Question from Carol: I have a blog and my web host recently installed a free Let’s Encrypt security certificate on it for me.
I can now access the blog with https: in the URL instead of http: but when I view a page in Chrome it doesn’t display the little padlock that indicates that the site is secure.
When I click on the little “circled i” for information it gives me this message:
“Your connection to this site is not fully secure.“
I sent my web host a message a couple of days ago and another one last night asking what the problem could be but so far I haven’t heard back from them.
Do you have any idea what could be causing Chrome to not display the padlock and give me this message instead?
In most cases, the problem resource is being called from a URL that begins with http: instead of https:.
Every resource call on a secure web page must be called from a secure https: URL or you won’t get the padlock in the address bar and the browser will flag the page as being insecure.
Just one insecure resource call will result in the entire page being marked as insecure.
This situation is referred to as a “Mixed Content” issue and the exact cause(s) of this issue can be very difficult to track down and fix without a little help.
Luckily, that help is readily available via an amazing free online tool called “Why No Padlock?“.
Using “Why No Padlock?” is easy. Simply follow the steps below:
1 – Visit https://www.whynopadlock.com with your preferred web browser.
2 – Type (or copy and paste) your blog’s URL into the “Secure Address” box.
3 – Check the box to prove that you’re a human instead of a robot.
4 – Click the Test Page button.
The tool will now run a test on your page to track down and identify any insecure resource calls or other types of issues that could be causing the page to fail the security test.
After the test is complete (which could take anywhere from several seconds to several minutes) you’ll see a list of all the issues that were found printed on the screen.
If your blog is typical most or all of the issues found will be resources that are being called from insecure http: pages.
Luckily, those are usually very easy to fix simply by finding those URLs in the page’s source code and changing the http: part of the URL to https:.
Of course that will only work if the page the flagged resource is being called from is actually encrypted (i.e. secure) itself.
If you need help with making the needed change(s) your web host might be able to help. If not, you might need to hire a pro to help you fix the issue(s).
I hope this helps, Carol. Good luck!
Bonus tip #1: This post has more info about Chrome marking insecure sites as such right in the browser’s address bar.
Bonus tip #2: Want to make sure you never miss one of my tips? Click here to join my Rick’s Tech Tips Facebook Group!
If Facebook isn’t your cup of tea, I invite you to sign up for my Rick’s Daily Tips Daily Update Newsletter.
Want to ask Rick a tech question? Click here and send it in!
If you found this post useful, would you mind helping me out by sharing it? Just click one of the handy social media sharing buttons below.