Mixed Content

[Paul Nash]

Have installed Really Simple SSL Pro. I have disabled all plugins except Really Simple SSL.

Debug gives this:

Options:
* Mixed content fixer
SERVER: apache
SSL is not yet enabled for this site
** Detecting configuration **
plugin version: 2.5.11
Opening testpage to check for ssl: https://www.adderleyparish.co.uk/wp-content/plugins/really-simple-ssl/ssl-test-page.php
test page url, enter in browser to check manually: https://www.adderleyparish.co.uk/wp-content/plugins/really-simple-ssl/ssl-test-page.php
No ssl detected. No certificate, or the testpage is blocked by security settings. The ssl testpage returned the error:
siteurl or home url defines found in wpconfig
ssl not enabled, show notice

I can confirm that the SSL Certificate is in place have checked with external checker and it’s definitely there. If I go via Chrome and use the console I can load some of the mixed content over https and the lock appears so it’s definitely there.

Mixed Content Scan gives this:

successNo blocked urls found
successNo .js or .css files with http:// urls found.
successNo .js or .css files on other domains with http:// urls found.
successNo posts in your database found with links to blocked remote urls found.

I can confirm that there is lots of mixed content and it is preventing the SSL certificate from loading as well as css.

I have used “Better Search and Replace and I’ve scanned the SQL manually the only http:// is in wp_options where we have had to set the site url and the wordpress url so that users can access the site whilst we get to the bottom of the problem.

Finally: if we set the wordpress url to https:// we get the infinite redirects problem and we can’t access the admin console.

All help gratefully received.

[Rogier LankhorstKeymaster]

The mixed content scan from Really Simple SSL pro only searches for mixed content which the mixed content fixer in Really Simple SSL does not fix. So if your site only contains “fixable” mixed content, the scan does not show any issues.

I just checked your site, and can confirm that the mixed content issues you are having is normally fixed by Really Simple SSL, but that the mixed content fixer is currently not active.

For detection of SSL, please follow the steps in this article:
https://really-simple-ssl.com/knowledge-base/no-ssl-detected-but-im-sure-i-have-ssl/

The redirect loop on the back-end is fixed by Really Simple SSL when you activate the plugin. If you would experience this anyway, there’s a manual fix as well.

Even though you do not have SSL enabled yet, I’m assuming Really Simple SSL is activated, which means the mixed content fixer should kick in already when on SSL. But I can’t find the marker data-rsssl in your html, so is it possible you have some caching active on your site? Please clear, then deactivate any caching plugin you might have.

Let me know if this helps!

[Rogier LankhorstKeymaster]

I missed the part where you said you already disabled all plugins, sorry about that. This means it’s probably not a caching plugin. Although I have had experiences with W3TC where the cache still existed after deactivating it. Always clear first.

If you have enabled SSL I’ll check for the mixed content fixer again, and we’ll decide on the next step.

[Paul Nash]

Rogier, many thanks for the prompt response I really appreciate this. After a few days of to and fro with the hosting company and endless staring at WP config files and sql tables you can imagine that frustrations are running high.

One step at a time. Detecting SSL. I have read the piece on enabling SSL and I cannot see the “enable ssl” button. This may be for one of three reasons either a) I’ve been staring at this screen for so long now I cannot see what is in front of me, a distinct possibility; b) I’m looking in the wrong place; c) it’s not showing. As there is nothing anybody can do about a) let’s start with b).

I’m looking at the broken admin dashboard in https. All of the usual admin menu headings are on the left hand side and SSL is at the bottom of the settings list. Click on that and I can see the RS SSL items at the bottom of the page.

Configuration shows: the detected setup starting with No SSL detected.
HTTP Strict Transport Security was not set in your .htaccess
Mixed Content fixer is activated
Native WordPress function is_ssl() returned false
Last scan completed without errors

Settings shows:

Auto replace mixed content
Debug
Stop editing the .htaccess file
Turn HTTP Strict Transport Security on
Receive an email when your certificate is about to expire
Enable the mixed content fixer on the WordPress back-end

Debug shows it’s report which hasn’t changed

Scan for issues shows the same report as before and underneath is:

Import and insert file (twice)
Fix http in CSS and js files
Role back changes made to your files
Edit files

And that’s it.

[Rogier LankhorstKeymaster]

Sometimes the admin breaks when the site is loaded over SSL. This will go away as soon as SSL is enabled. But this will cause the activate SSL button to be down the page somewhere.

If you search for the words “Go ahead, activate SSL”, you should find a basic form of the button. Just click it, then you probably will need to login again, and your admin is normal on https.

[Paul Nash]

Rogier

I appreciate the calm patience but I think this whole process may have unearthed another problem.The “Go ahead, activate SSL” button is definitely not showing. In my wisdom I thought remove, re-install, start again. Really Simple SSL deleted no problem but deleting Pro generated an “internal server error deletion failed” Have you come across this before?

[Rogier LankhorstKeymaster]

I have recently discovered a bug in the uninstall code for the pro plugin. This does not do any harm, it only blocks removal through the WP plugins dashboard. This is already fixed in the version we are testing right now and will be pushed out soon.

Could you give me access to your WP install so I can take a look? If so, you can email me at support (at) really-simple-ssl.com

[Paul Nash]

Let me know if you don’t get a user name / password e-mail in the next 10 minutes. It will give you admin access and you can change the password to something a little more sensible.

[Rogier LankhorstKeymaster]

I just checked your site, I think somehow the fix Really Simple SSL needs to insert in your site didn’t get inserted. Could you insert the following code into your wp-config.php:

$_SERVER[“https”] = “on”;

That should tell WordPress that it’s on SSL. In most cases the server passes this variable, and if not, there are some other variables that can be checked. If neither happens, Really Simple SSL should insert it in your wpconfig.

This also explains why the mixed content fixer didn’t activate: it checks for the wordpress is_ssl() function, which in turn depends on the $_SERVER[“https”] = “on”; variable.

While you insert that, I’ll do some research why the plugin didn’t insert this. When it’s inserted, you should get the “activate SSL” button, and your site should run on SSL.

[Rogier LankhorstKeymaster]

I just did some checks. The reason this code didn’t get inserted automatically is a combination of the plugin not being able to open the testpage, and your server not returning on of the variables that are most used for SSL detection. If the testpage could be opened, the plugin would notice the absence of the variables and insert it. But in your case, as it can’t be opened, you need to add this yourself.

[Paul Nash]

Many thanks Rogier. Have done as asked. Website loads in https:// then I get:

Sorry, you are not allowed to access this page.

When trying to access the admin page.

[Rogier LankhorstKeymaster]

Apparently the problem is that in this case, just inserting this variable causes issues.

Can you do a test for me?

If you open your ftp client, go to wp-content/plugins/really-simple-ssl/ssl-test-page.php, and open it with an editor, can you at there at the top add:

<?php var_dump($_SERVER);?> 
<?php var_dump($_ENV);?> 

Then I can see what your server is passing as variables, and I can make a custom script to put in your wpconfig.

[Rogier LankhorstKeymaster]

Ok, you can remove it now, I’ve copied the result. I’ll get back to you.

[Rogier LankhorstKeymaster]

Your server does not pass HTTP_X_FORWARDED_SSL=”on”, which I check for, but “HTTP_X_FORWARDED_SSL”=>”1”.

That’s why it didn’t work. Can you try adding this to your wp-config.php instead of the line I sent you earlier?

//Begin Really Simple SSL Load balancing fix
$server_opts = array("HTTP_CLOUDFRONT_FORWARDED_PROTO" => "https", "HTTP_CF_VISITOR"=>"https", "HTTP_X_FORWARDED_PROTO"=>"https", "HTTP_X_FORWARDED_SSL"=>"on", "HTTP_X_FORWARDED_SSL"=>"1");
foreach( $server_opts as $option => $value ) {
   if ( (isset($_ENV["HTTPS"]) && ( "on" == $_ENV["HTTPS"] )) || (isset( $_SERVER[ $option ] ) && ( strpos( $_SERVER[ $option ], $value ) !== false )) ) {
     $_SERVER[ "HTTPS" ] = "on";
     break;
   }
}
//END Really Simple SSL

[Paul Nash]

Oops! didn’t mean to post all of that: we’ll have to delete. Forgot to mention we have also lost HTTPS though if you manually edit the URL it still works

[Rogier LankhorstKeymaster]

I’ve removed that. Can you contact me by mail? I think the only way would be if I can try some things with FTP access.

[Rogier LankhorstKeymaster]

Just for other readers of this thread: the extended code for the wpconfig fixed the issue. In the next update this will be integrated in the plugin. The change has been committed to github.

[Author]

Posts