diff --git a/cmd/manage/renewtls.go b/cmd/manage/renewtls.go
index bfd672a4..5175e64a 100644
--- a/cmd/manage/renewtls.go
+++ b/cmd/manage/renewtls.go
@@ -15,15 +15,14 @@ import (
 func NewRenewTLS(f factory.Factory) *cobra.Command {
 var force bool
- rtls := &cobra.Command{
- Use: "renewtls",
- Short: "renew tls domain",
- Aliases: []string{"rtls", "rt"},
+ tlsCmd := &cobra.Command{
+ Use: "tls",
+ Short: "check and renew tls",
 Version: "1.2.11",
- RunE: func(cmd *cobra.Command, args []string) error {
+ RunE: func(_ *cobra.Command, _ []string) error {
 return httptls.CheckReNewCertificate(force)
 },
 }
- rtls.Flags().BoolVarP(&force, "force", "f", false, "force renew tls")
- return rtls
+ tlsCmd.Flags().BoolVarP(&force, "force", "f", false, "force renew tls")
+ return tlsCmd
 }
diff --git a/internal/pkg/util/httptls/httptls.go b/internal/pkg/util/httptls/httptls.go
index 99de555f..524d03f6 100644
--- a/internal/pkg/util/httptls/httptls.go
+++ b/internal/pkg/util/httptls/httptls.go
@@ -52,7 +52,7 @@ func checkCertificate(domain string) (bool, error) {
 log := log.GetInstance()
 log.Debugf("start check domain %s certificate", domain)
 tr := &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // nolint:gosec
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: false}, // nolint:gosec
 }
 client := &http.Client{
 Transport: tr,
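Review bot: Removing `Aliases: []string{"rtls", "rt"}` while renaming the command from `renewtls` to `tls` breaks every script or cron entry that still invokes the old names, and nothing in the hunk redirects them. Keeping the old names as aliases costs nothing and preserves compatibility: `Aliases: []string{"renewtls", "rtls", "rt"},` placed next to `Short`. NewRenewTLS is fully visible in the hunk.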
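Review bot: The `// nolint:gosec` directive on the `TLSClientConfig` line is now stale, because `InsecureSkipVerify: false` no longer triggers gosec's G402, and leaving it there means a later flip back to `true` would be silently suppressed by the linter. Either drop the trailing comment, or keep an explicit config that actually tightens something, e.g. `TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},`. With verification enabled the client validates the server chain against the system roots, so verification failures now surface as errors from `client.Get` and the calling code must be prepared for them. checkCertificate continues past the end of the hunk.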
@@ -60,14 +60,20 @@ func checkCertificate(domain string) (bool, error) {
 }
 resp, err := client.Get(domain)
 if err != nil {
+ if strings.Contains(err.Error(), "x509: certificate is valid for ingress.local") {
+ log.Warnf("domain %s use self-signed certificate", domain)
+ return true, nil
+ }
 return false, err
 }
 defer func() { _ = resp.Body.Close() }()
 for _, cert := range resp.TLS.PeerCertificates {
+ // 证书过期已过期
 if !cert.NotAfter.After(time.Now()) {
 log.Warnf("domain %s tls expired", domain)
 return true, nil
 }
+ // 证书过期时间在7天内过期
 if cert.NotAfter.Sub(time.Now()).Hours() < 7*24 {
 log.Warnf("domain %s tls expire after %fh", domain, cert.NotAfter.Sub(time.Now()).Hours())
 return true, nil
diff --git a/pkg/quickon/quickon.go b/pkg/quickon/quickon.go
index 4028fa03..0175895b 100644
--- a/pkg/quickon/quickon.go
+++ b/pkg/quickon/quickon.go
@@ -258,7 +258,7 @@ func (m *Meta) Init() error {
 for {
 if file.CheckFileExists(defaultTLS) {
 m.Log.StopWait()
- m.Log.Done("download tls cert success")
+ m.Log.Done("detect tls cert file success")
 if err := qcexec.Command(os.Args[0], "experimental", "kubectl", "apply", "-f", defaultTLS, "-n", common.GetDefaultSystemNamespace(true), "--kubeconfig", common.GetKubeConfig()).Run(); err != nil {
 m.Log.Warnf("load default tls cert failed, reason: %v", err)
 } else {
@@ -273,9 +273,11 @@ func (m *Meta) Init() error {
 m.Log.Debug("wait for tls cert ready...")
 time.Sleep(time.Second * 5)
 trywaitsc := time.Now()
- if trywaitsc.Sub(waittls) > time.Minute*3 {
+ if trywaitsc.Sub(waittls) >= time.Minute*5 {
 // TODO timeout
- m.Log.Debugf("wait tls cert ready, timeout: %v", trywaitsc.Sub(waittls).Seconds())
+ m.Log.Warnf("wait tls cert ready, timeout: %v", trywaitsc.Sub(waittls).Seconds())
+ cmd := fmt.Sprintf("%s pt tls", os.Args[0])
+ m.Log.Warnf("wait cluster install success, please use cmd check: %s", color.SGreen(cmd))
 break
 }
 }
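Review bot: Matching the error text with `strings.Contains(err.Error(), "x509: certificate is valid for ingress.local")` is brittle: the message is not part of Go's API and a placeholder certificate issued for any other name misses the branch, whereas `errors.As` against `x509.HostnameError` is the reliable check for a name mismatch. More importantly, now that the transport verifies certificates, an expired certificate fails inside the handshake and `client.Get` returns a verification error (on the pure-Go verifier an `x509.CertificateInvalidError` with `Reason == x509.Expired`), so the `!cert.NotAfter.After(time.Now())` branch below is no longer reachable for such a domain and the function reports an error instead of requesting renewal. The rewrite below handles both cases in the error path and needs `crypto/x509` and `errors` imported; whether an untrusted self-signed chain (`x509.UnknownAuthorityError`, which the Go verifier reports before it checks the hostname) should also trigger renewal is a policy call that the current "self-signed certificate" message implies but the code does not implement. The two new comments `// 证书过期已过期` and `// 证书过期时间在7天内过期` should be English, matching the rest of the file. checkCertificate continues past the end of the hunk.
```go
resp, err := client.Get(domain)
if err != nil {
	var hostErr x509.HostnameError
	var invalidErr x509.CertificateInvalidError
	switch {
	case errors.As(err, &hostErr):
		// the served certificate was issued for another name; a real one is needed
		log.Warnf("domain %s certificate is not valid for host %s", domain, hostErr.Host)
		return true, nil
	case errors.As(err, &invalidErr) && invalidErr.Reason == x509.Expired:
		// verification now happens in the handshake, so expiry never reaches the NotAfter loop below
		log.Warnf("domain %s tls expired", domain)
		return true, nil
	}
	return false, err
}
// … unchanged: body close and NotAfter loop …
```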
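Review bot: The `// TODO timeout` comment is kept although the branch it annotates now implements the timeout; it should be replaced by a comment stating the policy, e.g. `// wait up to 5 minutes for the default TLS secret to appear, then stop waiting and tell the user how to re-check`. The added lines call `fmt.Sprintf` and `color.SGreen`, and the hunk does not show the import block, so confirm both packages are imported in quickon.go. Init starts before the hunk, and `waittls` and `defaultTLS` are declared outside it.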