What is mixed content in SSL?

Mixed content occurs when some elements of a page are loaded over insecure HTTP while the main page is loaded over secure HTTPS.

How do I fix the 'Not Secure' warning after SSL install?

Common fixes include resolving mixed content, installing the full certificate chain, ensuring the domain matches the certificate, and setting up proper HTTPS redirects.

Troubleshooting Guide

Why Browsers Still Say “Not Secure” After SSL is Installed

📅 December 19, 2025 • ⏱️ 6 min read

After installing an SSL certificate, the expectation is simple: a professional padlock icon and a secure connection. However, many website owners are met with frustration when browsers continue to display the "Not Secure" warning despite having HTTPS enabled.

If you're facing this, don't worry—the certificate itself is rarely faulty. Normally, this warning points to a configuration issue, a content error, or a trust gap elsewhere in the SSL stack. This guide will walk you through the most common causes and how to fix them.

What “Not Secure” Actually Means

When a browser flags a site, it is communicating that it cannot confirm 100% safety. This usually happens for one of three reasons:

The connection is not fully encrypted (Mixed Content).
The certificate is misconfigured or has a name mismatch.
The chain of trust back to the root CA is broken.

1. Mixed Content (The #1 Culprit)

Most Common Issue

Mixed content occurs when your site loads over HTTPS, but some elements (like images, scripts, or fonts) are still being requested over an insecure HTTP connection. This compromises the security of the entire page.

Fix: Open your browser console (F12) to identify the specific HTTP requests. Update these URLs to HTTPS, use relative paths where possible, and implement 'HTTPS rewrite rules' on your server or CDN.

2. Incomplete SSL Certificate Chain

Many servers only provide the domain certificate and forget to include the intermediate certificates provided by the CA. Without these, older browsers and mobile devices cannot trace the trust back to a root authority.

Fix: Ensure you install the full CA bundle (Leaf + Intermediates). You can verify your chain order using our diagnostic tools.

3. Certificate Name Mismatch

This happens when the certificate doesn't cover the specific domain you're accessing. For example, a certificate issued for www.example.com might not cover example.com if not explicitly included in the SAN (Subject Alternative Names).

Fix: Re-issue your certificate to include all necessary aliases or use a wildcard certificate to cover subdomains.

4. HTTP to HTTPS Redirection Missing

Even if SSL is perfectly installed, visitors might still land on the unencrypted HTTP version of your site if you haven't forced a redirect. Browsers will rightfully warn users that their data is at risk.

Fix: Apply a global 301 redirect from HTTP to HTTPS in your .htaccess or server configuration file.

                    Quick Diagnostic Checklist:
                    Full chain installed
No mixed content
Correct domain coverage
HTTPS redirection enabled
Strong TLS protocols
Non-expired certificate

                

Conclusion

An alert doesn't necessarily mean your site is compromised; it means the browser needs more evidence that the connection is fully secure. By following this structured troubleshooting approach, you can eliminate configuration gaps, restore the padlock icon, and ensure a safe experience for your users.

Diagnose Your Warning Instantly

Don't guess why your site says "Not Secure." Use our free SSL Checker to pinpoint the exact issue in seconds.

Check My Site Security