Greetings everyone. Don’t really know what I’m doing with this, but recently set up this account to secure a website with SSL. I changed the name servers to point here and I now can see all the DNS stuff stored here. The main page says it is applying a Universal cert and when I go to https://address I get the little green padlock next to the address but I don’t get the website, just a placeholder screen. Whereas if I go to the http://address I get the website but with a warning that the site is not secure. Have I left some important box unticked, or missed a step?
Until your Universal Certificate becomes Active, you can only use HTTP, which Chrome now flags as “Not Secure.”
Certificate activation should take less than 24 hours. If it takes longer than that, login to Cloudflare and then contact Cloudflare Support.
Thanks for your reply. The SSL/TLS app says Universal SSL Status - Active Certificate
- What’s your SSL setting on the Crypto page? Is it Flexible, or Full?
- Does your server have its own SSL certificate? If so, you were probably using it before switching to Cloudflare.
SSL setting is Full.
Not sure about the web server - I was told it didn’t have one, but I suppose that might be wrong.
If it doesn’t have one, you should use Flexible SSL.
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-
OK - changing to Flexible definitely seems to have helped. I am getting to the site now, although it is showing up as Not Secure.
If you’re using HTTPS and it’s “not secure,” you probably have Mixed Content:
https://support.cloudflare.com/hc/en-us/articles/200170476-How-do-I-fix-the-SSL-Mixed-Content-Error-Message-
Is that what it means when it says “Parts of this page are not secure (such as images)”?
Exactly. Some steps to help:
On your Cloudflare Crypto page, make sure “Always Use HTTPS” is turned on, as well as “Automatic HTTPS Rewrites.” That takes care of most, if not, all of the mixed content.
An additional step would be to add the following line to your .htaccess file:
Header always set Content-Security-Policy “upgrade-insecure-requests;”
Thank you very much, that seems to have done the trick!
This topic was automatically closed after 31 days. New replies are no longer allowed.