Https login form marked as insecure


My domain is:
My web server is (include version): windows 2008 / IIS 7 (?)
I can login to a root shell on my machine (yes or no, or I don’t know): yes

If I browse from the frontpage : to the login page (top right corner) : I get a “nonsecure form” messages, while the page is in fact https.

I also got an untrusted error when first trying this website on a fresh firefox. Once I visited another website using let’s encrypt it got fixed…

I think something is wrong with the certificate/chain. I haven’t set it up, and this was previously a self-signed kind of website so … go easy on us please. Is this the issue ? How can I find and fix the issue ?



hi @svennd

you have a double whamy going on ::smiley:


you are serving a LetsEncrypt X1 intermediate when you ceritificate is issued from the X3 issuer

the easiest way to fix this is to download the x3 intermediate

rename it to .cer and install it on your server

you should see it in you intermediate store

B) if you run your site through this

it will outline insecure content that is being used on a secure page

most of it is a matter of updating your links from http to https as they are pointing to resources in your domain



It’s probably not the change. I’m seeing a perfectly valid and trusted login form?

Why? This is why:

Your login form uses the HTTP referer header to fill in the destination of the form!

For example, when I went to the login form, directly from your hyperlink above, this was in the source:

		        <form name="frmLogin" id="frmLogin" action="" method="post" onsubmit="return _CF_checkfrmLogin(this)">

Wut…? :scream:

And as you said you visited the login form from a non-secure HTTP site, you’d get a non-secure HTTP site as the “action” of the form. And that will result in an insecure page. (Mixed content.)

If you go to (notice the https) and try to log in, everything will be fine.

How to fix? Well, don’t use a referer as the action of a form, that’s for starters… NEVER trust user input and yes, a HTTP header = user input from the servers point of view. Use a static action for the form, not a dynamic one based on the referer header.

By the way, run your site through the whynopadlock-site like @ahaw021 said: your main site has a lot of non-secure elements.


I downloaded that file and “installed” it, but the issue remains. I will send this to my windows colleague :slight_smile: At-least we know the problem now. The mixed errors are fine.

Thanks for pointing that out as you might have suspected this site was made when animals still could talk. I’m not certified to update this beast :slight_smile:


Well, if you keep linking to the login page from a non-secure HTTP page and you’re not able to update the origin of the form action to something else than the referer, you’re keeping the problem of not having a green padlock on the login page (b/c of the non-secure form action).


try restarting the page in iis



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.