Introduction

A site can have valid HTTPS and still fall back to HTTP/1.1 when you expected HTTP/2. Pages load, certificates look fine, and there may be no obvious error until performance checks or browser tools show that HTTP/2 is missing. This usually points to TLS negotiation, proxy behavior, or web server configuration rather than a general SSL outage. The fix is to verify whether HTTP/2 is enabled end to end and whether ALPN negotiation is actually succeeding.

Symptoms

  • Browser or performance tools show HTTP/1.1 instead of HTTP/2
  • The site has a valid certificate, but HTTP/2 is not negotiated
  • The issue started after changing proxies, TLS settings, or load balancers
  • Only some hostnames or environments lose HTTP/2 support
  • Performance dropped even though HTTPS itself still works

Common Causes

  • HTTP/2 is not enabled on the active HTTPS virtual host or listener
  • TLS configuration does not support the protocol combination needed for HTTP/2 negotiation
  • A reverse proxy, CDN, or load balancer terminates TLS and downgrades traffic
  • ALPN negotiation is disabled or broken on the serving layer
  • The wrong server block, certificate binding, or port configuration handles the request

Step-by-Step Fix

  1. Confirm which layer is expected to serve HTTP/2, because the browser only sees the edge that terminates HTTPS.
  2. Check browser developer tools or protocol tests to verify whether the site is truly falling back to HTTP/1.1.
  3. Review the active HTTPS listener or virtual host and confirm HTTP/2 is enabled on the same endpoint receiving traffic.
  4. Inspect TLS settings for protocol and cipher compatibility, because broken negotiation can prevent HTTP/2 even when HTTPS still works.
  5. If a reverse proxy, CDN, or load balancer sits in front of the origin, verify whether it supports HTTP/2 and whether it is downgrading connections by design.
  6. Confirm ALPN negotiation is available and not disabled by an outdated TLS stack or conflicting security setting.
  7. Check that the intended hostname is using the right certificate binding and server block rather than a fallback HTTPS configuration.
  8. Re-test after reloading the affected service and compare results at both the edge and origin where relevant.
  9. Keep TLS, proxy, and protocol settings documented together so future HTTPS changes do not silently disable HTTP/2 support.
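
A quick way to carry out steps 2, 5, 6 and 8 from a terminal, as an added example that is not part of the original article: the script offers h2 and http/1.1 through ALPN, reports what the edge and (optionally) the origin select, and maps the result to the steps above. The function names, the script name, and the hostname and origin address passed on the command line are assumptions, and the mapping in diagnose() is a heuristic.

```python
import socket
import ssl
import sys


def negotiated_alpn(connect_to, sni, port=443, timeout=5.0):
    """TLS-handshake with connect_to:port, sending `sni`, and return the
    ALPN protocol the server selected ("h2", "http/1.1", or None)."""
    ctx = ssl.create_default_context()            # certificate checks stay on
    ctx.set_alpn_protocols(["h2", "http/1.1"])    # what a browser offers
    with socket.create_connection((connect_to, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.selected_alpn_protocol()


def diagnose(edge, origin=None):
    """Map probe results to the checks in the steps above (heuristic)."""
    if edge == "h2":
        return "ok: edge negotiates HTTP/2"
    if origin == "h2":
        return "edge downgrade: origin offers h2, edge does not (step 5)"
    if edge is None:
        return "no ALPN selected at edge: check ALPN support in its TLS stack (step 6)"
    return "edge chose %s: check HTTP/2 on the listener and server block (steps 3, 7)" % edge


if __name__ == "__main__":
    # Usage (hypothetical values): python alpn_check.py www.example.com [origin-ip]
    host = sys.argv[1]
    edge = negotiated_alpn(host, host)
    # The origin is reached by address but still sent the public hostname as SNI,
    # so the same server block and certificate binding are exercised.
    origin = negotiated_alpn(sys.argv[2], host) if len(sys.argv) > 2 else None
    print("edge:", edge, "origin:", origin)
    print(diagnose(edge, origin))
```

An origin that answers http/1.1 while the edge answers h2 is not a fault by itself, because the browser only sees the layer that terminates HTTPS.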