CloudFlare SSL "Flexible" certificate (the free version) question

Here is what happened. It may have nothing to do with Cloudflare, or maybe I inadvertently ticked a box or something.

Google Ads recommended that I put SSL on my site for my customers' safety. I saw that Cloudflare gave a free SSL certificate for low-level protections. (All financial transactions on my site are handled by Clickbank, I only run banner ads, so customer information protection was not big for me.)

Anyway, to pacify Google I went to Cloudflare and saw that I already had “Flexible” protection. That is their free SSL certificate. I then checked my URLs and noticed that they had an s at the end of the http.
(I did not change any settings in Cloudflare, that I remember; my SSL certificate says it has been the same for 2 years.)
I thought that was fantastic, so I put my landing page URL into Google Ads with the https. I was happy. I thought the problem solved itself.

Now my site does not work. It is blocked by both Chrome and Firefox because of mixed content.

Would changing the SSL to “None” fix the mixed content problem? Then, once I can access the site, I can implement it properly.

Both Chrome and Firefox will allow me to view mixed content, but neither will allow me to send information to the mixed content domain. This means I cannot login to my WP Dashboard to try and fix the problem. (A2 Hosting has a FAQ on how to fix this but only if you can get into your WP Dashboard)

Will turning off the SSL fix it? OR What is the best way to fix it? OR What should I do next? AND most importantly, How do I not make the problem worse? (it is my habit to turn mishaps into calamities)

You mean “Off”? Yes, that would disable TLS altogether, however - unless you enforce HTTPS on Cloudflare’s side - you should still be able to open your site on HTTP even with the current setting.

So what do you think is wrong then? The mixed content idea came from A2 Hosting. What else might be wrong?

Should I try flipping it to “Off” and see?

Thanks for answering.

If you have mixed content you have mixed content. There is not much to discuss in that case, but that should be a pretty obvious error.

What's your URL?

You can try this, but as I said originally, attempting to access it via HTTP should already work at this point. If it doesn't, simply turn HTTPS off.

For clarification, you don't want HTTPS for the encryption but only to please Google, right?

Let me step in for a minute and clear things up.

To answer the original question: setting SSL to Off will remove any HTTPS capability on your site, it won’t solve the issue, it will revert back to your previous state.

To solve the issue you should fix the mixed content errors (you can see a list in the browser’s console, open it and then reload the page just to be sure to see all or try https://www.whynopadlock.com/). They can be fixed by Cloudflare, to some degree, by using the Automatic HTTPS Rewrites option in the SSL/TLS app.

The best way to fix those would be to make sure all external resources (basically all links, excluding href for a tags) are loaded, at least when your site is HTTPS, on a secure connection. They should all be relative (if they are resources in your own domain) or have https:// or // (the double slash is correct, it will use the current protocol, first option is preferred though) at the beginning.

The second-best option (it would work if you have A TON of resources) would be adding an HTTP header like this: Content-Security-Policy: upgrade-insecure-requests or Content-Security-Policy: block-all-mixed-content. The first forces every link to HTTPS; if it doesn’t work it will fail and not load. The second blocks all HTTP requests and prevents them from loading. It can be done via meta tag in the HTML, but it is best to do so as a header.

The next step would be to force all connections to HTTPS (and maybe to a single version, if applicable, between www.example.com and example.com for SEO) to prevent any HTTP connection at all. This can be done via the Always Use HTTPS option in the SSL/TLS app and possibly a page rule (or on the server side, but it would slow things) for the other issue.

EDIT: saw that you use WordPress, you should probably add a page rule removing caching on the admin page. Search in the Community, there are other people that know WP more than me that shared their knowledge.
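An added example, not part of the original thread: a small Python scanner that lists the mixed-content references the reply above describes (subresources requested over http://, ignoring href on a tags) and the https:// form each should take. The sample page and its example.com/example.org URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that load a subresource, per tag. <a href> is navigation, not a
# subresource, so it is deliberately left out (as the reply above advises).
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "embed": ("src",), "link": ("href",),
}

# Constructed sample input: a WordPress-like page served over HTTPS.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="//example.com/wp-includes/js/wp-emoji-release.min.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/banner.jpg">
<img src="/wp-content/uploads/logo.png">
<a href="http://example.org/offer">Offer</a>
<img src="https://example.com/wp-content/uploads/ok.jpg"/>
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in SUBRESOURCE_ATTRS.get(tag, ()) or not value:
                continue
            url = value.strip()
            # Only an explicit http:// scheme is insecure; relative,
            # protocol-relative (//) and https:// URLs are fine.
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, name, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def to_https(url):
    """Same scheme swap that upgrade-insecure-requests asks the browser to do."""
    return "https://" + url.strip()[len("http://"):]


if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> {url} -> {to_https(url)}")
```

Run it against the saved HTML of a page rather than the PHP source; it does not look inside CSS or JavaScript files, which can also request http:// resources.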

I turned on “always use https” in Crypto. (And I updated to TLSv1 because of the “whynopadlock” site's recommendation.)
I used “whynopadlock” and can see that most of my errors are coming from internal pictures.
Maybe now that I have “always on https” there will be less to fix (although WNP did mention an emoji javascript).
I cannot log into my WP Dashboard.
Can I use Filezilla to search everything in my public_html folder and change all the http to https? Otherwise I don’t know how to change the protocol.

Edit to previous post.
The “always on https” seems to have fixed it. I just logged into my WP dashboard.

Now I have access, do I need to do anything inside WordPress?
I have shared resources, I don’t have my own server, I have a shared hosting account.
The “always on https” feature on Crypto, will it add a burden to my limited resources? Is there a way to go into WP and change it manually if it uses a lot of resources?

and

Thank you. You are a big help.

HTTPS does not put additional load on your server.

The easiest way to fix those internal links is to add this line to your .htaccess file:
Header always set Content-Security-Policy: upgrade-insecure-requests

For that I just need to find it in Filezilla and add the line. Thanks to everyone for helping. It was great the way everyone helped.
