Welcome to WebmasterWorld Guest from 54.81.220.239

Forum Moderators: Robert Charlton & goodroi

Message Too Old, No Replies

HTTPS in process... a few questions before I make the move

     
4:14 pm on Sep 14, 2017 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1487
votes: 281


I have the Cloudflare’s Flexible SSL enabled but I haven’t setup the redirection and also the mixed content issue exists. It is like this since almost one year, I actually had no idea that it was enabled by the host at the time of migration. I have no problem so far. But now I’m planning to move to HTTPS. I have a few questions.

Shall I stick with Cloudflare SSL or buy the Comodo Positive SSL?

If I go with non-Cloudflare SSL, what I should do with the current Cloudflare SSL? It has to be disabled or deleted before installing the private certificate and if it has to be deleted, I need to re-enable it after activating the third-party SSL?

As I had the SSL installed although no redirection was setup. Google indexed most of my articles as https and I have no https property in Google Console. So after creating a new property, I need to submit new index sitemap, post, page, tag, categories sitemaps despite Google is already indexing some of my pages as https?
7:10 pm on Sept 15, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3609
votes: 346


Do you mean that you have two versions of the site with the same content -- an http version on your hosting company server and an https version on Cloudflare, and that googlebot is crawling both of them ... although there aren't any re-directs from the http pages to the https pages.
9:36 pm on Sept 15, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Sept 14, 2011
posts:1045
votes: 132


Do you mean that you have two versions of the site with the same content -- an http version on your hosting company server and an https version on Cloudflare, and that googlebot is crawling both of them ... although there aren't any re-directs from the http pages to the https pages.


Nope that isn't how cloudflare works , it sits infront of the server and acts as a proxy serving the frontend content to Google (think of it like varnish but remote) when you move to cloudflare it takes over the nameserver and all dns records. Technically yes there is a duplicate server in the background but it is unlikely to be crawled as there is no public dns record and you can always write a script to prevent direct access to the ip.

Ok so now on to the original poster, cloudflare has some powerful tools and there is a setting to automatically rewrite mixed content to https. Now I am assuming you are on a free version of cloudflare and using a shared SSL. Ok if thats the case you might want to consider upgrading to dedicated SSL as not all browsers (or search engines) are compatible with shared SSL certs. I personally always use a dedicated SSL on Cloudflare, this costs $5 per month. Yes you will need to change all sitemaps to https.
10:06 pm on Sept 15, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3609
votes: 346


MayankParmar -- Do you mean that you haven't changed the nameservers yet and that they still point to your old http site's server?
7:59 am on Sept 16, 2017 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1487
votes: 281


Aristotle - The nameservers are pointing to CloudFlare and the content is on the http site's server, CloudFlare is just a content delivery network and it has a feature that enables https. I have that on but I haven't setup the redirection and the mixed content issue is there. So the https version of site is working fine with mixed content (I can fix it easily) but even without redirection, Google is crawling the new articles as https.

Now I am planning to install a dedicated SSL and setup redirection, fix mixed content. I have two questions:

If I go with non-Cloudflare SSL, what I should do with the current Cloudflare SSL? It has to be disabled or deleted before installing the private certificate and if it has to be deleted, I need to re-enable it after installing the dedicated SSL?

As I had the SSL installed although no redirection was setup. Google indexed most of my articles as https and I have no https property in Google Console. So after creating a new property, I need to submit new index sitemap, post, page, tag, categories sitemaps despite Google is already indexing some of my pages as https?
8:14 am on Sept 16, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I would use the cert supplied by Cloudfare, the less expensive one. But if you want the fancy secure company logo and think paying the extra money is worth it, go with Comodo.

I use a free Lets Encrypt [letsencrypt.org] security cert and it works great.

Prior to turning on the redirect, go through your site, page by page, and make sure all file paths are relative (no protocol.)

Also make sure all file paths in any scripring, including Adsense scripts if you are using them, is HTTPS or just remove the protocol.

Use Chrome browser to test each page. Fix any errors. Once done, you can switch on the redirect.

Then add the HTTPS property to Google Search Console. Update your sitemap.xml if you use one and resubmit to GSC as well.

Bing and Yandex will take care of themselves.
12:01 am on Sept 17, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 26, 2005
posts:2281
votes: 603


I'm also making the move, changing page by page. I don't fully understand all the ins and outs. Once you install the SSL cert, pages become https. What happens to the http pages? Seems the http pages and their counterpart https pages coexist? But with a 301 redirect nobody sees them? And you can't do a 301 without having an https page to send an http page to, right?

It's very nerve wracking.
12:58 am on Sept 17, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


@ember, yes... that's one way to describe it.

The protocol (HTTP or HTTPS) is what the browser uses to negotiate with the server. Your pages are the same. You just need to make everything the same type protocol because that's what the browser is asking for.
7:39 pm on Sept 24, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 26, 2005
posts:2281
votes: 603


So most of my pages will be https by later this week (if I do not sleep or eat). I have the SSL installed but on some pages not all of the elements will be secure in time. So would it be better to do the 301 direct anyway and send people to https pages that are not 100% secure yet or wait on the 301 until all pages are 100% secure? I'm just wondering how dramatic the warning will be on an http page vs an https page with the little i in the circle instead of a padlock.
8:01 pm on Sept 24, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member redbar is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Oct 14, 2013
posts:3201
votes: 478


It's very nerve wracking.


I experimented with a very small site before converting my main business sites and I only had one issue and that was on one site I had to reinstall Statcounter for some reason.

I'm not bragging about this since, basically, I did nothing because I host my sites on a Parallels Plesk server and the whole lot was pre-installed and it was only a question of ticking a couple of boxes, in fact it was so simple that when one of my sites wouldn't validate it was a case of unchecking the boxes and back to the original.

I certainly converted a dozen sites in less than an hour.
6:41 am on Sept 25, 2017 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1487
votes: 281


Do I need to go every page and check if it has lockpad? I have over 6000 articles!
6:48 am on Sept 25, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


You don't need to do it but I certainly would.
7:39 am on Sept 25, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


So would it be better to do the 301 direct anyway and send people to https pages that are not 100% secure yet or wait on the 301 until all pages are 100% secure?
I'm guessing the warnings will get you either way . Guess we'll find out next week.
2:01 pm on Sept 25, 2017 (gmt 0)

Preferred Member

5+ Year Member

joined:Mar 22, 2011
posts: 448
votes: 6


They have a few crawling tools that would identify these live pages for you. I invested into it and finally bought a sitemap creator too. Just to speed it along.
7:12 pm on Sept 25, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3609
votes: 346


I'm just wondering how dramatic the warning will be on an http page

On my main browser, if pat of a page's content is unsecure, then a message appears along the bottom of the screen which says "only secure content is displayed", and this is followed by a "Show all content" clickable button.

So the visitor has to click the "Show all content" button in order to see the unsecure content.
7:27 pm on Sept 25, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


@aristotle - I thinks he's concerned about the warning changes happening next week:

[webmasterworld.com...]

[pcworld.com...]
7:40 pm on Sept 25, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3609
votes: 346


keyplyr -- I answered the question about https pages on which part of the content is non-secure.

For questions about http pages, see the various discussions on various threads
8:19 pm on Sept 25, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 26, 2005
posts:2281
votes: 603


Thanks, all. SHE appreciates the insights :)

[edited by: ember at 8:21 pm (utc) on Sep 25, 2017]

8:19 pm on Sept 25, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3609
votes: 346


Oops -- in my earlier answer I accidentally quoted the wrong snippet. Here is the question that I intended to answer:

So would it be better to do the 301 direct anyway and send people to https pages that are not 100% secure yet or wait on the 301 until all pages are 100% secure?


As I said, the message from the browser appears along the bottom of the screen, and the visitor has to click a "Show all content" button in order to see the unsecure part of the page.

Sorry for the confusion.
9:03 pm on Sept 25, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Different browsers show different warnings and display the differently. Best to test in all major browsers: Chrome, Edge, Safari, Opera, etc
9:16 pm on Sept 25, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3609
votes: 346


Different browsers show different warnings and display the differently. Best to test in all major browsers: Chrome, Edge, Safari, Opera, etc

Yes that's true. Also, some browsers allow you to choose a security level, such as high security, medium security, or low security. This could determine which warnings you see.

In my main browser I use the high security level, which may explain why I see more warnings about invalid and expired certificates than others apparently do.
10:58 pm on Sept 25, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I would venture to say that 98% of the world online community never changes their browser settings, so they see whatever default warning the browser shows them, especially with mobile.

In fact, most clients I've spoken with aren't sure of what browser they use... if they even know what a browser is.
11:35 am on Sept 26, 2017 (gmt 0)

Junior Member

5+ Year Member

joined:Mar 9, 2012
posts: 111
votes: 23


Different browsers show different warnings and display the differently. Best to test in all major browsers: Chrome, Edge, Safari, Opera, etc


I have the default security settings in both Chrome and Firefox yet Firefox shows a "connection not secure" "parts of this page are not secure" while Chrome shows the green padlock.

Is this mixed content? Why on one browser rather than the other?
12:05 pm on Sept 26, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1716
votes: 262


I would suggest making resources secure before converting the page. As others have said on other threads, the additional interstitial warnings shown to some (even if not all) users are much more likely to put off Joe Public, than a relatively unobtrusive "Not secure" tag in the address bar.

And I say this as a person who has converted, and recommend conversion, to https.
5:49 pm on Sept 26, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I have the default security settings in both Chrome and Firefox yet Firefox shows a "connection not secure" "parts of this page are not secure" while Chrome shows the green padlock.

Is this mixed content? Why on one browser rather than the other?
Sounds like you may be looking at cache, at least in one of the browsers.
7:17 pm on Sept 26, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 26, 2005
posts:2281
votes: 603


I have a site that is now https secure with links to http sites and it is still showing the little green padlock. I thought all links on an https page have to be to https sites or the page is not secure?
7:51 pm on Sept 26, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I have a site that is now https secure with links to http sites and it is still showing the little green padlock. I thought all links on an https page have to be to https sites or the page is not secure?
Only incoming links that display some type of content, or interact with the page in some way.
11:41 am on Sept 27, 2017 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1487
votes: 281


"We have deployed SSL certificate for the domain. We request you to bypass the request from cloudflare to server to reflect the same"

My host told me. These guys are slow to reply back, are they referring to enable the Full Strict mode on Cloudflare?
4:44 am on Sept 28, 2017 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1487
votes: 281


The certificate is installed at server.

Can someone please tell me what is to be done on Cloudflare? Currently, it is set to Flexible SSL with no redirection setup. As now I have the SSL installed at server, what has to be done on Cloudflare?
12:04 pm on Sept 28, 2017 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:May 3, 2017
posts:112
votes: 6


I moved mine a few days ago. Very stressful as Google ip was blocked in the ssl firewall and it was not a traditional one so must be allocated to SSL or via update. Very hard to find after speaking to at least 20 techs at Rackspace - they finally found it today. Make sure that no google ips block your https site.