HTTPS troubleshooting
Are you seeing a certificate error in the browser? This article aims to help developers troubleshooting such errors.
TLS certificates are provided for all domains. See the HTTPS article for general features and configuration.
# Review certificates in the browser
To troubleshoot TLS/SSL issues, it's often helpful to view the certificate in the browser. In Chrome and Firefox you can:
- open
https://www.{{domain}}.com< make sure to use https not http - click on the lock icon
- click on the "certificate" to reveal the cert
# You see a certificate warning
You visit your Apps domain under the https:// address and the browser throws an error that the certificate can't be verified. If you inspect the cert in the browser, you see that the cert is issued for *.frbit.app not for your domain. The error might be:
NET::ERR_CERT_COMMON_NAME_INVALIDraw
This can happen, if the domain is brand new and the cert is not yet installed. It can take up to 24 hours for the certs to get installed. The cert for the apex domain (for forwarding) usually takes a bit longer than the other one.
This can also happen, if your domain is not routed to fortrabbit (yet). Only domains that are already routed to fortrabbit will receive a TLS cert. Please see the domain settings in the Dashboard.
There are also other edge cases when this can happen, for example, if your domain has set CAA records with DNS.
# The browser shows a mixed content warning
The cert is installed but you are seeing an error like this:
Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ''. This request has been blocked; the content must be served over HTTPS.
Your website is requesting external resources over non-secure addresses (http). Check the source code of your website and find and replace all http:// requests. This can be CSS files, fonts, images or AJAX calls.
You can use https:// instead or you just leave out the protocol entirely like so: //. The last method will use whatever has been used before, so that works especially well, with different environments, for instance when your local development machine doesn't have TLS.
# Solve SSL verification errors
This is the fix for verification errors when using ssl_verify. If you are receiving an error like the following:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failedraw
You need to set the capath as well. Assuming you are using PHP streams, it would look like this:
$context = stream_context_create(); stream_context_set_option($context, 'ssl', 'verify_peer', true); stream_context_set_option($context, 'ssl', 'capath', '/etc/ssl/certs'); # <<< that's the one stream_context_set_option($context, 'ssl', 'allow_self_signed', false); $fp = stream_socket_client("thedomain.tld:443", $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $context); # .. if (stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_SSLv3_CLIENT) === false) { die("Failed to verify certificate"); } #...php
For cURL, the option CURLOPT_CAPATH needs to be set to /etc/ssl/certs.
Found a tpyo?Edit