Padlock in address bar is red, but when I click on it, I see a certificate under 'view site information'

My domain is: www.howlingdev.site

I ran this command: sudo certbot --apache -d howlingdev.site

It produced this output:

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 20.04.2

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

I'm not seeing any issues, nor is this check:
https://www.whynopadlock.com/results/0d43f24c-9582-4693-9773-34b424c2b603

Thank you for your reply.
Not really sure why the certificate shows up, but the padlock remains red.
I just included a screenshot and it is red while the certificate looks good.
I clicked on the padlock and selected 'view site information'.

Looks very much like a mixed-content problem--your site is serving some resources (images, CSS, or something) via HTTP. I'd expect whynopadlock.com to have shown that, though.

Your page requested js/css from https://172.104.4.10/
The IP address "172.104.4.10" does not match the DnsName of the certificate, "www.howlingdev.site".
It seems you are using WordPress; please visit https://www.howlingdev.site/wp-admin/options-general.php
and change the site URL from "172.104.4.10" to "www.howlingdev.site".

Yes JemmyLoveJenny, that fixed the problem.
As soon as I went into WP under general > settings > site url and changed the IP address to human friendly DNS, the padlock came up.
The padlock went away when I put the IP address in the address bar.
I'm not sure what that field affects exactly.
I must have set that before I purchased the domain name.

Thanks so much. That was a huge help!

The web browser software checks that the name in the address bar matches one of the names in the certificate. But (while it is technically possible to issue certificates for IP addresses), Let's Encrypt doesn't issue certificates for IP addresses, only for DNS domain names. That means that if you access a site with a Let's Encrypt certificate via HTTPS using its IP address, it will always be a mismatch, as seen by your browser.

This behavior is a bit different between HTTP and HTTPS, because of the presence of certificates and the need to proactively list individual names in the certificate when requesting them. For example, in HTTP, you could sometimes make an "unauthorized" name for a web site that you don't run yourself, just by registering a domain name and pointing it at the web site's IP address. If the web site operator doesn't try to proactively prevent this and only a single site is hosted on that server, it will normally work—as long as the browser can find the server, the site content will come up.

But in HTTPS, if you point an "unauthorized" domain name at a site, it will be invalid to access it that way from a browser's point of view, because the site will never serve a certificate that matches that name, and therefore the browser will not be able to confirm whether the connection is, in fact, to the intended site.

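A check for the condition found in this thread, as an added example that is not code from any poster or from Certbot: it lists the subresources of a page that are loaded over http or from an IP-literal host, and repeats the address-bar name comparison described above. The certificate name list and the sample markup are assumptions built from the values quoted in the thread; only exact names are compared, wildcards are not handled.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed inputs: the DNS name and IP address are the ones quoted in the
# thread; the markup is constructed for illustration.
CERT_DNS_NAMES = ["www.howlingdev.site"]
PAGE_URL = "https://www.howlingdev.site/"
SAMPLE_HTML = """
<link rel="stylesheet" href="https://172.104.4.10/wp-content/themes/x/style.css">
<script src="https://172.104.4.10/wp-includes/js/jquery.js"></script>
<script src="/wp-includes/js/local.js"></script>
<img src="http://www.howlingdev.site/logo.png">
<a href="https://172.104.4.10/about">a link is not a subresource</a>
"""

class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches on its own (styles, scripts, images)."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        key = "href" if tag == "link" else "src"
        if tag in ("link", "script", "img", "iframe") and attr.get(key):
            self.urls.append(attr[key])

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def address_bar_ok(url, dns_names):
    """Exact-name form of the browser check: URL host vs. certificate names."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return not is_ip(host) and host in (n.lower() for n in dns_names)

def audit(html, page_url):
    """Flag subresources that would cost an HTTPS page its padlock."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for url in (urljoin(page_url, u) for u in collector.urls):
        parts = urlsplit(url)
        if parts.scheme == "http":
            findings.append((url, "mixed content"))
        elif is_ip(parts.hostname or ""):
            findings.append((url, "IP-literal host"))
    return findings
```

Relative URLs are resolved against the page URL before the check, so a site-relative script is not flagged.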