---
Title: Troubleshoot issues
URL Source: https://company-skill.com/p/cas/cas-troubleshoot-issues
Language: en
Description: You're encountering an SSL/TLS certificate error and need to identify whether the root cause lies in certificate lifecycle management, server/browser configuration, or service-layer conflicts. The…
---

# Troubleshoot issues

Part of **Certificate Management Service (CAS)**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You're encountering an SSL/TLS certificate error and need to identify whether the root cause lies in certificate lifecycle management, server/browser configuration, or service-layer conflicts. The solution depends entirely on where and how the error manifests.

**Typical User Questions**:
- Chrome NET::ERR_CERT_AUTHORITY_INVALID
- Why does Firefox say my site is not secure?
- How to fix Java 'unable to find valid certification path'?
- Apache after SSL install

## Decision Tree

Pick the best path for your situation:

- **If** your error message includes **"Activation failed"**, **"ConfigurationPushFailed"**, **"CA_Security_Audit_Failed"**, or involves **domain validation**, **DNS validation**, or **free certificate quota** limits → go to *cas/cas-certificate*
- **If** you see browser-specific errors like **"NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"**, **"ERR_SSL_VERSION_OR_CIPHER_MISMATCH"**, **"SEC_ERROR_UNKNOWN_ISSUER"**, or server errors such as **"AH00526 syntax error"**, **"ngx_http_ssl_module"** missing, or Java’s **"unable to find valid certification path"** → go to *cas/cas-network*
- **If** you receive **"This domain name is already in use"** when enabling **Website Proxy HTTPS**, and your domain uses **Web Application Firewall**, **Anti-DDoS Pro**, **Anti-DDoS Premium**, or **CDN** → Use HTTPS (go to *cas/cas-website*)
- **Otherwise (default)** → Start with the network path (*cas/cas-network*), as most visible SSL issues manifest at the client or web server layer.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Console / Dashboard | | medium | No | No | Free DV certificates do not support .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear domains | `cas/troubleshooting/cas-certificate` |
| | SSL/TLS | medium | No | No | Chrome 53 has a known bug triggering NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED falsely | `cas/troubleshooting/cas-network` |
| HTTPS | HTTPS | low | No | No | Domains already protected by WAF, Anti-DDoS, or CDN cannot enable Website Proxy HTTPS | `cas/troubleshooting/cas-website` |

## Path Details

### Path 1: Console / Dashboard
**Brief Description**: This path addresses issues during certificate issuance and management in Alibaba Cloud Certificate Management Service (CAS), including failures during purchase, domain validation, or renewal. It requires a RAM user with the **AliyunYundunCertFullAccess** policy and handles errors like **InvalidValidationMethod** or **CA_Security_Audit_Failed** due to sensitive domain keywords.

**Key technical facts**:
- Auth method: RAM user with AliyunYundunCertFullAccess policy

**When NOT to Use**:
- Chrome ERR_SSL_VERSION_OR_CIPHER_MISMATCH

### Path 2: Console / Dashboard

**Best For**: SSL/TLS

**Brief Description**: This path resolves SSL/TLS integration issues with web servers (Apache, Nginx, IIS) and client compatibility problems in browsers or Java applications. It covers missing modules like **ngx_http_ssl_module** in Nginx or **socache_shmcb_module** in Apache, and trust chain issues causing **"unable to find valid certification path"** in Java.

**Key technical facts**:
- Prerequisites: Windows (IIS); Linux (root/sudo, Apache/Nginx)

**When to Use**:
- Chrome: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
- Nginx: unknown directive "ssl"

**Known Limitations**:
- Chrome 53 bug: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
- Apache SSL: socache_shmcb_module

### Path 3: HTTPS

**Best For**: HTTPS

**Brief Description**: This path handles conflicts when attempting to enable the **Website Proxy HTTPS** feature on domains already protected by Alibaba Cloud **Web Application Firewall**, **Anti-DDoS Pro**, **Anti-DDoS Premium**, or **CDN** services. The system blocks this to prevent **conflicting HTTPS termination** points.

**Key technical facts**:
- Prerequisites: WAF, Anti-DDoS, CDN

**When to Use**:
- HTTPS: "This domain name is already in use"
- WAF, Anti-DDoS, CDN, CAS, HTTPS

**When NOT to Use**:
- Chrome ERR_SSL_VERSION_OR_CIPHER_MISMATCH

## FAQ

Q: Which path should I start with?
A: If you’re seeing a browser warning or server startup failure, begin with the network path (*cas/cas-network*). If the error occurs during certificate purchase or renewal in the CAS console, use the certificate path (*cas/cas-certificate*). Only use **HTTPS** if you explicitly tried enabling that feature and got “This domain name is already in use”.

Q: What if I have a domain like `mybank.live` but used the generic certificate path?
A: You’ll likely hit **CA_Security_Audit_Failed** because domains containing sensitive words like **bank** or **live** trigger manual review or rejection, even if other paths might seem applicable.

Q: If I’m using CDN and try to enable Website Proxy HTTPS, what happens?
A: The system blocks it with **"This domain name is already in use"** because **CDN** is a **security protection service** or **acceleration service** that already terminates HTTPS, creating **conflicting HTTPS termination**.

Q: What if I chose the network path but my real issue is free certificate quota exhaustion?
A: You’ll waste time debugging Nginx or browser settings while the actual problem is that you’ve exceeded the **free certificate quota** (20 certificates), which only the certificate path (*cas/cas-certificate*) addresses.

Q: Can I use DNS validation for a wildcard certificate if I’m on the network troubleshooting path?
A: No — **DNS validation**, but this constraint is only documented in the **** path. Using the wrong path may lead you to attempt an unsupported validation method.

Q: Why does Firefox show “not secure” when Chrome works fine?
A: Firefox enforces stricter **TLS 1.2 cipher suite** requirements and may reject weak chains that Chrome accepts. This is a classic case for the network path (*cas/cas-network*).

Q: Does the website proxy path apply if I use Anti-DDoS Premium?
A: Yes — **Anti-DDoS Premium** (like **Anti-DDoS Pro** and **Web Application Firewall**) is considered a **security protection service**, so enabling **Website Proxy HTTPS** will fail with a domain conflict error.

## Related queries

ssl certificate error, tls certificate issue, certificate not trusted, browser certificate warning, domain validation failed, certificate renewal failed, chrome err cert, firefox sec error, java ssl handshake failed, iis ssl setup error, nginx ssl unknown directive, apache ssl restart fail, csr doma

