WordPress HTTPS SSL Configuration Common Errors and Solutions
I hit more than 10 different pitfalls while setting up HTTPS on my WordPress site. From certificate application failures to Nginx configuration conflicts to the final mixed content issues, each one stopped me for hours. This article documents every real pitfall I encountered with verified solutions.
Background: Why HTTPS Matters
Starting in 2026, Google explicitly uses HTTPS as a ranking signal. Unencrypted sites not only suffer in search rankings — many modern browser features simply won't work. More practically: without HTTPS, your WordPress site can't call most third-party APIs (payments, social login, etc.).
5 Real Scenarios Where SSL Certificate Issuance Fails
Pitfall 1: Certbot Standalone Mode Grabs Port 80
Error message:
An unexpected error occurred:
The server encountered a temporary issue and may
not be able to restart the verification process.
**Root cause**: Certbot's --standalone mode needs to bind port 80 itself to verify your domain. If Nginx or Apache is already using port 80, verification fails immediately. This is extremely common among beginners.
Solution: Two correct approaches:
Option 1 (recommended): Use the Nginx plugin so Certbot verifies through Nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Option 2: Temporarily stop Nginx, use standalone mode to verify, then restart Nginx
sudo systemctl stop nginx
sudo certbot certonly --standalone -d yourdomain.com
sudo systemctl start nginx
Verification command: After issuance, verify the certificate was generated:
sudo certbot certificates
# Output should include: Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Pitfall 2: DNS TXT Record Propagation Delay
Error message:
The validation of your DNS TXT record is taking longer than expected.
This is usually due to slow propagation times.
Root cause: Let's Encrypt's DNS-01 verification requires publishing a TXT record in your DNS system. Due to global DNS synchronization timing, sometimes verification reports "record hasn't propagated yet."
Solution: Wait 2-5 minutes after setting the TXT record before retrying. Exact time depends on your DNS provider:
| DNS Provider | Typical Propagation Time |
|---|---|
| Cloudflare | 30 seconds - 2 minutes |
| Alibaba Cloud DNS | 1-5 minutes |
| DNSPod | 1-5 minutes |
| GoDaddy | 5-30 minutes |
Verification command: Manually check if TXT record is active before requesting:
dig TXT _acme-challenge.yourdomain.com +short
# Should return the random string Let's Encrypt gave you
Pitfall 3: CAA Records Blocking Issuance
Error message:
CAA record prevents issuance for this domain
Root cause: CAA (Certification Authority Authorization) records specify which CAs are allowed to issue certificates for your domain. If your DNS has CAA records that don't include Let's Encrypt, certificate issuance fails.
Solution: Add or modify the CAA record to allow Let's Encrypt:
yourdomain.com. IN CAA 0 issue "letsencrypt.org"
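Or, if you use Cloudflare or a similar service that configures CAA automatically, you can simply delete the CAA record: when a domain has no CAA record, any CA, including Let's Encrypt, is allowed to issue, which also lifts the restriction for every other CA.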
Verification command: Check current CAA records:
dig CAA yourdomain.com +short
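The decision a CA makes from that `dig` output can be reproduced locally before requesting a certificate. The following is an added example, not code from the original article; the function name `caa_allows` and the sample record are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): evaluate CAA records for one CA.
# stdin: lines as printed by `dig CAA yourdomain.com +short`, e.g. 0 issue "letsencrypt.org"
# $1: CA identifier to test (default letsencrypt.org)
# $2: "wild" when the certificate will contain a wildcard name
# Prints "allowed" or "blocked".
caa_allows() {
  awk -v ca="${1:-letsencrypt.org}" -v kind="${2:-}" '
    {
      tag = tolower($2)
      val = $0
      sub(/^[^"]*"/, "", val)      # drop everything up to the opening quote
      sub(/".*$/, "", val)         # drop the closing quote and anything after
      sub(/;.*$/, "", val)         # drop parameters such as ; validationmethods=dns-01
      gsub(/[ \t]/, "", val)
      val = tolower(val)
      if (tag == "issue")     { n_issue++; if (val == ca) ok_issue = 1 }
      if (tag == "issuewild") { n_wild++;  if (val == ca) ok_wild  = 1 }
    }
    END {
      # For wildcard names, issuewild records take precedence over issue records.
      if (kind == "wild" && n_wild > 0) { print (ok_wild ? "allowed" : "blocked"); exit }
      # No issue records at all (empty answer, or only iodef): no restriction.
      if (n_issue == 0) { print "allowed"; exit }
      print (ok_issue ? "allowed" : "blocked")
    }'
}

# Constructed sample: only another CA is authorised, so Let's Encrypt is refused.
printf '%s\n' '0 issue "digicert.com"' | caa_allows
```

Real use is `dig CAA yourdomain.com +short | caa_allows`. When a name has no CAA records of its own, CAs check the parent domain, so run the same check against each parent as well.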
Pitfall 4: Certificate Renewal Cron Conflicts with Nginx
Error message: Certificate clearly issued successfully, but auto-renewal fails after 90 days
Root cause: Let's Encrypt certificates are valid for 90 days and need auto-renewal. Many tutorials give this cron task:
0 0 * * * certbot renew --quiet
But a certificate that was issued in --standalone mode is also renewed in --standalone mode, so if this task runs while Nginx is active and holding port 80, the renewal fails.
**Correct approach**: Use --deploy-hook in the cron to ensure Nginx reloads after renewal:
0 0 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
Verification command: Manually test the renewal process (won't actually renew, just simulates):
sudo certbot renew --dry-run
# Should show "Congratulations, all renewals succeeded"
Pitfall 5: Missing HTTPS Redirect in Nginx Config
**Symptom**: HTTPS certificate installed successfully, but visiting http://yourdomain.com doesn't auto-redirect to https://yourdomain.com
Root cause: Certificate issuance success doesn't mean your site automatically uses HTTPS. You must manually add redirect rules in Nginx configuration.
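**Solution**: Add a separate port 80 server block to the Nginx config that redirects every request to HTTPS:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # $server_name is the first name listed above, so www requests are redirected to yourdomain.com
    return 301 https://$server_name$request_uri;
}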
Verification command: Test Nginx syntax and reload:
sudo nginx -t # Check config syntax
sudo systemctl reload nginx # Reload configuration
WordPress HTTPS Migration: Mixed Content Issues
Root Cause
Even with an SSL certificate successfully installed, many WordPress sites still show "not secure" over HTTPS. This happens because the page itself loads via HTTPS but some resources (images, scripts, stylesheets) still load via HTTP. This is called "Mixed Content."
Typical browser DevTools errors:
Mixed Content: The page at 'https://yourdomain.com' was loaded over HTTPS,
but requested an insecure script 'http://yourdomain.com/wp-content/plugins/...'.
Solution 1: Database Bulk Replace (Recommended)
WordPress database stores many absolute URLs that need converting from http:// to https://.
Using WP-CLI (cleanest method):
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-plugins --skip-themes
Using Better Search Replace plugin (for non-technical users):
1. Install and activate the Better Search Replace plugin
2. Tools → Better Search Replace
3. In "Search for" enter: http://yourdomain.com
4. In "Replace with" enter: https://yourdomain.com
5. Select all database tables
6. Check "Run as dry run" to test first, then uncheck to execute
Solution 2: WordPress Dashboard Configuration
Force HTTPS in wp-config.php:
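define('FORCE_SSL_ADMIN', true); // serve wp-login.php and wp-admin over HTTPS only
define('FORCE_SSL', true); // not a WordPress core constant; has no effect unless a plugin or theme reads it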
Set site URLs in wp-config.php:
define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');
Solution 3: Check Plugins and Themes for Hard-coded URLs
Some plugins or themes hard-code HTTP resource URLs. Checking method:
1. Search for http:// strings in WordPress theme editor
2. Check wp-content/themes/your-theme/functions.php
3. Check common plugin directories wp-content/plugins/
Common file paths to check:
wp-content/themes/your-theme/functions.php
wp-content/themes/your-theme/header.php
wp-config.php (add after require_once section)
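To see which hard-coded URLs are still left after the database replace, the rendered HTML of a page can be scanned for resources that load over HTTP. This is an added example, not part of the original article; the function names, the sample page and the plugin and theme paths in it are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the article): list sub-resources a page still loads over http://.
# Plain <a href> links and <link rel="canonical"> are ignored: they do not load
# anything into the page, so the browser does not report them as mixed content.
# Not covered: srcset attributes and url(...) references inside CSS.
mixed_content() {
  tr '\n' ' ' |   # tags may span several lines
    grep -oiE "<(script|img|iframe|source|audio|video|embed|link)[[:space:]][^>]*>" |
    grep -iE "^<(script|img|iframe|source|audio|video|embed)|rel=[\"']?[^\"'>]*(stylesheet|icon|preload)" |
    grep -oiE "[[:space:]](src|href)=[\"']http://[^\"']+" |
    sed -E "s/^[^=]*=[\"']//" |
    sort -u
}

# Constructed sample page with three insecure loads and three harmless references.
sample_page() {
  cat <<'EOF'
<html><head>
<link rel='stylesheet' id='theme-css' href='http://yourdomain.com/wp-content/themes/your-theme/style.css' />
<link rel="canonical" href="http://yourdomain.com/" />
<script src="https://yourdomain.com/wp-includes/js/jquery/jquery.min.js"></script>
<script src="http://yourdomain.com/wp-content/plugins/example-plugin/app.js"></script>
</head><body>
<a href="http://example.org/">external link</a>
<img class="logo"
     src="http://yourdomain.com/wp-content/uploads/logo.png">
</body></html>
EOF
}

# Real use: curl -s https://yourdomain.com/ | mixed_content
sample_page | mixed_content
```

Each URL printed points at the theme, plugin or upload that still needs fixing; an empty result means the scanned page has no `http://` sub-resources in its markup.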
Verifying HTTPS Configuration is Correct
Complete Verification Checklist
1. SSL certificate validity: Visit https://www.ssllabs.com/ssltest/ to analyze your site
2. HTTP auto-redirect: Visit http://yourdomain.com in an incognito window, confirm auto-redirects to HTTPS
3. Mixed content check: Press F12 in Chrome → Security panel → check for "mixed content" warnings
4. WordPress admin: Log into wp-admin, confirm address bar shows padlock icon
5. **API call test**: Use curl to test HTTPS response:
curl -I https://yourdomain.com
# Should return HTTP/2 200 or HTTP/1.1 200
Quick Diagnostic Commands
# Check certificate remaining validity
sudo certbot certificates | grep -E "Certificate Name|Expiry Date"
# Check if Nginx is correctly listening on ports 443 and 80
sudo ss -tlnp | grep -E ':(443|80)[[:space:]]'
# Check if certificate files exist
ls -la /etc/letsencrypt/live/yourdomain.com/
Best Practices to Avoid Pitfalls
1. Use the official Certbot configuration generator (https://certbot.eff.org/) — select your OS and web server type for exact commands
2. **Test DNS propagation before requesting the certificate**: Use dig to confirm TXT record is active first
3. Configure Nginx HTTPS listener BEFORE requesting the certificate: Don't use standalone mode competing for port 80
4. **Renewal cron tasks must include --deploy-hook**: Otherwise after renewal Nginx won't reload and your site will error out
5. **Always backup the database before any replacements**: Use wp db export for backup before any changes
Summary
The core pitfalls in WordPress HTTPS configuration are just three:
1. Certificate issuance: Port 80 conflicts, DNS propagation delays, CAA records
2. **Auto-renewal**: Cron task needs --deploy-hook
3. **Mixed content**: Database bulk replace + wp-config.php force HTTPS
Handle these three issues properly and HTTPS configuration is no longer a nightmare.
📌 This article was AI-assisted generated and human-reviewed | TechPassive — An AI-driven content testing site focused on real tool reviews