So you’ve finally installed an SSL certificate on your site, but now you find that you still don’t get the lock in the address bar like you expect. It turns out, this is a pretty common issue. Here’s 3 things to check and fix:
As far as most web servers are concerned, http://yoursite.com and httpS://yoursite.com (note the S in before the :// here) are totally different websites. They can be served based on different files and show different content. By default, the server doesn’t implicitly connect them together in any way.
But that isn’t how most people actually use their site. So what’s the solution? Redirect non-secure traffic to your secure site. Unfortunately for you cPanel users out there, you can’t easily do this through the control panel. You need to manually edit the .htaccess file for your domain.
Rather than put some code that may or may not work for you here, I’ll link to a good resource: http://serverfault.com/questions/214512/redirect-change-urls-or-redirect-http-to-https-in-apache-everything-you-ever – Another option, ask your web host for help. This is simple stuff, so they should be able to do it without any problems.
2. Script URLs
Now you may be seeing a redirect loop, or clicking links on your site may send you back to the non-secure version of the site. This happens because many scripts are pre-configured with their URL when you first install them. WordPress is notorious for this one, and luckily fixing the issue is generally pretty simple. I suggest googling for “SCRIPT change base url” (where SCRIPT is the name of whatever script is running your site. Examples: WordPress, Drupal, or Magento)
If you can’t get into the control panel, and that is the suggested way to make the change, you might want to roll back other HTTPS related changes until you fix the base URL. Editing the DB or a file is usually pretty simple as well.
3. Mixed Content