Below is a server-specific, practical fix guide for the most common SSL/TLS problems, organized by Apache, Nginx, and CDN / reverse-proxy setups. This focuses on what to check, what to configure, and what typically breaks.
Apache (httpd)
1. Install the full certificate chain (most common mistake)
Correct configuration
SSLEngine on
SSLCertificateFile /etc/ssl/certs/fullchain.pem
SSLCertificateKeyFile /etc/ssl/private/privkey.pem
Notes
- fullchain.pem must contain the leaf certificate first, followed by each intermediate in order (Apache 2.4.8+ reads the chain from SSLCertificateFile; older releases need SSLCertificateChainFile for the intermediates)
- Do NOT use only cert.pem: clients that do not fetch missing intermediates themselves will report an untrusted chain
- Restart or reload Apache after changes
2. Fix domain mismatch (www / non-www)
Use one SAN certificate that covers every name the VirtualHost answers for (or one VirtualHost and certificate per name). The certificate is selected by the SNI name the client sends, so every ServerName and ServerAlias must appear in it.
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
</VirtualHost>
Ensure the certificate includes both names.
3. Force HTTPS without redirect loops
Correct
<VirtualHost *:80>
Redirect permanent / https://example.com/
</VirtualHost>
Behind a CDN (or any TLS-terminating proxy) the origin sees plain HTTP, so redirecting on the scheme alone loops. Redirect only when the proxy says the client used HTTP:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Only trust X-Forwarded-Proto when the origin is reachable solely through the proxy; a client that can reach the origin directly can set the header to anything.
4. Enable modern TLS only
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
HIGH:!aNULL:!MD5 is a loose baseline: under TLS 1.2 it still permits CBC suites and RSA key exchange without forward secrecy. Tighten it to an explicit ECDHE/AEAD list (the Mozilla "intermediate" profile is a good source) if those must be excluded. TLS 1.3 suites are configured separately with SSLCipherSuite TLSv1.3 ... (Apache 2.4.36+ with OpenSSL 1.1.1+); the line above only affects TLS 1.2.
5. Enable OCSP stapling
SSLUseStapling on
SSLStaplingCache shmcb:/var/run/ocsp(128000)
SSLStaplingCache must be set at server scope (outside any <VirtualHost>) and needs mod_socache_shmcb loaded; SSLUseStapling goes inside each TLS VirtualHost. Apache must be able to reach the CA's OCSP responder; set SSLStaplingReturnResponderErrors off so a failed fetch is not stapled to clients as an error response.
Nginx
1. Correct certificate + key (must match)
ssl_certificate /etc/ssl/certs/fullchain.pem;
ssl_certificate_key /etc/ssl/private/privkey.pem;
Verify (the two hashes must match)
openssl x509 -noout -modulus -in fullchain.pem | openssl md5
openssl rsa -noout -modulus -in privkey.pem | openssl md5
The modulus comparison only works for RSA keys. A check that covers RSA and EC keys alike is to compare the public keys:
openssl x509 -noout -pubkey -in fullchain.pem | openssl sha256
openssl pkey -pubout -in privkey.pem | openssl sha256
(openssl x509 reads only the first certificate in fullchain.pem, the leaf, which is the one the key must match.)
2. HTTP → HTTPS redirect (safe setup)
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
3. Fix mixed content (proxy / app)
Tell the application which scheme the client used, so it generates https:// links:
proxy_set_header X-Forwarded-Proto $scheme;
For PHP-FPM (inside the listen 443 server block only, otherwise every request looks like HTTPS to the app):
fastcgi_param HTTPS on;
The proxied application must actually read X-Forwarded-Proto (most frameworks need a "trusted proxies" setting for that); hardcoded http:// URLs in templates still have to be fixed in the app itself.
4. Enable modern TLS and ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
With only TLS 1.2/1.3 enabled, letting the client choose (ssl_prefer_server_ciphers off) is the current Mozilla recommendation. nginx's default ssl_ciphers (HIGH:!aNULL:!MD5) still includes CBC and non-forward-secret RSA suites for TLS 1.2; set ssl_ciphers to an explicit ECDHE list if those must be excluded. ssl_ciphers does not affect TLS 1.3 suites.
5. Enable OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/chain.pem;
resolver 1.1.1.1 8.8.8.8 valid=300s;
ssl_stapling_verify only works if ssl_trusted_certificate points at a file with the issuing intermediates and the root (chain.pem above is an example path), otherwise nginx cannot validate the OCSP response and silently does not staple. The resolver is used to look up the OCSP responder, so nginx needs outbound DNS and HTTP to the CA. nginx fetches the response lazily, so the first handshake after a start is not stapled; check with openssl s_client -status once a second connection has been made.
6. HSTS (only after HTTPS works on every host you intend to cover)
add_header Strict-Transport-Security "max-age=31536000" always;
Put this in the listen 443 server block. add_header is not inherited into a location block that declares its own add_header, so repeat it there. Add includeSubDomains (and preload) only once every subdomain serves valid HTTPS, because browsers enforce the policy for the full max-age.
CDN / Reverse Proxy Setups
Cloudflare (example)
Recommended SSL mode
- Full (Strict): Cloudflare connects to the origin over HTTPS and validates the origin certificate
Origin
- Must have a valid certificate (public CA or Cloudflare Origin CA; Origin CA certificates are trusted only by Cloudflare, so the origin must not be exposed directly)
Common fixes
- Error 525 → TLS handshake with the origin failed (origin not listening on 443, no certificate for the requested SNI name, or no TLS version/cipher in common)
- Error 526 → origin certificate rejected in Full (Strict) (expired, self-signed, or not matching the hostname)
Avoid
- Flexible SSL: Cloudflare speaks plain HTTP to the origin, so any origin-side HTTPS redirect loops, and the CDN-to-origin leg is unencrypted
- Full (not Strict): encrypted, but the origin certificate is not validated, so anyone on the path to the origin can impersonate it
CDN + Nginx/Apache redirect loop fix
Wrong
- CDN forces HTTPS
- Origin also forces HTTPS without checking headers (the CDN reaches the origin over HTTP, so the origin redirects every request to HTTPS, which arrives as HTTP again)
Correct
- CDN handles the redirect
- Origin trusts X-Forwarded-Proto set by the CDN and redirects only when it is "http"
The header is only meaningful if nobody but the CDN can reach the origin: restrict the origin to the CDN's IP ranges (or use authenticated origin pulls), otherwise a direct client can forge it.
Nginx (server context):
if ($http_x_forwarded_proto = "http") {
return 301 https://$host$request_uri;
}
Apache:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
CDN certificate mismatch
Symptom
- Browser shows the CDN's edge certificate, not one from your CA
Fix
- That is expected: the CDN terminates TLS with its own certificate, and the browser never sees the origin certificate
- Ensure the origin certificate is valid and trusted by the CDN
- In strict mode the origin certificate must also match the hostname the CDN connects with
Load Balancers (AWS ALB / Nginx / HAProxy)
TLS termination at load balancer
Pattern
- Client → HTTPS → LB
- LB → HTTP or HTTPS → backend
Fix
- Backend must accept X-Forwarded-Proto from the load balancer
- Backend must not force HTTPS blindly (it sees plain HTTP when the LB terminates TLS)
HAProxy example
frontend https
    mode http
    bind *:443 ssl crt /etc/haproxy/certs.pem
    http-request set-header X-Forwarded-Proto https
    default_backend app
certs.pem is a single PEM file with the certificate, its intermediates and the private key concatenated. Set the minimum version globally with ssl-default-bind-options ssl-min-ver TLSv1.2 (HAProxy 1.8+). If the LB should also own the HTTP to HTTPS redirect, add bind *:80 to the frontend and http-request redirect scheme https unless { ssl_fc }.
Verification & Debugging Commands
Check certificate chain (expect "Verify return code: 0 (ok)" and more than one certificate in the output)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
Check supported TLS versions (both should negotiate; anything older than TLS 1.2 should fail to negotiate)
openssl s_client -tls1_2 -connect example.com:443 -servername example.com </dev/null
openssl s_client -tls1_3 -connect example.com:443 -servername example.com </dev/null
Check HTTP headers (redirect target on port 80, HSTS on port 443)
curl -sI http://example.com
curl -sI https://example.com
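The chain and key checks above (and the key-match check in the Nginx section) can be run offline before any restart. The script below is an added example for this guide, not code from the page or from Apache/Nginx, and assumes the layout used on this page: fullchain.pem with the leaf first, privkey.pem, a root CA file (ca-root.pem is an assumed name), and the list of hostnames the vhost serves. It compares public keys rather than RSA moduli, so it works for EC keys too, and it checks the chain the way a client without AIA fetching would see it.

```shell
#!/usr/bin/env bash
# Offline pre-deployment checks for a TLS certificate/key pair.
# Added example, not from the original guide. Assumes:
#   - fullchain.pem: leaf certificate first, then the intermediates
#   - privkey.pem:   the matching private key (RSA or EC)
#   - a root CA file (ca-root.pem below is an assumed name)
#   - the hostnames this vhost must answer for (apex and www)
set -eu

# Does the private key belong to the leaf certificate?
# Compares the SubjectPublicKeyInfo of both sides, so unlike the RSA-only
# "openssl rsa -modulus" comparison this also works for EC keys.
key_matches_cert() {
  local chain=$1 key=$2 cert_pub key_pub
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  [ "$cert_pub" = "$key_pub" ]
}

# Does the file carry every intermediate needed to reach the root?
# The first certificate in the file is the leaf; the whole file is offered as
# the untrusted pool, exactly what a client that does no AIA fetching sees.
# A leaf-only file fails here, which is the "works in Chrome, fails in
# Firefox" symptom from the diagnosis table.
chain_is_complete() {
  local chain=$1 root=$2 leaf rc=1
  leaf=$(mktemp)
  openssl x509 -in "$chain" -out "$leaf"
  if openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1; then
    rc=0
  fi
  rm -f "$leaf"
  return "$rc"
}

# Does the leaf's subjectAltName list every hostname the vhost answers for?
# Exact DNS-name match only; wildcard entries are not expanded.
cert_covers_hosts() {
  local chain=$1 sans h
  shift
  sans=$(openssl x509 -in "$chain" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n1 \
         | tr ',' '\n' | sed -n 's/.*DNS://p' | tr -d ' ')
  for h in "$@"; do
    printf '%s\n' "$sans" | grep -qx -- "$h" || return 1
  done
  return 0
}

# Run all three checks; the first failure stops the run with a non-zero
# status so this can gate a deployment or a reload.
run_checks() {
  local chain=$1 key=$2 root=$3
  shift 3
  key_matches_cert "$chain" "$key"   || { echo "FAIL: private key does not match the leaf certificate"; return 1; }
  chain_is_complete "$chain" "$root" || { echo "FAIL: chain incomplete (leaf only, or an intermediate is missing)"; return 1; }
  cert_covers_hosts "$chain" "$@"    || { echo "FAIL: certificate does not cover all hostnames: $*"; return 1; }
  echo "OK: key matches, chain complete, hostnames covered: $*"
}

# Example invocation (assumed paths):
# run_checks /etc/ssl/certs/fullchain.pem /etc/ssl/private/privkey.pem \
#            /etc/ssl/certs/ca-root.pem example.com www.example.com
```

Run it as a pre-reload hook: a non-zero exit means the server would come up with a key/cert mismatch, a chain that only browsers with AIA fetching accept, or a certificate that does not cover the www or apex name.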
Quick diagnosis table
| Symptom | Likely cause | Fix location |
|---|---|---|
| Works in Chrome, fails in Firefox / curl / mobile apps | Missing intermediate (Chrome fetches it via the AIA URL, most other clients do not) | Apache/Nginx chain file |
| Redirect loop | Origin redirects on scheme while the CDN/LB sends plain HTTP | CDN / server |
| Error 525 / 526 | Origin TLS handshake fails or origin certificate invalid | Origin server |
| Mixed content | Hardcoded http:// URLs, or app unaware of X-Forwarded-Proto | App / server |
| Some devices fail | Client lacks TLS 1.2, no cipher in common, or no SNI support | Server |