Hello,
I just set my website up with the free ssl from cloudflare. After everything is set up, the page is still not secure.
If I enter with https://, I get “your connection is not private - NET::ERR_CERT_COMMON_NAME_INVALID”. If I enter without https://, I just get the not secure instead of padlock.

Settings are on flexible, and https always on.
Nameservers are changed, wordpress plugin activated etc.

Site: philipsundt.com

Results from WNP: https://www.whynopadlock.com/results/819de25a-527c-4549-95b6-ea8061b2cc32

Please help, thank you!

The Cloudflare part of it works. But the host end is not correct.

Screen Shot 2020-05-14 at 12.40.51 PM1348×820 93.9 KB

For somebody that has 4 hours of experience with websites - can you explain what that means, and what I need to do? Thank you, really appreciate it

First of all, congratulations on surviving your first four hours.

You’ve added SSL to your domain at Cloudflare. Great. Now your visitors can use HTTPS. But your host, the other end of the connection, does not have SSL, so your visitors aren’t getting an end-to-end HTTPS connection.

Your host, in an effort to squeeze every last dollar out of you, wants to charge you $30 to add SSL to their end for your website. Nice hosts don’t do that because they can get SSL for free from Let’s Encrypt.

Thanks, I feel completelt lost though, hehe.

I assume we are talking about freehosting.com here?

Does this mean that as long as I have them as my host, I wont be able to secure my website with SSL (if I don’t pay $30)?

If that’s the host you’re using. Maybe that’s how they make their money. But without SSL on the server, your visitors won’t get a completely secure connection.

Ah, forgot to mention the host in the initial post.

What about setting SSL settings on flexible? Says it’s between the browser and cloudflare. That would take the host out of the mix no? Not as secure maybe, but it’s better than nothing, right?

First, thank you for your incredible help!

For now I cannot afford to pay $30 for SSL. There is no sensitive info on my page - no passwords, credit card info… nothing - so I guess flexible has to be fine for now.

You say that visitors will see the padlock - well, I don’t - why?
As I said in my initial post: If I enter the domain with https://, I get to

" Your connection is not private

Attackers might be trying to steal your information from www.philipsundt.com (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_COMMON_NAME_INVALID", and if I enter the domain without https://, I see the i with the circle “Your connection to this site is not secure”

How come the padlock is not there?

As it’s been five hours at this point (more or less), your local DNS might not be fully up to date and is still connecting to the original non-Cloudflare IP address of your site. Major DNS changes, such as moving a domain to Cloudflare, can take up to 48 hours before the whole wide world gets the same answer.

Flexible makes security people cringe. So badly that some consider it deceitful and less-than-secure, as you’re telling your visitors it’s secure when it’s not quite so. It’s your choice.

This topic was automatically closed after 30 days. New replies are no longer allowed.