SSL certificate installed but site still showing "Not Secure" or mixed content warning.
SSL & CertificatesVerified: Jul 14, 2026
Resolution Steps
- Confirm the SSL certificate is installed and active in the customer's SSL dashboard.
- Verify the certificate is issued for the correct domain — check for www vs. non-www mismatch.
- Check if the site is forcing HTTPS — without a redirect, browsers may still load HTTP.
- Add a 301 redirect from HTTP to HTTPS in .htaccess or the hosting control panel.
- Identify mixed content: open browser DevTools (F12) → Console tab — look for "Mixed Content" warnings.
- Mixed content means the page loads over HTTPS but references HTTP resources (images, scripts, stylesheets).
- For WordPress: use the Better Search Replace plugin to update all HTTP URLs in the database to HTTPS.
- Check the SSL Labs test result — a grade below A usually indicates a configuration issue, not a certificate issue.
- For certificate errors: check the expiration date and renew if within 30 days.
- After making changes, clear the browser cache and CDN cache before retesting.
Say This
"I can see your SSL certificate is installed and valid — so the "Not Secure" warning isn't a certificate problem, it's a configuration issue. The good news is this is fixable. What's happening is your site has what's called "mixed content" — your page loads securely over HTTPS, but some of the images or scripts on the page are still being loaded over the old HTTP address. Browsers flag this as insecure even though your certificate is fine. Here's what we'll do: I'm going to walk you through checking your browser's developer tools to see exactly which resources are causing the warning. It takes about 3 minutes and we'll know exactly what needs to be updated. [walk through DevTools steps] Once we identify the resources, [for WordPress: we can fix all of them at once with a plugin / for custom sites: we'll update the URLs in your code]. Does that sound good?"
Quick Links
Escalate When...
- Certificate installation has failed three or more times — escalate to hosting technical team.
- Customer has a Wildcard or EV certificate with validation issues — requires manual review.
- Certificate Authority (CA) has revoked the certificate — requires reissuance.
- SSL is installed but the site is still unreachable over HTTPS after 24 hours.
- Customer's site is on a third-party host and GoDaddy SSL installation is not supported.