Do you mean that you have two versions of the site with the same content -- an http version on your hosting company server and an https version on Cloudflare, and that googlebot is crawling both of them ... although there aren't any re-directs from the http pages to the https pages.

Do you mean that you have two versions of the site with the same content -- an http version on your hosting company server and an https version on Cloudflare, and that googlebot is crawling both of them ... although there aren't any re-directs from the http pages to the https pages.

Nope that isn't how cloudflare works , it sits infront of the server and acts as a proxy serving the frontend content to Google (think of it like varnish but remote) when you move to cloudflare it takes over the nameserver and all dns records. Technically yes there is a duplicate server in the background but it is unlikely to be crawled as there is no public dns record and you can always write a script to prevent direct access to the ip.

Ok so now on to the original poster, cloudflare has some powerful tools and there is a setting to automatically rewrite mixed content to https. Now I am assuming you are on a free version of cloudflare and using a shared SSL. Ok if thats the case you might want to consider upgrading to dedicated SSL as not all browsers (or search engines) are compatible with shared SSL certs. I personally always use a dedicated SSL on Cloudflare, this costs $5 per month. Yes you will need to change all sitemaps to https.

MayankParmar -- Do you mean that you haven't changed the nameservers yet and that they still point to your old http site's server?

Aristotle - The nameservers are pointing to CloudFlare and the content is on the http site's server, CloudFlare is just a content delivery network and it has a feature that enables https. I have that on but I haven't setup the redirection and the mixed content issue is there. So the https version of site is working fine with mixed content (I can fix it easily) but even without redirection, Google is crawling the new articles as https.

Now I am planning to install a dedicated SSL and setup redirection, fix mixed content. I have two questions:

If I go with non-Cloudflare SSL, what I should do with the current Cloudflare SSL? It has to be disabled or deleted before installing the private certificate and if it has to be deleted, I need to re-enable it after installing the dedicated SSL?

As I had the SSL installed although no redirection was setup. Google indexed most of my articles as https and I have no https property in Google Console. So after creating a new property, I need to submit new index sitemap, post, page, tag, categories sitemaps despite Google is already indexing some of my pages as https?

I would use the cert supplied by Cloudfare, the less expensive one. But if you want the fancy secure company logo and think paying the extra money is worth it, go with Comodo.

I use a free Lets Encrypt [letsencrypt.org] security cert and it works great.

Prior to turning on the redirect, go through your site, page by page, and make sure all file paths are relative (no protocol.)

Also make sure all file paths in any scripring, including Adsense scripts if you are using them, is HTTPS or just remove the protocol.

Use Chrome browser to test each page. Fix any errors. Once done, you can switch on the redirect.

Then add the HTTPS property to Google Search Console. Update your sitemap.xml if you use one and resubmit to GSC as well.

Bing and Yandex will take care of themselves.

I'm also making the move, changing page by page. I don't fully understand all the ins and outs. Once you install the SSL cert, pages become https. What happens to the http pages? Seems the http pages and their counterpart https pages coexist? But with a 301 redirect nobody sees them? And you can't do a 301 without having an https page to send an http page to, right?

It's very nerve wracking.

@ember, yes... that's one way to describe it.

The protocol (HTTP or HTTPS) is what the browser uses to negotiate with the server. Your pages are the same. You just need to make everything the same type protocol because that's what the browser is asking for.

So most of my pages will be https by later this week (if I do not sleep or eat). I have the SSL installed but on some pages not all of the elements will be secure in time. So would it be better to do the 301 direct anyway and send people to https pages that are not 100% secure yet or wait on the 301 until all pages are 100% secure? I'm just wondering how dramatic the warning will be on an http page vs an https page with the little i in the circle instead of a padlock.

It's very nerve wracking.

I experimented with a very small site before converting my main business sites and I only had one issue and that was on one site I had to reinstall Statcounter for some reason.

I'm not bragging about this since, basically, I did nothing because I host my sites on a Parallels Plesk server and the whole lot was pre-installed and it was only a question of ticking a couple of boxes, in fact it was so simple that when one of my sites wouldn't validate it was a case of unchecking the boxes and back to the original.

I certainly converted a dozen sites in less than an hour.

Do I need to go every page and check if it has lockpad? I have over 6000 articles!

You don't need to do it but I certainly would.

So would it be better to do the 301 direct anyway and send people to https pages that are not 100% secure yet or wait on the 301 until all pages are 100% secure?

I'm guessing the warnings will get you either way . Guess we'll find out next week.

They have a few crawling tools that would identify these live pages for you. I invested into it and finally bought a sitemap creator too. Just to speed it along.

I'm just wondering how dramatic the warning will be on an http page

On my main browser, if pat of a page's content is unsecure, then a message appears along the bottom of the screen which says "only secure content is displayed", and this is followed by a "Show all content" clickable button.

So the visitor has to click the "Show all content" button in order to see the unsecure content.

@aristotle - I thinks he's concerned about the warning changes happening next week:

[webmasterworld.com...]

[pcworld.com...]

keyplyr -- I answered the question about https pages on which part of the content is non-secure.

For questions about http pages, see the various discussions on various threads

Thanks, all. SHE appreciates the insights :)

[edited by: ember at 8:21 pm (utc) on Sep 25, 2017]

Oops -- in my earlier answer I accidentally quoted the wrong snippet. Here is the question that I intended to answer:

So would it be better to do the 301 direct anyway and send people to https pages that are not 100% secure yet or wait on the 301 until all pages are 100% secure?

As I said, the message from the browser appears along the bottom of the screen, and the visitor has to click a "Show all content" button in order to see the unsecure part of the page.

Sorry for the confusion.

Different browsers show different warnings and display the differently. Best to test in all major browsers: Chrome, Edge, Safari, Opera, etc

Different browsers show different warnings and display the differently. Best to test in all major browsers: Chrome, Edge, Safari, Opera, etc

Yes that's true. Also, some browsers allow you to choose a security level, such as high security, medium security, or low security. This could determine which warnings you see.

In my main browser I use the high security level, which may explain why I see more warnings about invalid and expired certificates than others apparently do.

I would venture to say that 98% of the world online community never changes their browser settings, so they see whatever default warning the browser shows them, especially with mobile.

In fact, most clients I've spoken with aren't sure of what browser they use... if they even know what a browser is.

Different browsers show different warnings and display the differently. Best to test in all major browsers: Chrome, Edge, Safari, Opera, etc

I have the default security settings in both Chrome and Firefox yet Firefox shows a "connection not secure" "parts of this page are not secure" while Chrome shows the green padlock.

Is this mixed content? Why on one browser rather than the other?

I would suggest making resources secure before converting the page. As others have said on other threads, the additional interstitial warnings shown to some (even if not all) users are much more likely to put off Joe Public, than a relatively unobtrusive "Not secure" tag in the address bar.

And I say this as a person who has converted, and recommend conversion, to https.

I have the default security settings in both Chrome and Firefox yet Firefox shows a "connection not secure" "parts of this page are not secure" while Chrome shows the green padlock.

Is this mixed content? Why on one browser rather than the other?

Sounds like you may be looking at cache, at least in one of the browsers.

I have a site that is now https secure with links to http sites and it is still showing the little green padlock. I thought all links on an https page have to be to https sites or the page is not secure?

I have a site that is now https secure with links to http sites and it is still showing the little green padlock. I thought all links on an https page have to be to https sites or the page is not secure?

Only incoming links that display some type of content, or interact with the page in some way.

"We have deployed SSL certificate for the domain. We request you to bypass the request from cloudflare to server to reflect the same"

My host told me. These guys are slow to reply back, are they referring to enable the Full Strict mode on Cloudflare?

The certificate is installed at server.

Can someone please tell me what is to be done on Cloudflare? Currently, it is set to Flexible SSL with no redirection setup. As now I have the SSL installed at server, what has to be done on Cloudflare?

I moved mine a few days ago. Very stressful as Google ip was blocked in the ssl firewall and it was not a traditional one so must be allocated to SSL or via update. Very hard to find after speaking to at least 20 techs at Rackspace - they finally found it today. Make sure that no google ips block your https site.