
SSL, or Secure Sockets Layer protocol, helps protect information that is exchanged between a server and a client.

For more information about what SSL is, see our Secure Server (SSL) Information article.

Possible Reason: SSL Enabled, But No Certificate

What is it?

An SSL certificate is required for SSL sites to be considered secure. There are server features to turn on SSL and servers that come with SSL enabled, but both still require an SSL certificate to be secure.

Is it happening to me?

If you haven’t purchased an SSL certificate or enabled Let’s Encrypt, then this is most likely the reason your site is insecure.

How to fix

You will either need to buy an SSL certificate or enable Let’s Encrypt to secure your website. You can do either in the Manage Your SSL section of your Account Control Center.

Possible Reason: Your SSL Certificate Expired

What is it?

SSL certificates are only valid for a limited time. A certificate expires if it’s not renewed, which will cause the site to become insecure.

Note: Let’s Encrypt certificates renew automatically, so this is unlikely to be the cause for Let’s Encrypt certificate problems, unless you have made recent changes to your domain configuration.

Is it happening to me?

Check the Manage Your SSL section in your Account Control Center. The Manage Your SSL interface keeps track of your certificates and will tell you when one is expired.

How to fix

If it’s not too long after the expiration date, you may be able to renew it. However, after a certain amount of time, the certificate becomes non-renewable. If this happens, you will have to either buy a completely new SSL certificate or enable Let’s Encrypt.

Possible Reason: Non-Secure Links/Resources

What is it?

Non-secure links or resources can cause the page to be flagged as non-secure, even if it has an SSL certificate. Make sure the following are loaded securely:

  • Images
  • Cascading style sheets (CSS)
  • JavaScript

You can check to see if these things are secure by checking how they’re linked in your code. Secure external links begin with https, while non-secure links begin with http. Local content that uses a relative path will automatically adopt SSL when it is installed on a domain.

Is it happening to me?

If none of the earlier possible reasons were the problem and you have images, CSS, or JavaScript files, you should double-check their links. If you see that you have unsecured links, this is most likely the problem.

How to fix

If you find any links that are http, you need to make them secure. 

To fix unsecured links, you need to make sure that your HTML code either calls locally hosted elements via a relative path, such as:

/images/logo.png

/includes/script.js

Or, if they’re called by their absolute path, you need to be sure the link includes the https.

https://mydomain.com/images/logo.png

https://mydomain.com/includes/script.js

Likewise, if you are using a CDN for resources on your website, you should check the CDN and make sure it is operating over SSL.
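One way to run this check over a whole page, as an added example that is not part of the original article: a Python script that parses HTML and reports images, style sheets and scripts referenced over http. The function and class names, the tag list, the sample page and the cdn.example host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose attribute makes the browser fetch a resource (assumed, not exhaustive).
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}
# <link> only fetches for rel values like these; rel="canonical" fetches nothing.
FETCHING_RELS = {"stylesheet", "icon", "preload"}

class MixedContentFinder(HTMLParser):
    """Collects (line, tag, url) for resources the page would load over http."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: a hyperlink, not a loaded resource
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        url = (attrs.get(attr) or "").strip()
        # Relative paths and //host/path URLs have no scheme and follow the page.
        if urlsplit(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, url))

def find_insecure_resources(html):
    """Return a list of (line, tag, url) for every http:// resource in html."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, not taken from a real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://mydomain.com/includes/style.css">
<link rel="canonical" href="http://mydomain.com/">
<script src="/includes/script.js"></script>
</head><body>
<img src="https://mydomain.com/images/logo.png">
<img src="HTTP://mydomain.com/images/banner.png">
<script src="//cdn.example/lib.js"></script>
<a href="http://mydomain.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_resources(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Each reported line is a reference to change to https or to a relative path.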

Possible Reason: Let’s Encrypt isn’t Configured Correctly

What is it?

The Let’s Encrypt certificate process is automatic, making it easier and faster for customers to put Let’s Encrypt on their domain. However, because the process is automatic, adding a Let’s Encrypt certificate isn’t always successful. This could just be a run-of-the-mill error that is fixed on the second attempt or an actual problem with the domain that will keep Let’s Encrypt from installing. If the Let’s Encrypt process reaches ten unsuccessful tries, it will halt the process.

However, Let’s Encrypt is still enabled on your domain. It may look like your certificate was successfully generated, but it was not.

Is it happening to me?

You can go to your Manage Your SSL section of your Account Control Center and check your domain. Secure domains have a green lock next to their name. Insecure domains have a red lock. If the domain’s lock is still red, but Let’s Encrypt is already enabled, it is likely that your domain was not issued a Let’s Encrypt certificate.

How to fix

If the Let’s Encrypt automatic process failed, it is likely that your domain is not configured correctly. Double check your domain and make sure everything is in place. For help, see our Troubleshooting: Let’s Encrypt article.