ScottSwezey.com

Webmaster, Software dev, Business owner, Y2K Survivor,  User

Debugging a new SSL cert: Three common pitfalls

So you’ve finally installed an SSL certificate on your site, but now you find that you still don’t get the lock in the address bar like you expect. It turns out, this is a pretty common issue. Here’s 3 things to check and fix:

1. Redirects

As far as most web servers are concerned, http://yoursite.com and httpS://yoursite.com (note the S in before the :// here) are totally different websites. They can be served based on different files and show different content. By default, the server doesn’t implicitly connect them together in any way.

But that isn’t how most people actually use their site. So what’s the solution? Redirect non-secure traffic to your secure site. Unfortunately for you cPanel users out there, you can’t easily do this through the control panel. You need to manually edit the .htaccess file for your domain.

Rather than put some code that may or may not work for you here, I’ll link to a good resource: http://serverfault.com/questions/214512/redirect-change-urls-or-redirect-http-to-https-in-apache-everything-you-ever – Another option, ask your web host for help. This is simple stuff, so they should be able to do it without any problems.

2. Script URLs

Now you may be seeing a redirect loop, or clicking links on your site may send you back to the non-secure version of the site. This happens because many scripts are pre-configured with their URL when you first install them. WordPress is notorious for this one, and luckily fixing the issue is generally pretty simple. I suggest googling for “SCRIPT change base url” (where SCRIPT is the name of whatever script is running your site. Examples: WordPress, Drupal, or Magento)

If you can’t get into the control panel, and that is the suggested way to make the change, you might want to roll back other HTTPS related changes until you fix the base URL. Editing the DB or a file is usually pretty simple as well.

3. Mixed Content

So now you can see the site over HTTPS, but the lock still won’t show up? It’s possible your site contains mixed content, which is a fancy way of saying that it shows secure and unsecure content on the same page. This may be the hardest to fix since it can be very dependent on your script, theme, and other customizations. The key take away is this: You need to ensure everything image, javascript, css file, and other asset is accessed over HTTPS. If in doubt, try clicking the lock and seeing if your browser can show you any hints as to the issue or which assets are not being feteched securely.

You can't comment here, but I am active on Twitter. Just mention @ScottSwezey to get in touch.