My website is down. Now what? Part 5 – SSL/HTTPS Issues

This is part of a series on diagnosing your website outage issues. This is part five; links to the other parts are here.

In Part 1 of this series we covered the overview of what could have broken to cause your website to go down. In Part 2, we started working through those possible issues by diagnosing DNS issues. In Part 3 we diagnosed routing issues. In Part 4 we looked at how to diagnose problems with any architectural layers such as firewalls. Now that we know all of that is working, we need to look at what is going on with the web host itself. If your site runs over HTTPS, there are myriad issues that a broken certificate or broken page code can cause, and that is the subject of this article.

This is not an article on what SSL is or how it works, but some basic terms and knowledge are necessary to understand the content of this article so I will lay them out.

Although secure web sessions are referred to as ‘SSL’ and certificates that provide this security are called ‘SSL Certificates’, the more correct term is TLS. The Transport Layer Security (TLS) standard replaced the Secure Sockets Layer (SSL) standard; every version of SSL proper is now deprecated and modern browsers will only negotiate TLS. But to avoid confusion I will use SSL since it is in more common use even though this guy will kill me.

SSL certificates are the mechanism by which secure Hypertext Transfer Protocol (HTTP) sessions are created. Those secure HTTP sessions are referred to as HTTPS (note the ‘S’ denoting Secure). The proper way to think of this is that traffic between your website and your visitor is encrypted when they connect to your web server using https:// links, and that the SSL certificate installed on your host is what makes that possible: it carries your server’s public key, signed by a certificate authority the browser trusts, and the browser uses it both to verify who it is talking to and to negotiate the session keys that actually do the encrypting.

Lastly before we jump in, it’s important to understand what SSL certificates actually do. They have two jobs:

  1. Encrypt the traffic between your website visitor and your website so that it cannot be read if it is intercepted by bad guys. Intercepting traffic is easier than you probably think, but if the requests are encrypted the bad guy only gets a bunch of encrypted blobs.
  2. Authenticate your website to the browser, meaning it assures your browser that it is connecting to the website it asked for. (This is often loosely called non-repudiation, but that term properly means a signer cannot later deny a signature; what a server certificate gives you is authentication of the server’s identity.) Imagine if you told your browser to connect to your bank, but it connected to some other bad site and you entered your username and password into that bad site. SSL authentication prevents that. I wrote an article on the other things SSL certificates do for the Sucuri blog here if you’d like more information on that.

So, knowing the two main jobs SSL does, what can go wrong on your SSL-enabled site? Here are some of the most common:

Your SSL certificate is broken in some way

I use the term broken to mean a number of things. The most common problems I see are expired SSL certificates, and SSL certificates that do not match the domain name. However, if you want to see all the gory ways in which an SSL certificate can be broken or invalid, the BadSSL.com site lays it out for you. The reason these types of errors cause your browser to refuse to load the site is because of SSL’s second job: authentication. Only a valid certificate can prove that the server is who it claims to be, so a browser that cannot validate the certificate treats the connection as untrustworthy rather than guessing.

Expired SSL certificate

Expired SSL certificate image

If the SSL certificate on your host is expired, any decent browser will refuse to load the entire site and instead display an ‘EXPIRED’ error that looks something like the one above. SSL certificates have a fixed validity period, and once they expire they are no longer considered valid. That period used to be a year or more; publicly trusted certificates are now capped at 398 days, and free certificates from Let’s Encrypt last only 90 days, so renewal has to be a routine (ideally automated) task rather than something you remember every couple of years. Note that the browser checks the whole chain, so an expired intermediate certificate supplied by your certificate authority produces the same error even if your own certificate is fine.

To fix this type of problem, renew the certificate (or obtain a new one) and install it on your web server together with the intermediate chain that came with it. Then check the expiry date of what the server actually presents, not just the file you uploaded; a stale copy left in place is a very common way for the ‘fix’ to not take.

Certificate is not valid for your domain

Bad domain name cert error image

If your web host has not provided you with an SSL certificate, that does not necessarily mean that there is not an SSL certificate on the host for some other domain. This happens frequently with inexpensive shared web hosting plans because many websites share a server, but only a few may have SSL certificates installed. The server picks which certificate to present based on the hostname the browser sends at the start of the TLS handshake (Server Name Indication, or SNI); when nothing matches your domain it falls back to its default certificate, which is typically some other customer’s. In this situation, if your website is requested under HTTPS, then an incorrect SSL certificate is served to your visitor’s browser and produces a ‘BAD DOMAIN’ type error as shown above. A subtler version of the same error is a certificate that covers example.com but not www.example.com (or the reverse): browsers check the names in the certificate’s Subject Alternative Name list, and a hostname is either on that list or it isn’t, with a wildcard like *.example.com covering www.example.com but not example.com itself.

To fix this problem, you’ll need to install a certificate onto your host whose Subject Alternative Names cover every hostname your visitors use (typically both the bare domain and www).
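To show what the browser is actually checking in both of the cases above, here is an added example that is not part of the original article and not code from any certificate tool. It runs the expiry and hostname checks offline on the dictionary shape that Python’s ssl.SSLSocket.getpeercert() returns; the two sample certificates are constructed, the example.com and hosting-provider.example names are assumptions, and fetch_and_diagnose() is a hypothetical helper that runs the same checks against a live server.

```python
"""Added example (not from the original article): the two checks a browser
applies before it trusts a certificate for a site, expiry and hostname
match, run offline on the dictionary shape that ssl.SSLSocket.getpeercert()
returns. The sample certificates below are constructed for illustration and
fetch_and_diagnose() is a hypothetical helper for running the same checks
against a live server."""
import datetime
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate the way browsers do: case-
    insensitive exact match, or a leading '*' standing for exactly one label.
    So '*.example.com' covers 'www.example.com' but not 'example.com' itself
    and not 'a.b.example.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_names(cert: dict) -> list:
    """Names the certificate is valid for. Browsers use the Subject
    Alternative Name list; the subject commonName is only a legacy fallback."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def diagnose_cert(cert: dict, hostname: str, now: datetime.datetime) -> list:
    """Return human-readable problems for `hostname` at time `now` (an
    aware UTC datetime); an empty list means the certificate passes."""
    problems = []
    now_s = now.timestamp()
    if now_s > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"EXPIRED: certificate expired on {cert['notAfter']}")
    elif now_s < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append(f"NOT YET VALID: certificate starts on {cert['notBefore']}")
    names = cert_names(cert)
    if not any(hostname_matches(name, hostname) for name in names):
        problems.append(f"BAD DOMAIN: {hostname!r} is not in {names}")
    return problems


def fetch_and_diagnose(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Hypothetical live check (needs network). A verifying context reports
    the same failures a browser would via verify_message; if verification
    passes, the parsed certificate goes through the offline checks above."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname sends SNI, which is how a shared host decides
            # which of its certificates to present.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return [f"VERIFY FAILED: {err.verify_message}"]
    return diagnose_cert(cert, host, datetime.datetime.now(datetime.timezone.utc))


# Constructed sample in getpeercert() format: issued for the apex and www
# names but already past its notAfter date.
EXPIRED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

# Constructed sample: a shared host's default certificate, valid in time
# but issued for another customer's wildcard name.
OTHER_TENANT_CERT = {
    "subject": ((("commonName", "*.hosting-provider.example"),),),
    "subjectAltName": (("DNS", "*.hosting-provider.example"),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

NOW = datetime.datetime(2025, 6, 1, tzinfo=datetime.timezone.utc)

if __name__ == "__main__":
    for label, cert in (("expired", EXPIRED_CERT), ("other tenant", OTHER_TENANT_CERT)):
        print(f"{label}: {diagnose_cert(cert, 'www.example.com', NOW) or 'OK'}")
```

Running the file prints the verdict for each sample; to check a real host, call fetch_and_diagnose('www.example.com'). Note that hostname_matches() implements the browser rule, so a certificate for *.example.com passing for www.example.com but failing for the bare example.com is the expected result, not a bug in the check.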

Mixed-Content issues

The term ‘mixed-content’ refers to a web page that has both insecure (HTTP) and secure (HTTPS) content in it. If you’ve read Part 3 of this series, you’ll recall that your browser requests web pages be sent to it, and that the server sends them over whichever protocol was requested. Meaning, if you requested the site over https:// then the page will be sent to you over HTTPS. Web pages, however, are rarely one thing; they are usually made up of many different pieces of content such as images, style sheets and JavaScript files, and your browser has to request every one of those files individually.

If the web page is incorrectly coded to load those bits of content over HTTP, then your browser will refuse to fetch them if you’ve requested the site over HTTPS. The content is referred to as ‘mixed’ because the page contains a mix of secure and insecure content. The reason browsers block it is that a single plaintext piece undermines both of SSL’s jobs for the whole page: not only can it be read in transit, but anyone who can intercept the HTTP response can alter it, and a tampered script or style sheet then runs inside your otherwise secure page. That is why browsers distinguish ‘active’ mixed content (scripts, style sheets, frames), which every modern browser blocks outright, from ‘passive’ content such as images, which used to be loaded with a warning and which current browsers now either upgrade to HTTPS automatically or block.

The impact of this can range from negligible to catastrophic. If your site loads one single image over HTTP then, at worst, that image simply won’t show up, which may not even be noticeable. But if your site loads a style sheet over HTTP, the browser will block it, none of your styles will be applied, and the site’s layout can break entirely.

Mixed content SSL error image

The image above shows a page that attempts to load a JavaScript file using HTTP (http://mixed-script.badssl.com/nonsecure.js). I’ve opened the developer tools of my browser so you can see the error it displays. Since I’ve called the site over HTTPS, my browser refuses to load the script and reports the blocked request in the console.

Depending on what that javascript is supposed to do, that may totally break my site.

To fix this problem, you’ll need to go through your site and replace any hardcoded links to http:// resources. For example, change this:

<img src="http://example.com/images/title.jpg" />

to this:

<img src="/images/title.jpg" />

By dropping the scheme and host from the src attribute and leaving a root-relative path, you make the browser request the content from the same server and over the same protocol as the page itself. For resources that live on another host, write https:// explicitly instead (a protocol-relative URL such as //example.com/images/title.jpg also inherits the page’s scheme, but there is no reason to leave it open now that every site should be HTTPS-only). Assuming you don’t have a broken SSL certificate, that will allow your browser to load the content securely and avoid the mixed-content errors. As a stopgap while you hunt down every link, the response header Content-Security-Policy: upgrade-insecure-requests tells browsers to rewrite http:// subresource requests to https:// before sending them, which only helps if those resources are actually available over HTTPS. Sites like Why No Padlock? and your browser’s developer console can help you find all the bad URLs on your site.
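Here is an added example, not code from the original article, that brings together the explanation of mixed content above and the fix just described: a Python scanner that finds hardcoded http:// subresources in a page, labels each as active or passive the way a browser would, and proposes the rewrite (a root-relative path for your own host, an explicit https:// for third parties). The sample page, the example.com site host and the cdn.example.net host are constructed for illustration.

```python
"""Added example (not from the original article): an offline scanner that
finds the hardcoded http:// subresources the text describes, tells active
from passive mixed content, and proposes the rewrite shown above. The sample
page and the SITE_HOST value are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tag/attribute pairs that make the browser fetch a subresource, and how
# browsers treat them when the URL is http:// on an https:// page.
# "active" content (scripts, stylesheets, frames) is blocked outright;
# "passive" content (images, media) is upgraded to https:// or blocked.
SUBRESOURCE = {
    ("script", "src"): "active",
    ("link", "href"): "active",      # only when rel="stylesheet", see below
    ("iframe", "src"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}


class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url, kind) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = [(name, value or "") for name, value in attrs]
        if tag == "link" and "stylesheet" not in dict(attrs).get("rel", "").lower():
            return  # icons, preconnects etc. are not loaded as page content
        for name, value in attrs:
            kind = SUBRESOURCE.get((tag, name))
            if kind and value.strip().lower().startswith("http://"):
                self.findings.append((tag, name, value.strip(), kind))


def suggest_fix(url: str, site_host: str) -> str:
    """Resources on your own host become root-relative paths, so the browser
    reuses the page's scheme; third-party resources get an explicit https://."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() == site_host.lower():
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    return urlunsplit(("https",) + tuple(parts[1:]))


def scan(html: str, site_host: str) -> list:
    """Return (tag, attribute, url, kind, suggested_url) for each finding."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return [(tag, name, url, kind, suggest_fix(url, site_host))
            for tag, name, url, kind in finder.findings]


def worst_case(findings: list) -> str:
    """'active' if anything is blocked outright, 'passive' if only media, else 'none'."""
    kinds = {finding[3] for finding in findings}
    return "active" if "active" in kinds else "passive" if kinds else "none"


SITE_HOST = "example.com"  # assumed hostname of the page being scanned

# Constructed sample page mixing good and bad references.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://example.com/css/site.css">
<link rel="icon" href="http://example.com/favicon.ico">
<script src="http://cdn.example.net/lib.js"></script>
<script src="https://cdn.example.net/ok.js"></script>
</head><body>
<img src="http://example.com/images/title.jpg" />
<img src="/images/logo.png" />
<iframe src="HTTP://example.com/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    results = scan(SAMPLE_PAGE, SITE_HOST)
    for tag, name, url, kind, fix in results:
        print(f"{kind:7} <{tag} {name}={url!r}>  ->  {fix}")
    print("worst case:", worst_case(results))
```

Point scan() at a saved copy of your page’s HTML (from curl or your browser’s ‘Save page as’) with your own hostname as site_host. It only inspects markup, so URLs assembled by JavaScript at runtime or referenced from inside CSS files will not be found; the browser console remains the final word on what actually got blocked.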

Now that you’ve fixed any HTTPS errors on your site, this concludes the tutorial proper. I’ll be writing some individual articles about other hosting issues that can occur, but they’re more edge cases than mainstream issues, so they will not be part of this tutorial; however, they will be under the website tag so you can find them if you’re looking.