Security
SSL/TLS certificates explained for developers
Every HTTPS connection relies on a TLS certificate. Understanding how they work helps you debug errors, avoid common misconfigurations, and choose the right setup for your project.
What a certificate does
A TLS certificate serves two purposes: it proves the server really is who it claims to be (authentication), and it enables encrypted communication (confidentiality). Browsers verify certificates by checking the signature of a trusted Certificate Authority (CA).
Certificate Authorities
A CA is an organisation that issues and signs certificates. Browsers ship with a list of trusted CAs. If a certificate is signed by one of them (or by an intermediate CA that chains up to one), the browser trusts it. Let’s Encrypt is a free, automated CA that issues domain-validated (DV) certificates.
Let’s Encrypt and ACME
Let’s Encrypt uses the ACME protocol to automate certificate issuance. Your server proves it controls the domain by either:
- HTTP-01 challenge: serving a token file at http://yourdomain.com/.well-known/acme-challenge/
- DNS-01 challenge: adding a TXT record to your DNS
Simplewala uses HTTP-01 via Nginx. The process is fully automatic.
Common errors and fixes
| Error | Likely cause |
|---|---|
| ERR_CERT_AUTHORITY_INVALID | Self-signed cert, expired cert, or missing intermediate chain |
| NET::ERR_CERT_DATE_INVALID | Certificate expired — renew or check auto-renewal |
| ERR_CERT_COMMON_NAME_INVALID | Certificate domain doesn’t match the requested domain |
| ACME validation failed | DNS not pointing to the server yet, or port 80 blocked |
Debugging with openssl
```bash
# Check the certificate served by a domain
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null \
  | openssl x509 -noout -dates -subject
```
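The same two fields the openssl command prints (validity dates and subject/SAN names) are what a browser checks before raising the date and common-name errors in the table above. The script below is an added example, not Simplewala's code: it takes a certificate in the dictionary shape Python's `ssl` module returns from `getpeercert()`, so it can be fed a live certificate or the constructed sample embedded here, and reports which of those errors would apply plus whether the certificate is inside a 30-day renewal window. The hostname-matching rules are a simplified RFC 6125 reading; the sample certificate and timestamps are constructed.

```python
"""Offline check of a certificate's validity window and hostname match."""
import ssl
import time

RENEWAL_WINDOW_DAYS = 30  # renew this many days before notAfter


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a single '*' may only replace the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*.example.com' matches 'www.example.com' but not 'example.com' or 'a.b.example.com';
    # '*.com' is rejected so a wildcard cannot cover an entire public suffix.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """DNS names the certificate is valid for: SAN entries, CN only as a fallback."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_certificate(cert: dict, hostname: str, now: float = None) -> list:
    """Return the browser-style errors that would apply (plus RENEW_SOON as a warning)."""
    now = time.time() if now is None else now
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before or now > not_after:
        problems.append("NET::ERR_CERT_DATE_INVALID")
    elif not_after - now < RENEWAL_WINDOW_DAYS * 86400:
        problems.append("RENEW_SOON")
    if not any(hostname_matches(name, hostname) for name in certificate_names(cert)):
        problems.append("ERR_CERT_COMMON_NAME_INVALID")
    return problems


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb  1 00:00:00 2025 GMT")  # 59 days left

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "api.dev.example.com", "other.com"):
        print(host, check_certificate(SAMPLE_CERT, host, now=SAMPLE_NOW))
```

To run it against a real server, pass the dictionary returned by `ssl.SSLSocket.getpeercert()` after a handshake with `ssl.create_default_context()`.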
On Simplewala
Simplewala provisions Let’s Encrypt certificates automatically for every domain you add to the Front Door proxy. Certificates are renewed 30 days before expiry with no manual action required.