SSL Mixed-Content Issue in WP-Admin (multisite)

wordpress
plugins
multisite

#1

Hi, I am in a multisite environment. SSL is enabled (flexible) and Automatic HTTPS Rewrites & Always use HTTPS are enabled too. SSL works for the front-end of all domains, but the Admin Area of only the Primary Domain gets the green padlock; the others get a mixed content warning (WP is calling core WP JS & Images via http).

Can anyone help me to fix this (get rid of mixed content in Admin Area)?


#2

Hi there. I haven’t run WP multi-site in quite a while (so I don’t have a test environment right now) but have you tried adding define('FORCE_SSL_ADMIN', true); to wp-config.php ?

I’m under the impression this will force logins and wp-admin to HTTPS but I’m not certain what will happen when you enable this for multi-site so test at your own risk!


#3

Hi, thanks for your reply, I have tried this but it doesn’t make any difference.

Problem is that, admin section IS loading via SSL but calling to WP JS/Images via http instead of https


#4

Did you view the source of the wp-admin page to find the offending http:// links?

I’m curious if you have your site URLs set to https:// ?

I set up a multisite instance and ran into this issue almost immediately. I have the exact same Cloudflare settings: flexible SSL, Always use HTTPS and Automatic HTTPS Rewrites enabled. Here’s what I did to fix it:

  1. Install Cloudflare Flexible SSL Wordpress plugin
  2. ACTIVATE ^ this ^ plugin
  3. Dig into wordpress database via phpmyadmin or command-line to find the wp_options table
    • Change siteurl and home to https:// instead of http://
  4. Test
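Post #4 suggests viewing the wp-admin page source to find the offending http:// links. The following is an added example, not part of the thread, that does this for a saved copy of the page, including JSON-escaped URLs in inline scripts such as the wp-emoji settings. The host `site2.example` and the sample markup are constructed, and the inline-script match is a heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource (<a href> is navigation).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that load a file
ACTIVE = {"script", "iframe", "link"}          # browsers block these outright
# http:// or JSON-escaped http:\/\/ inside inline scripts (heuristic).
INLINE_URL = re.compile(r"""http:\\?/\\?/[^\s"'<>]+""")

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.in_script, self.findings = page_url, False, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_script = tag == "script"
        rels = set((attrs.get("rel") or "").lower().split())
        raw = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not raw or (tag == "link" and not rels & LINK_RELS):
            return
        # Resolve relative and protocol-relative (//host/x) URLs first.
        url = urljoin(self.page_url, raw.strip())
        if urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((self.getpos()[0], tag, kind, url))

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        for m in INLINE_URL.finditer(data if self.in_script else ""):
            line = self.getpos()[0] + data.count("\n", 0, m.start())
            url = m.group().replace("\\/", "/")
            self.findings.append((line, "script", "inline", url))

def find_mixed_content(html, page_url):
    """Return (line, tag, kind, url) for each http:// reference found."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample resembling a wp-admin page behind Flexible SSL.
SAMPLE = """<img src="http://site2.example/wp-admin/images/wordpress-logo.svg">
<script>window._wpemojiSettings = {"source":{"concatemoji":
"http:\\/\\/site2.example\\/wp-includes\\/js\\/wp-emoji-release.min.js"}};</script>"""
```

Calling `find_mixed_content(SAMPLE, "https://site2.example/wp-admin/")` reports the image as passive mixed content and the emoji script URL as an inline reference, each with its source line.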

#5

Tried, and it made the website http (https redirected to http too)
and admin area was on redirect loop, even after disabling “Automatic HTTPS Rewrites” in cloudflare.

Admin area is still loading images & wp-emoji.js via http
other resources (css & js) are loading via https


#6

URLS are all set to http:// in Wordpress

What else could there possibly be wrong to be causing this issue besides Cloudflare then? If Cloudflare is supposed to be calling all the pages of a site and re-serving them under https:// but it isn’t doing that, perhaps it’s Cloudflare that’s the problem? How could I test to see if it is?


#7

It sounds like you want everything on your server using HTTP, while using Cloudflare to convert everything to HTTPS.

How about setting: define('FORCE_SSL_ADMIN', false);

Once you feel you’ve cleared all HTTPS internal references to your site(s), I suggest you grey-cloud your DNS entries and test to make sure everything is strictly HTTP.

If that’s all working correctly, then you should be able to get back on Cloudflare.

I’m sure you feel like you’re going in circles trying to get this sorted out, which is why I’m advising to leave Cloudflare out of the loop while you back up and create a consistent HTTP environment on your server.

Out of curiosity, you don’t have an option on your server to install its own SSL certificate so you can run SSL Full?


#8

Yes I do have a cPanel option to install my own certificates but instructions are skimpy at best and so far my attempts at doing so haven’t helped anything. My understanding is that I should use the Full option with a self-signed SSL certificate and Full(strict) with a ‘valid SSL certificate’. So my questions would be:

  1. Aren’t they ALL ‘valid’? So what EXACTLY is needed to run Full(strict), what are the special conditions? Can I use the free certificates from Cloudflare or can I use Let’s Encrypt certificates, or must I pay for them somewhere?

  2. What kind of certificates exactly are the free ones from Cloudflare, and can I even install them on my cPanel?

  3. Is there any benefit to using Cloudflare’s DNS if I’m NOT using their SSL certificates installed on my cPanel?

  4. Is there any benefit to using Cloudflare’s DNS if I’m NOT using their Flexible option to support SSL in the reverse-proxy way they do?

Thanks for your assistance :slight_smile:


#9

  1. Yes, they’re all valid, but offer different levels of end-to-end security.
    https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

  2. Cloudflare can supply a Cloudflare Self-Signed certificate on your server that Cloudflare would recognize as Full (Strict). Or you can use Let’s Encrypt (also Strict).
    https://support.cloudflare.com/hc/en-us/articles/224985668-How-to-install-an-Origin-CA-certificate-in-cPanel

3 & 4) If you use Cloudflare’s DNS in orange-cloud mode, you get full site protection and caching (all of Cloudflare’s cool features from the Free plan). If it’s grey-cloud, you won’t get the security and performance features, but you’ll have blazing quick and robust DNS. SSL is one of the many features available to you in orange-cloud mode.


#10

Thanks for your advice. First I turned off SSL in Cloudflare for all the domains on the Multisite and clicked the orange clouds to gray ones under DNS for the two most important domains I’m trying to set up, and the sites all worked fine under http://. Then I followed the instructions for just one of the domains at https://support.cloudflare.com/hc/en-us/articles/224985668-How-to-install-an-Origin-CA-certificate-in-cPanel and followed the ‘Using Cloudflare Dashboard’ option and then the procedure for ‘Installing the Origin CA Certificate in cPanel’ to obtain a happy message from cPanel of ‘SSL Host Successfully Installed. You have successfully configured SSL. The SSL website is now active and accessible via HTTPS: on this domain: [showing the domain with a preceding * to indicate it supported all subdomains]’. That text was followed in the same popup box by a somewhat ambiguous message saying "The SSL certificate also supports these domains, but these domains do not refer to the SSL website mentioned above: Cloudflare Origin Certificate, [and the ROOT domain of the wildcard domain shown just above]. So with that ambiguous message it’s NOT QUITE CLEAR if the root domain should work under SSL now or not, but when I tested it at that point, it didn’t work, with the redirect errors I’ve become accustomed to seeing.

Assuming however that the ambiguous message meant that SSL would theoretically work for the root domain I figured there were probably some unstated requirements that I still had to figure out to actually make it work, and went on to remove ‘define('FORCE_SSL_ADMIN', false);’ from wp-config.php (after having earlier tested ‘define('FORCE_SSL_ADMIN', true);’ without any benefit, and there being other domains and subdomains on that Multisite install that are NOT using SSL anymore which I didn’t want to cause conflicts with). Removing that command from wp-config.php didn’t help anything though, the site still didn’t work.

So, still following the trails of randomly scattered partial instructions that are all over the web that I have tried numerous combinations of before, I tried setting the SiteURL and Home settings in Wordpress to https://, but that was without any effect. Then I went back to Cloudflare and enabled Full(strict) SSL for the domain and made sure its DNS records had orange clouds instead of gray ones, and Voila! – Now I get this error: ‘Error 526 Ray ID: 3bbf6d990f1e0ef7 • 2017-11-11 07:09:48 UTC Invalid SSL certificate’ which didn’t go away or change when I put the SiteURL and Home settings in Wordpress back to http://. Strangely, this error shows up under https:// for the domain, even with a green lock! It just seems so absolutely absurd to be showing https:// with a green lock on a page reporting an ‘Invalid SSL certificate’, I don’t know what to think. Is this a Cloudflare-only thing, or would SSL certificates from other outfits perform with the same absurdity? I only have so many years left to test all the potential combinations of things, I have to focus down.

It would be logical that Cloudflare should have SSL turned on for a domain running its own certificate and that SSL should then work too, but since there does not seem to exist a coherent set of start-to-finish instructions anywhere for how to accomplish this (certainly not for Wordpress Multisites!), logic doesn’t necessarily have to apply. Cpanel had said SSL was ready to go too but maybe there are special conditions for Cloudflare? I’m reluctant to change nameservers to test this with some other DNS provider and maybe Cloudflare’s certificates only work when DNS is managed by Cloudflare? – there are so many basic questions for which no answers are discoverable except by asking seasoned pros like you who’ve either been tutored by someone or worked through all the myriad combinations of settings to find out for yourself through trial and error what actually works.

BTW, [email protected] is completely nonresponsive. I’m starting to think that Cloudflare is the reason for the problems I’m experiencing, is that possible or likely? Can you suggest a more reliable way to enable SSL on my Wordpress Multisite besides paying someone else to do it for me?


#11

Remember that the Cloudflare SSL certificate you installed via cPanel only works when you use Cloudflare in orange-cloud mode. It’s effectively a self-signed certificate that browsers won’t recognize.

That error message with the Ray ID should be enough for Cloudflare Support to track down the problem. If that email address didn’t work, I suggest you log in at support.cloudflare.com and manually submit a ticket.

Multisite definitely seems to be the challenge here, but cPanel may also influence this behavior. Theoretically, it should behave like Server Blocks, where the server routes all the requests to the correct domain/subdomain, and Cloudflare will be none the wiser.

I don’t have a test environment with cPanel to track down what’s happening. Does cPanel also have an option to install Let’s Encrypt certificates instead? If so, I’d grey-cloud the domain and see if you can get HTTPS working that way.