# cas-network

Part of **CAS**

# Certificate Management Service Network Security Troubleshooting Guide

## Problem Index

| Problem | Symptom | Severity | Solution Summary |
|--------|--------|---------|------------------|
| Chrome Certificate Transparency Error | `NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED` in Chrome 53 | Medium | Upgrade Chrome to a version other than 53 |
| IIS Inaccessible from Chrome After SSL Install | `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` or site loads in other browsers but not Chrome | High | Enable TLS 1.2 cipher suite using optimization tool or registry file |
| Nginx Missing SSL Module | `nginx: [emerg] unknown directive "ssl"` or `"ssl" parameter requires ngx_http_ssl_module` | High | Recompile Nginx with `--with-http_ssl_module` after installing OpenSSL dev libraries |
| Apache Fails to Restart After SSL Install | `AH00526: Syntax error on line xx of httpd-ssl.conf` | High | Load `socache_shmcb_module` in `httpd.conf` |
| Java Client SSL Handshake Failure | `SSLHandshakeException: unable to find valid certification path` | High | Complete certificate chain or import missing root CA into Java truststore |
| Website Shows Old Certificate After Renewal | Browser displays expired or old certificate despite new deployment | Medium | Update certificate on frontend devices (SLB, CDN, WAF) |
| Firefox Reports Site as Not Secure | `SEC_ERROR_UNKNOWN_ISSUER` while Chrome works fine | Medium | Configure strong cipher suites and TLS protocols in Nginx |
| Certificate Expiration | `CERT_EXPIRED` warning in browsers | High | Renew certificate immediately and redeploy |
| IIS HTTPS Returns 404 | HTTP works but HTTPS returns 404 | Medium | Verify HTTPS binding matches IP, port, and hostname in IIS site configuration |

## Problem Details

### Problem 1: Chrome Certificate Transparency Error

**Symptoms**
- Error message: `NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED`
- Behavior: HTTPS website fails to load in Google Chrome version 53 or QQ Browser 9.5.1 (Chrome 53 kernel)
- Context: Occurs when accessing any HTTPS site with affected browser versions

**Root Cause**
- A known bug in Chrome version 53 incorrectly enforces Certificate Transparency requirements, blocking sites that otherwise have valid certificates.

**Solution**
1. Upgrade Google Chrome to any version other than 53 (e.g., 52, 54, or later).
2. If using QQ Browser, update to a version based on a Chrome kernel other than 53.

**Verification**
- After browser upgrade, reload the HTTPS site — it should load without certificate errors.

### Problem 2: IIS Inaccessible from Chrome After SSL Install

**Symptoms**
- Error message: `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`
- Behavior: Site accessible via Firefox or Edge but fails in Chrome after SSL certificate installation on IIS
- Context: Common on Windows Server with default TLS/cipher configurations

**Root Cause**
- Chrome requires modern cipher suites (e.g., ECDHE-based) and TLS 1.2, which may be disabled by default on older Windows/IIS systems.

**Solution**
1. Use the **ITrusIIS Optimization Tool** to automatically configure secure cipher suites and protocols.
   - Download and run the tool as administrator.
2. Alternatively, apply the **IIS8 registry file** to enable TLS 1.2 and strong ciphers:
   ```cmd
   REM Import the registry file (provided in the documentation) from an elevated command prompt
   regedit /s IIS8_TLS12_CipherSuite.reg
   ```
3. Reboot the server to apply changes.

**Verification**
- Use an online SSL test (e.g., SSL Labs) to confirm TLS 1.2 and strong ciphers are enabled.
- Access the site in Chrome — it should load securely.

### Problem 3: Nginx Missing SSL Module

**Symptoms**
- Error message: `nginx: [emerg] unknown directive "ssl"`
- Error message: `the "ssl" parameter requires ngx_http_ssl_module`
- Behavior: Nginx fails to start or reload when SSL directives are used

**Root Cause**
- Nginx was compiled without the `--with-http_ssl_module` flag, so SSL support is unavailable.

**Solution**
1. Check if SSL module is present:
   ```bash
   nginx -V 2>&1 | grep http_ssl_module
   ```
2. Install OpenSSL development libraries:
   ```bash
   # For CentOS/RHEL
   sudo yum install openssl-devel

   # For Ubuntu/Debian
   sudo apt-get install libssl-dev
   ```
3. Recompile Nginx with SSL support. Run `configure` in the nginx **source** directory (the install prefix `/usr/local/nginx/` contains no `configure` script), and repeat every option already listed under `configure arguments:` in `nginx -V`, otherwise those modules disappear from the new build:
   ```bash
   # /path/to/nginx-src is a placeholder for the unpacked source of the installed version
   cd /path/to/nginx-src
   ./configure <existing configure arguments> --with-http_ssl_module
   make      # build only: 'make install' would overwrite the running binary without a backup
   ```
4. Replace the binary safely:
   ```bash
   sudo cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
   # copying over a running executable fails with "Text file busy", so stop nginx first
   sudo /usr/local/nginx/sbin/nginx -s stop
   sudo cp objs/nginx /usr/local/nginx/sbin/nginx
   ```
5. Start Nginx on the new binary (`-s reload` only re-reads the configuration; the master process would keep running the old executable):
   ```bash
   sudo /usr/local/nginx/sbin/nginx -t && sudo /usr/local/nginx/sbin/nginx
   ```

**Verification**
- Run `nginx -V 2>&1 | grep http_ssl_module` — output should include `--with-http_ssl_module`.
- Confirm HTTPS site loads correctly.
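The recompile step only keeps the modules you already had if the original `configure arguments:` line from `nginx -V` is repeated. The following shell snippet is an added example (not part of the original guide or of nginx itself): it extracts that line, adds `--with-http_ssl_module` only when it is absent, and is exercised here against two constructed samples of `nginx -V` output rather than a live binary.

```shell
#!/bin/sh
# Added example, not from the original guide: reuse an nginx build's existing
# configure arguments (from `nginx -V`) and add --with-http_ssl_module only if
# it is missing, so no other module is lost when recompiling.

# nginx_has_ssl VTEXT: 0 if the `nginx -V` output VTEXT lists the SSL module.
nginx_has_ssl() {
    printf '%s\n' "$1" | grep -q -- '--with-http_ssl_module'
}

# ssl_configure_args VTEXT: the original configure arguments, plus
# --with-http_ssl_module if it was absent; pass the result to ./configure.
ssl_configure_args() {
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p')
    if nginx_has_ssl "$1"; then
        printf '%s\n' "$args"
    else
        printf '%s\n' "${args:+$args }--with-http_ssl_module"
    fi
}

# Constructed sample of `nginx -V 2>&1` from a build without the SSL module.
SAMPLE_NO_SSL='nginx version: nginx/1.24.0
built by gcc 12.2.0 (Debian 12.2.0-14)
configure arguments: --prefix=/usr/local/nginx --with-http_gzip_static_module'

# Constructed sample from a build that already includes it.
SAMPLE_SSL='nginx version: nginx/1.24.0
built by gcc 12.2.0 (Debian 12.2.0-14)
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module'

echo "rebuild with: ./configure $(ssl_configure_args "$SAMPLE_NO_SSL")"
echo "already has SSL: ./configure $(ssl_configure_args "$SAMPLE_SSL")"

# Real use, from the nginx source directory (the path is an assumption):
#   cd /path/to/nginx-src && eval ./configure "$(ssl_configure_args "$(nginx -V 2>&1)")" && make
```

The `eval` in the usage comment is what lets the single string returned by `ssl_configure_args` be split back into individual `./configure` options.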

### Problem 4: Apache Fails to Restart After SSL Install

**Symptoms**
- Error message: `AH00526: Syntax error on line xx of /www/server/apache/conf/extra/httpd-ssl.conf`
- Behavior: Apache fails to start after installing SSL certificate

**Root Cause**
- The `socache_shmcb_module` (required for SSL session caching) is not loaded in `httpd.conf`.

**Solution**
1. Edit the main `httpd.conf` of the installation that reported the error (the path in the symptom above is under `/www/server/apache/conf/`; a package-installed httpd uses `/etc/httpd/conf/httpd.conf`):
   ```bash
   # adjust the path to the installation whose httpd-ssl.conf appears in the error
   sudo nano /etc/httpd/conf/httpd.conf
   ```
2. Uncomment or add this line:
   ```apache
   LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
   ```
3. Test configuration:
   ```bash
   apachectl configtest
   ```
4. Restart Apache:
   ```bash
   sudo systemctl restart httpd
   # for a source or panel install without a systemd unit: sudo apachectl restart
   ```

**Verification**
- `apachectl configtest` returns "Syntax OK".
- Apache starts successfully and serves HTTPS traffic.

### Problem 5: Java Client SSL Handshake Failure

**Symptoms**
- Error message: `SSLHandshakeException: unable to find valid certification path to requested target`
- Error message: `SunCertPathBuilderException: unable to find valid certification path`
- Behavior: Java application fails to connect to HTTPS endpoint

**Root Cause**
- Either the server’s certificate chain is incomplete (missing intermediate CA), or the Java truststore (`cacerts`) lacks the required root CA.

**Solution**
1. Diagnose the certificate chain:
   ```bash
   # -servername sends SNI so a shared-IP frontend returns the certificate for this host
   openssl s_client -connect your.domain.com:443 -servername your.domain.com -showcerts </dev/null
   ```
   - Each `BEGIN CERTIFICATE` block is one certificate the server sends: the leaf must be followed by every intermediate up to the root (the root itself need not be sent).
2. If the chain is complete but Java still fails, import the missing root CA:
   ```bash
   # Java 8 and earlier: $JAVA_HOME/jre/lib/security/cacerts
   # Java 9 and later:   $JAVA_HOME/lib/security/cacerts   (default store password: changeit)
   keytool -import -trustcacerts -alias custom-root-ca \
     -keystore "$JAVA_HOME/jre/lib/security/cacerts" \
     -file /path/to/root-ca.crt \
     -storepass changeit
   ```
   - Replace `/path/to/root-ca.crt` with the actual root certificate file.

**Verification**
- Re-run the Java application — connection should succeed.
- Use `keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts` to confirm CA is imported.
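The chain problem above is easiest to understand when reproduced offline. The script below is an added example (not part of the original guide, and not Java code): it generates a throwaway test root, intermediate and leaf with `openssl`, then shows with `openssl verify` that a client trusting only the root cannot build a path from the leaf alone, which is the situation behind `unable to find valid certification path`, but succeeds once the intermediate is supplied the way a correctly configured server sends it. The `served_cert_count` helper, which needs network access, is included for the live check against a real host and is not run here.

```shell
#!/bin/sh
# Added example, not from the original guide: reproduce the incomplete-chain
# failure offline and show the fix. Root, intermediate and leaf below are
# constructed throwaway test certificates generated at run time.
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

# new_key_csr NAME SUBJECT: private key plus CSR for one certificate.
new_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

new_key_csr root "/CN=Test Root CA"
new_key_csr int  "/CN=Test Intermediate CA"
new_key_csr leaf "/CN=www.example.test"

# Self-signed root (trust anchor), intermediate signed by root, leaf signed by intermediate.
openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

# chain_ok LEAF ROOT [INTERMEDIATE]: 0 when a client that trusts only ROOT can
# build a path to LEAF from what it is handed. INTERMEDIATE stands in for the
# extra certificate a correctly configured server sends (visible with -showcerts).
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# served_cert_count HOST: how many certificates a live server actually sends.
# Needs network access, so it is defined but not called here; 1 means the
# intermediate is missing on the server side.
served_cert_count() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

if chain_ok "$WORK/leaf.crt" "$WORK/root.crt"; then
    echo "leaf only: verified"
else
    echo "leaf only: unable to get local issuer certificate (what the Java client sees)"
fi
if chain_ok "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/int.crt"; then
    echo "leaf + intermediate: verified"
fi
```

Importing the intermediate into `cacerts` would also make the first check pass, but it only fixes that one client; serving the full chain fixes every client at once, which is why the guide checks the server first.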

### Problem 6: Website Shows Old Certificate After Renewal

**Symptoms**
- Browser shows expired or old certificate even after deploying new one on origin server
- Error message: `InvalidCertificate` (in monitoring tools)

**Root Cause**
- Frontend devices (SLB, CDN, WAF) still serve the old certificate because they were not updated.

**Solution**
1. Identify all frontend proxies in front of your origin (e.g., SLB, CDN, WAF).
2. Log in to each service console and upload/redeploy the new certificate.
3. Ensure the new certificate is bound to the correct domain and active.

**Verification**
- Run `openssl s_client -connect your.domain.com:443 -servername your.domain.com </dev/null 2>/dev/null | openssl x509 -noout -issuer -dates` and confirm the issuer and validity dates are those of the new certificate (`-servername` matters because SLB, CDN and WAF front ends select the certificate by SNI).
- Online SSL checker should show the new certificate.

### Problem 7: Firefox Reports Site as Not Secure

**Symptoms**
- Error message: `SEC_ERROR_UNKNOWN_ISSUER`
- Behavior: Firefox shows "Not Secure" while Chrome works fine

**Root Cause**
- Firefox enforces stricter requirements than Chrome on the cipher suites and on the certificate chain presented by the server; weak or outdated ciphers, or an incomplete chain, trigger the warning.

**Solution**
1. Update Nginx SSL configuration:
   ```nginx
   ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
   # TLS 1.2 and 1.3 only: TLS 1.0/1.1 are deprecated and flagged by current browsers
   ssl_protocols TLSv1.2 TLSv1.3;
   ```
2. Reload Nginx:
   ```bash
   nginx -s reload
   ```

**Verification**
- Test site in Firefox — no security warning should appear.
- SSL Labs test shows "A" rating and strong cipher support.

### Problem 8: Certificate Expiration

**Symptoms**
- Error message: `CERT_EXPIRED`
- Behavior: Browsers show full-page warning; users cannot proceed easily

**Root Cause**
- SSL certificate has passed its validity period and was not renewed.

**Solution**
1. Renew the certificate via Certificate Management Service.
2. Redeploy the new certificate to all servers and frontend devices.
3. Set up auto-renewal alerts to prevent recurrence.

**Verification**
- Visit site in browser — padlock icon appears, no expiration warning.
- `openssl x509 -in cert.pem -noout -dates` shows future `notAfter` date.
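The "auto-renewal alerts" in step 3 can be built directly on `openssl x509 -checkend`, which exits 0 only while the certificate stays valid for the given number of seconds. The script below is an added example, not part of the original guide: it wraps that flag in a function a cron or monitoring job can call, and exercises it on a constructed self-signed certificate valid for three days.

```shell
#!/bin/sh
# Added example, not from the original guide: a certificate-expiry check for a
# cron/monitoring job, built on `openssl x509 -checkend`.
# The certificate it runs against is a constructed self-signed test cert.

# expires_within CERT DAYS: returns 0 (alert) if CERT expires within DAYS days,
# 1 otherwise. An unreadable file also yields 0, so a broken path is never silent.
expires_within() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# not_after CERT: the notAfter date, the same value the -dates check above prints.
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_and_report CERT DAYS: the status line a monitoring job would emit;
# non-zero exit when renewal is due, so it can feed an alerting hook.
check_and_report() {
    if expires_within "$1" "$2"; then
        echo "RENEW NOW: $1 expires within $2 days (notAfter=$(not_after "$1"))"
        return 1
    fi
    echo "OK: $1 valid for more than $2 days (notAfter=$(not_after "$1"))"
}

# Constructed test certificate valid for 3 days.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=expiry-test.example.test" \
    -keyout "$WORK/test.key" -out "$WORK/test.crt" 2>/dev/null

check_and_report "$WORK/test.crt" 1            # OK: more than 1 day left
check_and_report "$WORK/test.crt" 30 || true   # RENEW NOW: fewer than 30 days left
```

For a deployed site, point the functions at the certificate file actually served (or at the output of the `openssl s_client ... | openssl x509` pipeline used in Problem 6) and choose a threshold that leaves time to redeploy to every frontend device as well as the origin.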

### Problem 9: IIS HTTPS Returns 404

**Symptoms**
- HTTP works, but HTTPS returns `404 Not Found`

**Root Cause**
- HTTPS binding in IIS does not match the request (e.g., wrong IP, port, or hostname).

**Solution**
1. Open IIS Manager.
2. Select the site → **Bindings**.
3. Ensure an HTTPS binding exists with:
   - Type: `https`
   - IP address: matches request (or `All Unassigned`)
   - Port: `443`
   - Host name: matches domain (if used)
   - SSL certificate: correctly assigned
4. Remove conflicting bindings.

**Verification**
- Access `https://your-domain.com` — site loads correctly.
- No 404 error on HTTPS requests.

## FAQ

**Q: How do I check if my Nginx supports SSL?**  
A: Run `nginx -V 2>&1 | grep http_ssl_module`. If output includes `--with-http_ssl_module`, SSL is supported.

**Q: What permissions are needed to deploy certificates to IIS?**  
A: You need local administrator rights on the Windows server to install certificates into the machine store and configure IIS bindings.

**Q: How do I enable debug logging for SSL issues in Apache?**  
A: Add `LogLevel debug` or `LogLevel ssl:debug` in `httpd.conf`, then check error logs after reproducing the issue.

**Q: Why does my site work in Chrome but not Firefox?**  
A: Firefox often enforces stricter security policies on cipher suites and certificate chains. Ensure you use modern TLS protocols (1.2+) and complete certificate chains with strong ciphers.

**Q: How do I verify the certificate chain is complete?**  
A: Use `openssl s_client -connect example.com:443 -servername example.com -showcerts` (the `-servername` option sends SNI so hosts behind shared-IP frontends return the right certificate) and confirm all intermediates are present, or use SSL Labs’ SSL Test tool online.