LochStudios  /  Help Centre  /  Troubleshooting  /  Fix "Not secure" and mixed-content warnings

Fix "Not secure" and mixed-content warnings

Resolve browser warnings about insecure connections and mixed content by fixing SSL certificates and updating resource URLs.

Updated

When your site shows "Not secure" in the browser address bar or mixed-content warnings, visitors lose trust and modern browsers may block content. Here's how to diagnose and fix these issues.

Understanding SSL/TLS certificates

An SSL/TLS certificate encrypts data between your visitor's browser and your server, protecting passwords, credit cards, and personal information. A valid certificate shows a lock icon and https:// in the address bar.

Without a valid certificate, browsers show a warning and mark the site as "Not secure".

Diagnose the problem

Check your browser

1. Open your site in the address bar (e.g., yourdomain.com).
2. Look at the address bar:
- Lock icon with checkmark = Certificate is valid ✓
- Caution/warning icon = Certificate is invalid or expired
- No icon or "Not secure" = No HTTPS/certificate configured
3. Click the icon to see the certificate details and error message.

Common warnings:

SSL_ERROR_BAD_CERT_DOMAIN
"The certificate is not valid for the requested domain."

SSL_ERROR_RX_RECORD_TOO_LONG
"The server is misconfigured or using the wrong port for HTTPS."

ERR_SSL_PROTOCOL_ERROR
"The SSL/TLS handshake failed."

Mixed Content: The page was loaded over HTTPS, 
but requested an insecure resource 'http://...'

Test your certificate online

Visit SSL Labs or IsMySiteSecure:

  1. Enter your domain.
  2. The tool will check your certificate validity, expiration, and configuration.
  3. You'll see a grade (A+ is best, F is worst) and specific errors.

Fix #1: Install or enable your SSL certificate

If your site has no SSL certificate:

1. Log in to your hosting control panel (cPanel, Plesk, etc.)
2. Look for "SSL/TLS Certificates" or "SSL Manager"
3. If you see no certificate listed, you need to:
- Use a free certificate (e.g., Let's Encrypt via AutoSSL) — most hosting providers offer this
- Purchase a certificate from a vendor if you need a branded/extended validation cert
- Install it by clicking "Install" or "Use" in your control panel

Enable AutoSSL (if available):

  1. In your SSL manager, look for "AutoSSL" or "Let's Encrypt"
  2. Click "Enable" or "Auto-renew"
  3. Select your domain
  4. Click confirm

The certificate will be installed automatically within hours.

Fix #2: Renew an expired certificate

If your certificate shows "Expired" or a date in the past:

  1. Log in to your hosting control panel
  2. Go to SSL/TLS Certificates
  3. Find the expired certificate and click "Renew"
  4. Confirm the renewal (it may be automatic for Let's Encrypt)
  5. Wait 5–15 minutes for the renewal to process

After renewal, clear your browser cache and reload the site.

Fix #3: Fix certificate domain mismatch

If the warning says the certificate doesn't match your domain (e.g., the certificate is for old-domain.com but you're using yourdomain.com):

1. Check what domain(s) your certificate covers:
- Click the warning icon in your browser
- Look for "Subject" or "Certificate details"
- It should match your current domain

2. If it doesn't match, you need a new certificate:
- Delete the old certificate in your hosting control panel
- Install a new one for your current domain
- If using Let's Encrypt, use AutoSSL to generate a new cert for the right domain

3. For wildcard subdomains:
- If you have subdomains (mail.yourdomain.com, shop.yourdomain.com), request a wildcard certificate (*.yourdomain.com)
- Most hosting providers can do this through AutoSSL

Fix #4: Resolve mixed-content warnings

If your site loads but you see "Mixed Content" warnings, you're loading some resources (images, scripts, stylesheets) over insecure HTTP when the page itself is HTTPS.

Browser consoles often block mixed content to protect users.

Find the insecure resources

1. Open your browser's Developer Tools (F12 or right-click → "Inspect")
2. Go to the Console tab
3. Look for warnings like:
```
Mixed Content: The page at 'https://yourdomain.com/' was loaded over HTTPS,
but requested an insecure resource 'http://example.com/image.jpg'
```
4. Note the resource URL (image, script, stylesheet, etc.)

Fix the issue

You need to change all http:// URLs to https:// in your site code:

If your site is HTML/WordPress:

  1. Log in to your file manager or FTP
  2. Search for http:// in your HTML/template files
  3. Replace it with https:// — be careful to only replace external resource URLs, not your domain references
  4. Save and reload

If you're using an external service or CDN:

  • Images hosted on another domain: Update the URL to use HTTPS instead of HTTP
  • Third-party scripts or fonts: Check if the provider offers HTTPS URLs
  • Analytics, tracking, or ads: Most major providers support HTTPS; update the embed code

Database migrations (if applicable):

If your site stores URLs in a database (WordPress, custom app), you may need to update stored URLs:

// Search for URLs starting with 'http://'
// Replace with 'https://'

Your hosting provider can help if you're not comfortable editing the database.

Common sources of mixed content

  • Third-party images or logos loaded from http://
  • Outdated embed codes for videos, maps, or widgets
  • Hardcoded external links in theme files
  • Ads or analytics services using old HTTP URLs

Fix #5: Restart your web server

After installing or renewing a certificate, restart Apache/Nginx to ensure the certificate is active:

Contact your hosting provider and ask them to:
CODE2

Then reload your site in the browser.

Verify the fix

1. Visit your site (https://yourdomain.com)
2. Look for the lock icon in the address bar
3. Click the lock to view certificate details — it should show:
- ✓ Valid domain match
- ✓ Not expired
- ✓ Issued by a trusted CA (e.g., Let's Encrypt, Digicert)

  1. Check the browser console (F12) for any mixed-content errors
  2. Use an SSL checker (SSL Labs) to confirm it's working

Maintenance

  • Let's Encrypt certificates renew automatically — no action needed
  • Paid certificates should renew 30 days before expiration — your hosting provider will notify you
  • Monitor certificate expiration dates in your hosting control panel
  • Update external embed codes if services change their URLs (e.g., Google Maps, YouTube)

When to contact your hosting provider

If the above steps don't resolve the issue:

  • Certificate installation failed
  • Certificate shows valid in the panel but "Not secure" in browser
  • Mixed-content warnings persist after updating URLs
  • You need help updating database URLs or embed codes

Provide them with:
- Your domain name
- The exact warning message from your browser
- Steps you've already taken


Was this article helpful?

← Back to Troubleshooting