My website is not fully secured


#1

Hello Let’s Encrypt Support community,

My domain is: rule34haven.com (Warning: This is a NSFW site. Please remove if it’s not allowed)

It is hosted by Hostinger.

I followed this guide to install LetsEncrypt SSL: https://www.hostinger.com/tutorials/ssl/how-to-install-free-ssl-from-lets-encypt-on-shared-hosting

That guide is supposedly not supported anymore because Hostinger now offers SSL for a fee, but I followed the instructions exactly to install the LetsEncrypt SSL.

I encountered many errors throughout the process, mainly in the PuTTY program, but managed to get to the end and got the Certificate and Private Key, and entered them in.

However, my website is still not fully secured. It is not https by default, and when I add in https, it works, but says “Your connection to this site is not fully secured.”

Since I know nothing about hosting, SSL, and those operating system terms, can someone assist me to figure out what went wrong with my SSL installation? Should I redo it with some other method?

Thank you very much.


#2

Hi @phoenixblue,

Your website suffers from a mixed content problem, which occurs when you include some HTTP resources (such as images, scripts, or stylesheets) inside of an HTTPS page. You can diagnose this using your web browser’s developer tools, or an online scanner such as

https://www.whynopadlock.com/results/a5f44e3b-b188-4991-91aa-0d2f3dbe6a7b

Fixing this requires changing the links in your site content to secure versions of these resources, or, if the links are automatically generated by a content management tool, updating that tool’s defaults or settings so that it generates HTTPS links instead of HTTP links.


#3

Hi schoen.
Thank you for your help. Since I have no experience in this, what is the easiest way of fixing this problem? Is there a way I can just force HTTPS on everything? How would I do that with Let's Encrypt? Does it have to be done in my hosting provider’s options or from my WordPress website?


#4

Most likely answer:


#5

Thanks for the reply. I changed my site URL to https in my WordPress settings, and now everything seems to be working. When I go on my site, it says it’s secured now.

Just 3 questions though.
When I test it on whynopadlock, https://www.whynopadlock.com/results/1d92dcb9-b673-4118-a358-59cdeefe75b5

  1. It still has an X for Invalid Intermediate
  2. I still keep getting a Soft Failure (Mixed content) saying I have an image without https, but I removed all traces of that image from my WordPress and even deleted it through FTP, but it still shows that. Can I ignore that or is that picture hidden in my code somewhere?
  3. Also is force https required? Whynopadlock says I don’t have it.

#6

A1. The cert (chain) is incomplete (the Intermediate is missing: https://www.ssllabs.com/ssltest/analyze.html?d=rule34haven.com)
This is something you can fix.
You probably did not use the fullchain.pem file.

A2a. You must have missed one, or it is embedded in included content.

A2b. If you ignore it, everyone that visits the site will get the same “insecure” (mixed-content) message. Are you OK with that?

A3. Forcing HTTPS means even if you accept HTTP connections, they will require the user to reconnect via HTTPS. This is a preferred “standard” - make everyone use your HTTPS site.


#7

Hi @phoenixblue

Not really. You have a DNS entry www. But your certificate doesn’t work with your www version.


| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://www.rule34haven.com/ 185.224.138.187 | 301 | http://rule34haven.com/ | 0.783 | D |
| http://rule34haven.com/ 185.224.138.187 | 200 | | 0.170 | H |
| https://www.rule34haven.com/ 185.224.138.187 | 301 | https://rule34haven.com/ | 1.623 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| https://rule34haven.com/ 185.224.138.187 | 200 | | 1.660 | B |

Because your certificate

CN=rule34haven.com
20.12.2018
20.03.2019
rule34haven.com - 1 entry

has only one domain name, not two.

So try to create one certificate with two domain names rule34haven.com www.rule34haven.com.

Or remove your www DNS entry. But the better solution is to create the certificate with both domain names.
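The name mismatch reported in the post above, as an added example that is not part of the original thread; the `example.com` names and URL list are constructed. The certificate is checked during the TLS handshake, before the server can deliver its 301, so a redirect from the `www` host to the bare domain does not help when `www` is missing from the certificate. The matching rule (exact name, or `*` as the whole leftmost label) also covers wildcard entries, which the thread does not use.

```python
from urllib.parse import urlsplit


def name_matches(san, host):
    """True if one dNSName entry covers host: exact match, or '*' as the whole leftmost label."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # a wildcard stands for exactly one label, never zero or several
    if san_labels[0] == "*":
        # require at least two fixed labels so that "*.com" is never accepted
        return len(san_labels) > 2 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def tls_name_errors(urls, san_entries):
    """URLs whose handshake fails on a name mismatch; http:// URLs involve no certificate."""
    bad = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            continue
        if not any(name_matches(s, parts.hostname) for s in san_entries):
            bad.append(url)
    return bad


# Constructed stand-ins for the four URL variants listed in the table above.
URLS = [
    "http://www.example.com/",
    "http://example.com/",
    "https://www.example.com/",
    "https://example.com/",
]
ONE_NAME = ["example.com"]                      # certificate issued for the bare domain only
TWO_NAMES = ["example.com", "www.example.com"]  # certificate reissued with both names

if __name__ == "__main__":
    print("one name :", tls_name_errors(URLS, ONE_NAME))
    print("two names:", tls_name_errors(URLS, TWO_NAMES))
```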


#9

@JuergenAuer Thank you for letting me know the www didn’t work. I looked at that guide I followed and realized what I did wrong. One of the commands involved “yourdomain.com:www.yourdomain.com” and I (being a complete newbie) put the same link in for both fields (without the www).

I just went through the process again (was much easier and faster after I did it once before), and I think everything is good now.

https://www.whynopadlock.com/results/36b6fc73-8b59-4d92-96af-d2e1cb0de2ac

Thank you guys so much for your help! This community is great. :smiley:


#10

Yep, now it looks good.

You have

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://rule34haven.com/ 185.224.138.187 | 302 | https://rule34haven.com/ | 0.050 | A |
| http://www.rule34haven.com/ 185.224.138.187 | 301 | http://rule34haven.com/ | 0.504 | D |
| https://www.rule34haven.com/ 185.224.138.187 | 301 | https://rule34haven.com/ | 1.590 | B |
| https://rule34haven.com/ 185.224.138.187 | 200 | | 1.357 | B |

three redirects and one https destination. And your certificate has two domain names:

CN=rule34haven.com
21.12.2018
21.03.2019
rule34haven.com, www.rule34haven.com - 2 entries

And no mixed content warnings :wink:

