# cas-website

Part of **CAS**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for [Troubleshoot SSL/TLS certificate issues](../../intent/cas-troubleshoot-issues/SKILL.md). If you're unsure which path to take, check the routing skill first.

# Certificate Management Service Website Security Troubleshooting Guide

## Problem Index

| Problem | Symptom | Severity | Solution Summary |
|--------|--------|---------|------------------|
| Domain Already in Use When Enabling Website Proxy HTTPS | Error message: `This domain name is already in use` | High | Use the HTTPS proxy feature of the existing security or acceleration service instead of CAS website proxy HTTPS |
| Attempting to Enable Website Proxy HTTPS on Protected Domain | User cannot enable website proxy HTTPS despite valid certificate | Medium | Verify if domain is associated with WAF, Anti-DDoS, or CDN; switch to their native HTTPS support |
| Misconfigured Security Layer Due to Duplicate HTTPS Termination | SSL handshake failures or inconsistent security policies | High | Disable CAS website proxy HTTPS and rely solely on the primary service’s HTTPS configuration |

## Problem Details

### Problem 1: Domain Already in Use When Enabling Website Proxy HTTPS

**Symptoms**
- Error message: `This domain name is already in use`
- Behavior: The option to enable "Website Proxy HTTPS" is disabled or fails with an error during activation
- Context: Occurs when attempting to configure HTTPS proxy via Certificate Management Service for a domain already protected by another Alibaba Cloud service

**Root Cause**
The domain is already associated with a security or acceleration service such as Web Application Firewall (WAF), Anti-DDoS Pro, Anti-DDoS Premium, or Content Delivery Network (CDN). Enabling website proxy HTTPS through Certificate Management Service would create a conflicting HTTPS termination point, potentially bypassing or weakening the existing protection layer. To maintain security integrity, CAS blocks this configuration.

**Solution**
1. Identify which service is currently managing your domain:
   - Log in to the Alibaba Cloud console
   - Navigate to **Web Application Firewall**, **Anti-DDoS**, or **CDN** services
   - Check if your domain appears in any of their configurations
2. Use the built-in HTTPS proxy feature of that service instead:
   - For **WAF**: Go to *Protection Configuration > HTTPS Settings* and upload your certificate there
   - For **Anti-DDoS Pro/Premium**: Configure SSL certificates under *Website Access > HTTPS Configuration*
   - For **CDN**: In the *Domain Management* section, enable HTTPS and bind your certificate
3. Do **not** enable website proxy HTTPS in Certificate Management Service for this domain

**Verification**
- Confirm that the domain no longer shows the `This domain name is already in use` error in CAS
- Access your website via `https://yourdomain.com` and verify the SSL certificate is valid using browser tools or:
  ```bash
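  # </dev/null closes stdin so s_client exits after printing the handshake and certificate chain
  openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null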
  ```
- Ensure traffic flows through the intended security/acceleration service (check WAF logs or CDN access logs)

### Problem 2: Attempting to Enable Website Proxy HTTPS on Protected Domain

**Symptoms**
- User has a valid SSL certificate issued or uploaded in CAS
- The "Enable Website Proxy HTTPS" toggle is grayed out or fails silently
- No explicit error shown in UI, but HTTPS does not function as expected

**Root Cause**
The domain is registered with a security or acceleration service that automatically claims exclusive control over HTTPS configuration. Certificate Management Service detects this association and prevents redundant or conflicting proxy setup, even if the user is unaware of the underlying service linkage.

**Solution**
1. Determine active services linked to the domain:
   ```bash
   # Use Alibaba Cloud CLI to list WAF domains (example)
   aliyun waf ListDomains --RegionId cn-hangzhou
   ```
2. If found, migrate HTTPS configuration to that service:
   - In WAF console: *Website Access > HTTPS Settings > Upload Certificate*
   - Ensure the same certificate used in CAS is applied in the primary service
3. Remove or disable any duplicate HTTPS listeners in load balancers or origin servers that may interfere

**Verification**
- After configuring HTTPS in the primary service (e.g., WAF), test site accessibility over HTTPS
- Use online tools like [SSL Labs](https://www.ssllabs.com/ssltest/) to confirm certificate validity and chain completeness
- Monitor for mixed-content warnings or insecure resource loads

### Problem 3: Misconfigured Security Layer Due to Duplicate HTTPS Termination

**Symptoms**
- Intermittent SSL errors (e.g., `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`)
- Inconsistent security headers or policy enforcement
- Traffic bypasses WAF rules or DDoS protections unexpectedly

**Root Cause**
Both Certificate Management Service (via website proxy HTTPS) and another service (e.g., WAF) are terminating HTTPS independently, creating a double-proxy scenario. This can lead to protocol mismatches, certificate conflicts, or traffic routing outside the intended security perimeter.

**Solution**
1. Disable website proxy HTTPS in Certificate Management Service:
   - Go to CAS console > **Website Security** > find your domain
   - Turn off **Website Proxy HTTPS**
2. Centralize HTTPS termination in one service only—preferably the one providing security (WAF/Anti-DDoS)
3. Validate origin server configuration:
   - If using WAF, ensure origin communicates over HTTP (unless mutual TLS is required)
   - Avoid enabling SSL on both proxy and origin unless explicitly needed

**Verification**
- Perform a full curl test through the proxy:
  ```bash
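  # --resolve pins the hostname to the WAF IP, so the request goes through the proxy regardless of DNS
  curl -I https://yourdomain.com --resolve yourdomain.com:443:<WAF_IP>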
  ```
- Confirm response includes expected security headers (e.g., `X-WAF-Block`, `Strict-Transport-Security`)
- Check that all requests appear in WAF or Anti-DDoS logs
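
The per-IP check above can be repeated across every edge IP that answers for the domain, to see whether more than one HTTPS terminator is serving it. This script is an added example, not part of the original guide or of any Alibaba Cloud tooling; the function names, the tab-separated probe format and the edge IP arguments are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: compare what each edge IP
# serves for one hostname to spot duplicate or inconsistent HTTPS termination.

# probe_edge HOST IP -> "IP<TAB>sha256-fingerprint<TAB>hsts|no-hsts"
probe_edge() {
  fp=$(openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
  if curl -sI --max-time 10 --resolve "$1:443:$2" "https://$1/" |
    grep -qi '^strict-transport-security:'; then hsts=hsts; else hsts=no-hsts; fi
  printf '%s\t%s\t%s\n' "$2" "${fp:-handshake-failed}" "$hsts"
}

# check_consistency: reads probe lines on stdin. Exit 0 when every edge served
# the same certificate and HSTS state, 1 on any mismatch or failed handshake,
# 2 when there was nothing to compare.
check_consistency() {
  awk -F'\t' '
    $2 == "handshake-failed" { bad = 1 }
    { key = $2 FS $3; if (!(key in ips)) n++; ips[key] = ips[key] " " $1 }
    END {
      if (NR == 0) { print "no probes"; exit 2 }
      if (n == 1 && !bad) { print "consistent"; exit 0 }
      for (k in ips) { split(k, p, FS); printf "REVIEW cert=%s %s via%s\n", p[1], p[2], ips[k] }
      exit 1
    }'
}

# Constructed sample (documentation IPs, shortened fingerprints): two edges
# answering for the same hostname with different certificates.
sample_probes() {
  printf '203.0.113.10\tAA:11\thsts\n'
  printf '203.0.113.11\tBB:22\tno-hsts\n'
}

# Usage: sh check_edges.sh yourdomain.com <EDGE_IP_1> <EDGE_IP_2> ...
if [ "$#" -ge 2 ]; then
  host=$1; shift
  for ip in "$@"; do probe_edge "$host" "$ip"; done | check_consistency
fi
```

A `REVIEW` line listing different fingerprints or HSTS states for different IPs means the domain is being answered by more than one HTTPS configuration, which is the condition Problem 3 describes.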

## FAQ

**Q: Why can't I enable website proxy HTTPS for my domain in Certificate Management Service?**  
A: Your domain is likely already associated with a security or acceleration service like WAF, Anti-DDoS, or CDN. These services provide their own HTTPS proxy capabilities, and enabling it again in CAS would create a conflict. Use the HTTPS feature within the existing service instead.

**Q: How do I check if my domain is linked to WAF or CDN?**  
A: Log in to the Alibaba Cloud console and navigate to the WAF, Anti-DDoS, or CDN service dashboards. Look for your domain in their domain lists. Alternatively, use the Alibaba Cloud CLI to query domain associations programmatically.

**Q: Can I use Certificate Management Service to manage certificates even if I don’t use its website proxy HTTPS?**  
A: Yes. You can issue, upload, and manage certificates in CAS and then deploy them manually or via API to other services like WAF, CDN, or SLB. CAS acts as a certificate repository regardless of proxy usage.

**Q: What happens if I force-enable website proxy HTTPS on a protected domain?**  
A: The system prevents this action entirely. You will receive the error `This domain name is already in use`, and the configuration will not be applied. This safeguard ensures your security posture isn’t compromised by misconfiguration.

**Q: Where should I configure my SSL certificate if I use both CDN and WAF?**  
A: Configure the certificate in the outermost service—typically CDN if it’s in front of WAF, or WAF if it’s the first point of contact. Avoid duplicating certificate binding across layers unless required for end-to-end encryption, and ensure consistent cipher suites and protocols.