In Chrome browser - your connect to this site is not fully secure

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jtgs.ca

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):linux 3.10.0-962.3.2.lve1.5.24.8.el7.x86_64

My hosting provider, if applicable, is:hostpapa

I can login to a root shell on my machine (yes or no, or I don’t know):no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cpanel 76.0.20

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

#2

What was the rest of the error message?

https://www.whynopadlock.com/results/0b07924d-176c-4025-89e4-bdf6bc38def1
https://www.whynopadlock.com/results/e423c2d0-e9df-4f81-98c6-ff2cfc49f72a

It looks like there’s some mixed content – JavaScript files loaded over HTTP instead of HTTPS. (It would also be a problem if other things like CSS or images were mixed.)

Chrome’s developer tools can help show what’s going on.

It might be that all you need to do to fix it is change the site URL in WordPress’s configuration to use https.

https://codex.wordpress.org/Changing_The_Site_URL

2 Likes
#3

The message I see in chrome. - "Your connection to this site is not fully
secure
Attackers might be able to see the images you’re
looking at on this site and trick you by modifying
them. Learn more

#4

Hi @dylan

use Ctrl + Shift + I, that opens the console. There you see a different error message.

greensock.js?ver=1.19.0:19 Mixed Content: 
The page at 'https://jtgs.ca/' was loaded over HTTPS, 
but requested an insecure image 
'http://jtgs.ca/wp-content/uploads/2015/04/Website-Background.jpg'. 
This content should also be served over HTTPS.

The check result @mnordhoff had posted (from whynopadlock)

https://www.whynopadlock.com/results/0b07924d-176c-4025-89e4-bdf6bc38def1

shows the same problem.

An image with an insecure url of “http://jtgs.ca/wp-content/uploads/2015/04/Website-Background.jpg” was loaded via the javascript file: https://jtgs.ca/wp-content/plugins/LayerSlider/static/layerslider/js/greensock.js?ver=1.19.0 on line 18. The insecure URL may not be directly contained in the script file and may exist elsewhere.
You may need to contact your web hosting provider for assistance. This URL will need to be updated to use a secure URL for your padlock to return.

But: This Javascript file doesn’t have the wrong url. Wrong urls are in two CSS files ( https://check-your-website.server-daten.de/?q=jtgs.ca ), the JavaScript loads the content.

The css files are loaded via https. But they have a lot of url definitions:

background: url("http://jtgs.ca/wp-content/uploads/2015/04/site-logo.png")

This is mixed content.

First file:

http://jtgs.ca/wp-content/plugins/all-in-one-event-calendar-extended-views/public/themes-ai1ec/vortex/font/../font/League_Gothic-webfont.eot http://jtgs.ca/wp-content/plugins/all-in-one-event-calendar-extended-views/public/themes-ai1ec/vortex/font/../font/League_Gothic-webfont.eot?iefix http://jtgs.ca/wp-content/plugins/all-in-one-event-calendar-extended-views/public/themes-ai1ec/vortex/font/../font/League_Gothic-webfont.svg#webfont1Lb5Pdit

Second:

http://jtgs.ca/wp-content/uploads/2015/04/site-logo.png http://jtgs.ca/wp-content/themes/church-event/wpv_theme/assets/images/bx_loader.gif 

I removed most of the links in the second sample, the list is too long.

So there are more then two links you should change

http -> https

if there is a https version.

3 Likes
#5

Not sure how to locate those two file. Any suggestions

#6

These are the two files:

https://jtgs.ca/wp-content/themes/church-event/cache/all.css?ver=1487945858

https://jtgs.ca/wp-content/plugins/all-in-one-event-calendar/cache/61748dc8_ai1ec_parsed_css.css?ver=2.5.36

Both have a lot of url(http://…) definitions, that’s mixed content.

PS: Use https://check-your-website.server-daten.de/?q=jtgs.ca to recheck your domain.

There you see all the definitions in these two files you should change.

The first file has three font definitions loaded via http.

The second has 16 image http links

1 Like
#7

Thanks Juergen it worked

1 Like
#8

I see, you have rechecked your domain with the updated tool https://check-your-website.server-daten.de/?q=jtgs.ca

Chrome is now happy, that’s good. But the Chrome-check is incomplete. FireFox shows the error loading a font:

Laden von gemischten aktiven Inhalten "http://jtgs.ca/wp-content/plugins/all-in-one-event-calendar-extended-views/public/themes-ai1ec/vortex/font/League_Gothic-webfont.eot?iefix" wurde blockiert.[Weitere Informationen] greensock.js:19:20323
Laden von gemischten aktiven Inhalten "http://jtgs.ca/wp-content/plugins/all-in-one-event-calendar-extended-views/public/themes-ai1ec/vortex/font/League_Gothic-webfont.svg#webfont1Lb5Pdit" wurde blockiert.[Weitere Informationen] greensock.js:19:20323 

But the error message is wrong, same as Chrome. greensock.js is the JavaScript that loads the file. But the file isn’t defined in that JavaScript, instead in that CSS-file.

http://jtgs.ca/wp-content/plugins/all-in-one-event-calendar-extended-views/public/themes-ai1ec/vortex/font/../font/League_Gothic-webfont.eot
http://jtgs.ca/wp-content/plugins/all-in-one-event-calendar-extended-views/public/themes-ai1ec/vortex/font/../font/League_Gothic-webfont.eot?iefix
http://jtgs.ca/wp-content/plugins/all-in-one-event-calendar-extended-views/public/themes-ai1ec/vortex/font/../font/League_Gothic-|

So check your file

https://jtgs.ca/wp-content/plugins/all-in-one-event-calendar/cache/61748dc8_ai1ec_parsed_css.css?ver=2.5.36

and change there these three font-links http -> https.

Then recheck your domain, then the mixed content warning

I https://jtgs.ca/ 69.90.161.130
200
Mixed content - content loaded via http

should be removed.

closed #9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.