Answer these questions to help the Community help you with Security questions.

What is the domain name?

Have you searched for an answer? yes
Please share your search results url:

When you tested your domain using the [Cloudflare Diagnostic Center], what were the results?
Could not find the Diagnostic Center with the URL provided.

Describe the issue you are having:
Until yesterday my website was working fine. Today it gives “mixed content” message in chrome lock (in the url bar) and a lot of ERR_SSL_PROTOCOL_ERROR when trying to log in or log out (but after the error, if you type the website URL, you are succefully logged or logged out in the system).

I use Cloudflare flexible SSL and have no way to install SSL in my serve, that’s why I use flexible. It was working uninterruptedly for years with no problem. Today a lot of user started screaming because of this error.

Always Use HTTPS: ON
Minimum TLS Version: 1.0
Opportunistic Encryption : On
TLS 1.3 : On
Automatic HTTPS rewrites: ON

What error message or number are you receiving?
This site can’t provide a secure connection sent an invalid response.

Have you tried from another browser and/or incognito mode?

Kind regards,

I see a lot of issues with the actual website content and, mixed content, is exactly one of them.

If you click on mixed content, you’ll see a tutorial helping you out on things you can attempt to do and fix, but it’s most definitely unrelated to Cloudflare.

This is something a developer would need to fix, by acting directly on the server. Look at the console logs in the browser and fix issues one by one.

I’ll add that it’s a very bad practice not having any certificate on the origin. Any reasonable server right now has to support certificates in some manner.


Thanks for the answer, Matteo. But this can’t help me with the issue. I’ll try to be more precise.

500 days ago the code in my website was exactly the same (I am not updating it since I am working in an software change), and there was no mixed content problem after passing through Cloudflare.
My original server ever had mixed content, but Cloudflare always could fix this. The problem started 2 days ago. So, 498 day it was working, and suddenly, stopped working.

I have this setting on:
Automatic HTTPS Rewrites helps fix mixed content by changing “http” to “https” for all resources or links on your web site that can be served with HTTPS.

This feature was always on, since the first day I started using Cloudflare. And looks like it was working good for the old days (never had mixed content warning in chrome for me or for my users), and 2 days ago mixed content warnings started appearing. So I cannot understand why you say this problem is unrelated to Cloudflare. Is there some explanation for this feature to be ON and mixed content still being shown?

Thanks for the advice on the certificate on the origin. I am working in an update of my forum to use Discourse (same forum software that feeds this Cloudflare forum), and it will have ssl certificate on the origin.

P.S.: I have to mention that two months ago I changed my Cloudflare plan from PRO to FREE. I was on pro for, at least, three years.

(I had to break my post in two because this system was complaining that “new users can post only 4 links” :scream: and I wasn’t able to post anything. But my post doesn’t have any links… breaking in two was the solution… no logic)

Maybe there was some chrome update in the meantime that changed the way mixed content warnings are thrown?

Why not?

As @matteo already wrote, it is a bad idea to use that legacy mode and you will run into all sorts of issues, as you already do. Plus it is extremely disingenuous of course.

There’s a whole article on why you shouldn’t use it.

It might be that some domain was dropped from the automatic update list, you should have all external links be HTTPS, and all internal ones be relative ones.

It’s unrelated as the list is not managed by Cloudflare itself and it’s a backup solution, you should have links be good by default and have that catch eventual stragglers.

My guess is the automatic mixed content links…

That will be indicated in the console logs from Chrome itself…

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.