Service

**Root Cause**
- Incomplete DNS configuration in Alibaba Cloud DNS
- Conflicting CNAME records that interfere with TXT record validation
- Certificate Management Service not authorized to manage DNS records

**Solution**
1. Log on to the Alibaba Cloud Domain Name console
2. Select your domain name and click **DNS Settings**
3. If a CNAME record exists for the domain, temporarily remove it
4. Click **Add Record** and add the required TXT record with values provided by Certificate Management Service
5. Return to Certificate Management Service console and verify configuration status

**Verification**
- Check domain authorization validation status in Certificate Management Service console
- Successful validation shows "Verified" status
- DNS record propagation can be verified using:
  ```bash
  dig TXT _validation.yourdomain.com
  ```

### Problem 3: Chrome Browser Shows NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

**Symptoms**
- Error message: `NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED`
- Behavior: HTTPS websites fail to load in Chrome version 53 and QQ Browser version 9.5.1
- Context: Accessing HTTPS websites with valid SSL certificates

**Root Cause**
- Known bug in Chrome version 53 that incorrectly handles certificate transparency requirements
- Certificate transparency is a security feature that requires issued certificates to be recorded in public, append-only logs so that mis-issuance can be detected

**Solution**
1. Upgrade Chrome browser to any version other than 53:
   - Open Chrome settings
   - Go to **Help** > **About Google Chrome**
   - Allow automatic update to latest version
2. For QQ Browser, upgrade to a version newer than 9.5.1

**Verification**
- After browser upgrade, access the HTTPS website again
- Website should load without certificate transparency errors
- Confirm under **Help** > **About Google Chrome** that the version is no longer 53.x.x.x

### Problem 4: IIS Service Inaccessible from Chrome After SSL Installation

**Symptoms**
- Error message: `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`
- Behavior: IIS service accessible from other browsers but not Chrome after SSL certificate installation
- Context: Windows server running IIS with newly installed SSL certificate

**Root Cause**
- TLS 1.2 cipher suite not enabled on the IIS server
- Chrome requires modern cipher suites and TLS versions for secure connections
- Older Windows/IIS configurations may have legacy protocols enabled and TLS 1.2 cipher suites disabled by default

**Solution**
1. Download and run the ITrusIIS optimization tool from Alibaba Cloud:
   - Tool automatically configures optimal cipher suites and enables TLS 1.2
2. Alternatively, manually configure via registry:
   - Download the IIS8 registry file from Alibaba Cloud documentation
   - Import the registry file to enable TLS 1.2 cipher suites
   - Restart the server to apply changes

**Verification**
- Test connection using OpenSSL:
  ```bash
  openssl s_client -connect your-server-ip:443 -servername your-domain.com
  ```
- Expected output shows TLSv1.2 protocol and strong cipher suite
- Chrome browser successfully accesses the IIS service

### Problem 5: Incomplete SSL Certificate Chain

**Symptoms**
- Error message: `IncompleteCertificateChain`
- Behavior: Browser shows certificate as untrusted despite valid server certificate
- Context: After deploying SSL certificate to web server

**Root Cause**
- Missing intermediate certificates in the certificate chain
- Server is configured with only the end-entity (leaf) certificate, not the full chain
- Browsers cannot build complete trust path to root CA

**Solution**
1. Verify certificate chain using OpenSSL:
   ```bash
   openssl s_client -connect your-server-ip:443 -servername your-domain.com
   ```
2. In Certificate Management Service console:
   - Navigate to **Certificate Management Service** > **Deploy Certificate**
   - Use the **one-click deployment** feature to automatically deploy full certificate chain
3. If deploying manually, ensure the PEM file contains the server certificate followed by the intermediate certificate(s), in that order:
   ```text
   -----BEGIN CERTIFICATE-----
   [Your Server Certificate]
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   [Intermediate Certificate]
   -----END CERTIFICATE-----
   ```
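
The following script is an added example, not Alibaba Cloud tooling: it checks a PEM bundle such as the one above before deployment, confirming that it holds more than the leaf certificate and that each certificate in the file was issued by the one after it. It assumes only `openssl`, `awk` and `sed` are installed.

```bash
#!/usr/bin/env bash
# Added example (not Alibaba Cloud tooling): check that a PEM bundle is a
# complete, correctly ordered chain before deploying it to a web server.
# Expected order: server certificate first, then each certificate that issued
# the one before it. Needs only openssl, awk and sed.
set -eu

# Split the bundle $1 into $2/cert-N.pem (one certificate per file); print the count.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
    n > 0 { print > (out) }
    /-----END CERTIFICATE-----/ { close(out) }
    END { print n + 0 }' "$1"
}

# Print the subject or issuer of a single PEM certificate without the field prefix.
name_field() {                      # $1 = subject|issuer, $2 = certificate file
  openssl x509 -in "$2" -noout "-$1" | sed "s/^$1=//"
}

# Return 0 when the bundle holds at least two certificates and every cert i
# was issued by cert i+1; otherwise print what is wrong and return 1.
check_chain() {
  local bundle="$1" dir count i issuer subject
  dir=$(mktemp -d)
  count=$(split_bundle "$bundle" "$dir")
  if [ "$count" -lt 2 ]; then
    echo "INCOMPLETE: $count certificate(s) in bundle; intermediate certificates are missing"
    rm -rf "$dir"; return 1
  fi
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(name_field issuer "$dir/cert-$i.pem")
    subject=$(name_field subject "$dir/cert-$((i + 1)).pem")
    if [ "$issuer" != "$subject" ]; then
      echo "BROKEN ORDER: cert $i issuer [$issuer] does not match cert $((i + 1)) subject [$subject]"
      rm -rf "$dir"; return 1
    fi
    i=$((i + 1))
  done
  # A self-signed root at the end is harmless but unnecessary: clients use their own trust store.
  if [ "$(name_field subject "$dir/cert-$count.pem")" = "$(name_field issuer "$dir/cert-$count.pem")" ]; then
    echo "NOTE: bundle ends with a self-signed root certificate, which clients ignore"
  fi
  echo "OK: $count certificates, each issued by the next one in the file"
  rm -rf "$dir"
}
```

Run it as `check_chain fullchain.pem`; a bundle that only contains the leaf certificate, or lists the intermediate before the server certificate, is reported before it reaches the server.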

**Verification**
- OpenSSL output lists the complete chain by depth (depth 0 is the server certificate, higher depths are the intermediates)
- Browser certificate details show full trust path to root CA
- No certificate warnings in any major browser

### Problem 6: Certificate Deployment Shows Old Certificate

**Symptoms**
- Behavior: Website displays previously installed certificate even after new certificate deployment
- Context: After renewing certificate or enabling certificate hosting

**Root Cause**
- Frontend devices like SLB, CDN, or WAF still serving old certificate
- Certificate updated on origin server but not on edge/cloud services
- Cached certificate in intermediate proxy services

**Solution**
1. Check if you're using any frontend services:
   - Server Load Balancer (SLB)
   - Content Delivery Network (CDN)
   - Web Application Firewall (WAF)
2. Update certificate on all frontend devices:
   - For SLB: Update SSL certificate in listener configuration
   - For CDN: Refresh certificate in CDN domain settings
   - For WAF: Update certificate in WAF protection settings
3. Use Certificate Management Service's automatic deployment feature:
   - Navigate to **Hosted deployment for cloud products**
   - Configure scheduling and target products for automatic deployment

**Verification**
- Accessing the website directly via the origin server IP (bypassing frontend services) shows the new certificate
- Access through frontend services also shows new certificate
- Certificate expiration date matches newly issued certificate

### Problem 7: Free DV Certificate Application Fails

**Symptoms**
- Error message: `CA_Security_Audit_Failed`
- Behavior: Unable to apply for free DV certificate with domain security review failure
- Context: Applying for free certificate with domains containing sensitive words

**Root Cause**
- Domain contains sensitive words like "live", "bank", "fund", "wallet", "pay"
- Certificate Authority (CA) security policies block free certificates for high-risk domains
- Domain flagged in security databases like VirusTotal

**Solution**
1. Check domain safety on VirusTotal:
   ```bash
   # Use online tool or API to verify domain reputation
   curl "https://www.virustotal.com/vtapi/v2/url/report?apikey=<your-api-key>&resource=your-domain.com"
   ```
2. If domain contains sensitive words, either:
   - Use a different domain name without sensitive words
   - Purchase an OV or EV certificate which has different validation requirements
3. Contact your domain registrar to ensure WHOIS information is accurate and publicly available

**Verification**
- New certificate application succeeds with clean domain
- Domain passes CA security audit
- Certificate issuance completes within expected timeframe

### Problem 8: Wildcard Certificate Request Fails File Validation

**Symptoms**
- Error message: `InvalidValidationMethod`
- Behavior: File validation option unavailable or fails for wildcard certificate requests
- Context: Attempting to validate wildcard domain ownership using file method

**Root Cause**
- CA/Browser Forum policy prohibits file validation for wildcard certificates
- Wildcard certificates require DNS validation to prove control over entire subdomain space
- File validation only proves control over specific paths, not all subdomains

**Solution**
1. Switch to DNS validation method:
   - In Certificate Management Service console, select DNS validation during application
2. Add required TXT record to your DNS zone:
   - Record name: `_validation.*.yourdomain.com` (or as specified)
   - Record value: Provided validation token from console
3. Wait for DNS propagation (typically 5-30 minutes)
4. Complete validation in Certificate Management Service console

**Verification**
- DNS record visible via:
  ```bash
  # Quote the name so the shell does not expand the asterisk as a glob
  dig TXT '_validation.*.yourdomain.com'
  ```
- Certificate application proceeds to issuance stage
- Wildcard certificate issued with `*.yourdomain.com` in Subject Alternative Names

### Problem 9: Certificate Order Status Not Updating

**Symptoms**
- Behavior: Certificate order status remains unchanged after CA sends notification
- Context: After CA completes validation and issues certificate

**Root Cause**
- Sync delay between Certificate Authority (CA) and Alibaba Cloud systems
- Asynchronous process where CA notification doesn't immediately update console status
- Normal operational delay, not an actual error

**Solution**
1. Wait for status to update automatically:
   - Typical sync delay is 5-30 minutes
   - No action required from user side
2. If status doesn't update after 1 hour:
   - Refresh the Certificate Management Service console page
   - Check email notifications from CA for issuance confirmation
3. Contact support only if status remains unchanged after 24 hours

**Verification**
- Certificate status eventually shows "Issued" in console
- Certificate download option becomes available
- Email confirmation received from CA

## FAQ

**Q: How do I check if my SSL certificate is properly deployed?**
A: Use the OpenSSL command to verify your certificate chain: `openssl s_client -connect your-server-ip:443 -servername your-domain.com`. This shows the complete certificate chain, protocol version, and cipher suite. You can also use online SSL checkers like GeoCerts SSL Checker to validate deployment.

**Q: What permissions are needed to manage certificates in Certificate Management Service?**
A: Your RAM user needs the `AliyunYundunCertFullAccess` system policy attached. This provides full access to certificate management operations including purchase, deployment, renewal, and revocation. Without this policy, you'll encounter permission errors during certificate operations.

**Q: Why does my 3-year certificate show only 1-year validity?**
A: Multi-year certificate services include multiple 1-year certificates with automatic renewal. The certificate you download has a 1-year validity period, but the service automatically renews it for the full duration you purchased. This complies with industry standards that limit individual certificate validity to 1 year.

**Q: Can I delete the TXT record used for domain validation after certificate issuance?**
A: Yes, TXT records used for domain validation can be safely deleted after the certificate is issued. These records are only needed during the validation process and don't affect the certificate's validity once issued.

**Q: How do I handle certificate trust issues after CA intermediate certificate updates?**
A: When CAs like DigiCert or GlobalSign update their intermediate certificates, you may need to reissue your certificate to get the updated chain. In the Certificate Management Service console, look for validity period warnings and follow the reissuance process. Always deploy the complete certificate chain including new intermediate certificates.