SSL cert will not stay on, tried fixing mixed content errors

ssl

#1

Hello anyone,

I have been trying to figure this out for a week. My site forthawksupply.com will not keep the https:// it starts to resolve to https:// but then breaks and Chrome says i-circle (not secure). I followed several YouTube videos and have searched the internet. The setup plugins are Cloudflare and Really Simple SSL. It looks to me like it is either a mixed content issue or a 301 redirect.

Settings I have are Flexible/Automatic HTTPS Rewrites in Cloudflare
clicked Applied, Optimize Cloudflare for WordPress
Really Simple SSL Settings are:

  • Auto replace mixed content
  • Enable WordPress 301 redirection to SSL
  • Enable Javascript redirection to SSL
    I even once tried to “Enable 301 .htaccess redirect” and copied some code from one of my another sites .htaccess to see if it would stay redirected.

I have disconnected any cache plugins I had
I tried using SSL Insecure Content Fixer
I even tried the Force HTTPS plugin

I have purged the Cloudflare plugin cache after every change.
How can I be sure it is “mixed content” which is highly likely and fix it? I have used the web extension for developer tools but I can’t see any errors?

Any advice/direction is greatly appreciated.


#2

Right now, I’m getting a 502 error, so your host currently isn’t responding to Cloudflare.

I see you’ve tried several approaches, including “Automatic HTTPS Rewrites.” You didn’t mention it, but also make sure you have “Always Use HTTPS” enabled in the Crypto page.

Once you get your site back up, post back so we can take a look at what’s causing the errors.


#3

The domain is responding to me, but you have mixed content (10 images on the home page which seems to be the only problem).

I would try first forcing HTTPS on your backend, like using an HTTPS base domain, usually the Automatic HTTPS Rewrites work well for this kind of scenario though.

The website also replies extremely slowly for me (~2 seconds for the HTML).

https://www.whynopadlock.com/results/66cf99f7-6772-4a91-a6a2-febee45a4ca0


#4

Thank you @sdayman for replying. I have the site back up. I think because I was frequently changing the settings I was ddosing myself.

This comment:
“You didn’t mention it, but also make sure you have “Always Use HTTPS” enabled in the Crypto page”

I did this, but I have 3 other sites that I didn’t enable this and all 3 work fine. I left this enabled but now… like @matteo said I have 10 mixed content errors. They are all media but now I am stuck trying to fix this.

None of these 3 plugins worked, (Forced HTTPS/Really Simple SSL/Insecure Content Fixer) none of them work. I have looked in the Media tab in Wordpress all the content is marked https://

I am not really sure where to look to change the content. I will try looking in the database and my .htaccess to see if there is anything I can do to change them all. Any ideas would also be a great help.

Thanks matteo and sdayman


#5

Obviously they work, but they probably won’t have HTTPS enabled and won’t redirect to it, unless you have the same setting somewhere else.

Are you sure you have Automatic HTTPS Rewrites enabled in the dashboard, if the domain is the same this setting changes all mentions to https://, automatically.

The last option is deploying a Content Security Policy (here is the Header, also available as an HTML Meta tag, see below in the video):

Content-Security-Policy: upgrade-insecure-requests

You can also watch the 3rd part in this series, created by @troyhunt, which is ideal for setting basic HTTPS:


#6

Excellent tut homie,

I was about to use Better Search Replace and “hard-code” https:// and possibly break my stuff. Excellent. I hope I don’t speak too soon and have it fail again?

This isn’t a heavy site so I might venture on and see if I can do the whole tut to the site. I have basic understanding but I am in no way a coder.

Lastly,

Yes I have that enabled for all 4 of my sites. I can’t answer why it did not change all the content.

Maybe?? it was the “Really Simple SSL” plugin? I say this because it added code to my other site’s .htaccess but not this site.

But it was code for a 301 redirect which isn’t what fixed the error. So? …no clue??

Code:
RewriteCond %{HTTP:X-Forwarded-Proto} !https <<<???
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Anyway…

Thanks @matteo and thanks @sdayman

Respectfully,


#7

You shouldn’t hard code, you should use relative paths if at all possible. That will solve all the problems.

For the HTTPS Rewrites it should change all http:// instances to https:// for all known websites that support it.

The code you have there is an https:// redirect done on the server. If you have the SSL settings set to Flexible it will cause issues as an infinite loop. You need to perform the redirect only on one side of the back end: or your server or on Cloudflare.

Unfortunately I know very little about Wordpress…


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.