SSL certificate & green lock not showing/working

Hi there–

I run a hyper local news site titled “The Berkeley Observer.”

I’m desperately trying to utilize Cloudflare’s free SSL certificate, so that my website shows secure. However, it doesn’t seem to be working.

When I type in the “” the website shows that it’s still not secure. See photo below:

I’m confused by this because I’ve had the free Cloudflare SSL certificate active for a long time. Can anyone tell me what’s going on? I should be seeing the green lock beside the web URL.

Thanks for any assistance,

The certificate appears and works, but as shown in here ( there is mixed content.

EDIT: fixing that is a matter of making sure all those addresses (and everything in all other pages) are served under HTTPS. You can do so on your web server, via a CSP of upgrade-insecure-requests or using Automatic HTTPS Rewrites in the Cloudflare dashboard. These options are in order of best to worst, due to possible issues that could arise if you make it an automatic process.
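
As an added example, not part of the original thread: a small Python scanner that lists the `http://` subresources in a page's HTML, which is what produces the mixed-content warning described above. The sample HTML and its example.org hosts are constructed, and the tag table is a simplification covering the common cases.

```python
from html.parser import HTMLParser

# Tag -> (URL attribute, kind). "active" content (scripts, frames, stylesheets)
# is blocked by browsers on an HTTPS page; "passive" content (images, media)
# has traditionally loaded, but with the padlock removed.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "").strip() for k, v in attrs}
        if tag == "link":
            # Only stylesheet links are checked; other rel values are skipped.
            if "stylesheet" not in attr.get("rel", "").lower().split():
                return
            name, kind = "href", "active"
        elif tag in SUBRESOURCES:
            name, kind = SUBRESOURCES[tag]
        else:
            return  # <a href> and similar are navigation, not subresources
        url = attr.get(name, "")
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (hosts are placeholders).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.org/theme.css">
<script src="https://cdn.example.org/app.js"></script>
</head><body>
<img src="http://images.example.org/logo.png">
<a href="http://example.com/about">About</a>
<img src="/uploads/photo.jpg">
<iframe src="//video.example.org/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Each URL it reports has to be reachable over HTTPS before `upgrade-insecure-requests` or an automatic rewrite can fix it, since the upgraded request has no HTTP fallback.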

Thanks for responding. I tried the automatic HTTPS rewrite in Cloudflare because that seemed like the easiest option…but it doesn’t seem to be working. It seems like that should have solved the problem. :frowning:

Also…on this link you sent:

it’s showing a ton of domains that aren’t mine. Why is that? The only ones on the list that I own are: AND

The automatic HTTPS rewrites, as I said, won’t fix everything, since it needs to be sure that the domain supports HTTPS; you should do that by hand.

As per the domains, I don’t know which you refer to: if it’s the list in the certificate don’t worry, it’s normal and due to the way Cloudflare issues the certificates; if it’s the ones in the errors, they are resources you link to from your page.

I also followed the instructions on the WhyNoPadlock link found here:

I logged into my Bluehost account and added the highlighted portion as seen in the photo…and still no green padlock. :frowning:

Ok…here’s the latest. I’ve gotten it down to two mixed content errors now. However, I can’t find these two problems on the backend of The Berkeley Observer WordPress site at all. Any suggestions?

Thanks for any advice.


As @Matteo mentioned earlier, you can add a header. If you have access to your .htaccess file, add this line:
Header always set Content-Security-Policy: upgrade-insecure-requests

@matteo and @sdayman…you guys ROCK!

The site now has the little green padlock!!!



