Common TLS issues
| Issue | Severity |
|---|---|
| TLS 1.0 / 1.1 enabled | Critical — deprecated, known vulnerabilities, rejected by modern browsers |
| Certificate expired | High — browsers show a warning, users leave |
| Certificate expiring soon (< 14 days) | High — renew immediately |
| Self-signed certificate | High — no trusted CA, browser warning |
| Domain mismatch | High — browser blocks the connection |
Diagnose
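# Check if the server accepts TLS 1.1
# (</dev/null makes s_client exit after the handshake instead of waiting for input)
# OpenSSL 3.x clients refuse TLS 1.0 / 1.1 at the default security level; add
# -cipher 'DEFAULT:@SECLEVEL=0' so a failure reflects the server, not the client
openssl s_client -connect yoursite.com:443 -tls1_1 </dev/null 2>/dev/null | grep "Cipher"
# If it names a real cipher suite, TLS 1.1 is still active
# "Cipher is (NONE)" or "Cipher : 0000" means the handshake was refused
# Same for TLS 1.0
openssl s_client -connect yoursite.com:443 -tls1 </dev/null 2>/dev/null | grep "Cipher"
# Check certificate expiry
openssl s_client -connect yoursite.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates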
Vercel / Netlify
TLS is fully managed — certificates are issued and renewed automatically. If vibeblame still reports an issue, the likely cause is a custom domain that wasn't verified or is misconfigured. Check the domain settings in the platform dashboard.
Cloudflare
TLS is also managed. To disable TLS 1.0 / 1.1:
Cloudflare Dashboard -> SSL/TLS -> Edge Certificates -> Minimum TLS Version -> set to TLS 1.2
Nginx (VPS / self-hosted)
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/yoursite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yoursite.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
}
nginx -t && nginx -s reload
Apache
# httpd.conf or ssl.conf
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
apachectl configtest && systemctl restart apache2
Vue (Nuxt) and Angular
TLS is configured at the infrastructure level — not inside Nuxt or Angular application code. Use the Nginx, Cloudflare, Vercel, or Netlify configs from this guide depending on your hosting.
Local HTTPS for Nuxt development:
# Generate a local trusted cert
brew install mkcert && mkcert -install
mkcert localhost
// nuxt.config.ts
export default defineNuxtConfig({
  devServer: {
    https: {
      key: './localhost-key.pem',
      cert: './localhost.pem',
    },
  },
})
Local HTTPS for Angular development:
mkcert localhost
ng serve --ssl --ssl-key localhost-key.pem --ssl-cert localhost.pem
In production, deploy behind Nginx, Cloudflare, or a managed platform and apply TLS settings there.
WordPress / PHP on shared hosting
On shared hosting (cPanel, Plesk), you usually can't edit the server config directly. Options:
- Cloudflare (free plan) — add your site to Cloudflare, set Minimum TLS Version to 1.2. Cloudflare terminates TLS before the request reaches your hosting.
- Hosting control panel — many hosts have an SSL/TLS section in cPanel or Plesk where you can select the minimum TLS version.
- Contact your host — ask them to disable TLS 1.0 / 1.1 for your domain.
For certificate management on cPanel, use the built-in Let's Encrypt integration (usually under "SSL/TLS" or "Let's Encrypt SSL") — it handles auto-renewal.
Tilda
TLS is managed by Tilda. If the certificate is issued through Tilda, there is nothing to configure — contact Tilda support if there is a problem.
If your domain goes through Cloudflare, set Minimum TLS Version to 1.2 as described above.
Certificate auto-renewal with Let's Encrypt (self-hosted)
# Install certbot
apt install certbot python3-certbot-nginx # or python3-certbot-apache
# Issue a certificate
certbot --nginx -d yoursite.com -d www.yoursite.com
# Test renewal
certbot renew --dry-run
# Add to cron (twice daily)
crontab -e
# Add:
0 0,12 * * * certbot renew --quiet --post-hook "nginx -s reload"
Domain mismatch
Happens when the certificate covers yoursite.com but the request comes to www.yoursite.com, or vice versa.
Issue a certificate for both:
certbot --nginx -d yoursite.com -d www.yoursite.com
And add a redirect so only one variant is used:
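# This block redirects plain HTTP only; requests to https://www.yoursite.com
# need a matching "listen 443 ssl" block that uses the certificate issued above
server {
    listen 80;
    server_name www.yoursite.com;
    return 301 https://yoursite.com$request_uri;
}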
Verify
openssl s_client -connect yoursite.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -E "Not After|DNS:"
For a full graded report, use SSL Labs. Aim for grade A or A+.
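
The check below is an added example, not part of the original guide: it parses the text printed by the Verify command above and applies the table's rules for expired, expiring soon (< 14 days) and domain mismatch. The function names and the sample certificate text are constructed for illustration, and wildcard matching is simplified to a single left-most label.

```python
import re
from datetime import datetime, timezone

EXPIRY_WARN_DAYS = 14  # "expiring soon" threshold from the table

# Constructed sample of `openssl x509 -noout -text | grep -E "Not After|DNS:"` output
SAMPLE = """\
            Not After : Mar 10 12:00:00 2030 GMT
                DNS:yoursite.com, DNS:*.shop.yoursite.com
"""

def parse_cert_summary(text):
    """Return (not_after as aware UTC datetime, list of DNS SAN entries)."""
    m = re.search(r"Not After\s*:\s*(.+?)\s*GMT", text)
    if not m:
        raise ValueError("no 'Not After' line in input")
    not_after = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    names = [n.lower() for n in re.findall(r"DNS:([^,\s]+)", text)]
    return not_after.replace(tzinfo=timezone.utc), names

def name_matches(pattern, host):
    """Exact match, or '*' standing in for exactly one left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_cert(text, host, now=None):
    """List the table's certificate issues that apply to `host`."""
    now = now or datetime.now(timezone.utc)
    not_after, names = parse_cert_summary(text)
    findings = []
    if not_after <= now:
        findings.append("Certificate expired")
    elif (not_after - now).days < EXPIRY_WARN_DAYS:
        findings.append("Certificate expiring soon")
    if not any(name_matches(n, host) for n in names):
        findings.append("Domain mismatch")
    return findings

if __name__ == "__main__":
    for host in ("yoursite.com", "www.yoursite.com"):
        print(host, check_cert(SAMPLE, host) or "OK")
```

To use it on a live site, pass the output of the Verify command as `text` and the hostname visitors actually type as `host`.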