Skip to main content
Brand User

647 Messages

 • 

44K Points

Mon, Feb 26, 2018 10:46 PM

Can I Secure My Homestead Website With HTTPS?

For SITEBUILDER PLUS ONLY. Do not use if you have Website Builder.

If you have a Simplestore using Sitebuilder Plus, DO NOT PROCEED WITH THIS PROCEDURE.
For more information please read this topic
:

https://community.homestead.com/homestead/topics/cloudflare-common-cloudflare-issues


Important: When we update the nameservers, it is possible to see some interruption with the website and email as the settings propagate. This is to be expected, but if it has been more than 24 hours, please contact support and we can assist.

*click on images to enlarge*

This topic addresses displaying a "secure" rating in the address bar. Currently your site shows an information icon to the left of your URL. If you click it, the message will say the site is not secure.


If you have a contact form this is important. As soon as you begin filling in a field in the form, the browser will display a more obvious message in the address bar.


To secure your site you will need to update your nameservers using Cloudflare. Below are detailed instructions on correctly configuring this so your website will be secure and your customers will feel more confident providing you their contact information.

1) Go to http://www.cloudflare.com and click on the sign up link.


2) Please enter your email address and password you wish to use for your Cloudflare account. If possible, please do not use an email address connected to your domain.
We strongly recommend you read the term and conditions. To continue you must agree to the terms and conditions by clicking on create account.


3) Enter your domain name and click on Add site

4) Select the FREE plan and click Confirm Plan.



5) Cloud flare will scan your current DNS settings and automatically populate the found DNS records. When the scan is complete, and you see all records present, click continue .




6) Compare the DNS records Cloudflare scanned to your existing DNS records. These can be found in your Homestead account, under Domains > Advanced DNS settings. They should match. If they do, click Continue.


If they don't, you can click on the name or value inside of Cloudflare that is incorrect and edit it. If you need help viewing your current DNS records, please see our topic, How can I view and edit my DNS records using Homestead nameservers.



NOTE: Please make sure to verify that the MX record has been added inside of CloudFlare's DNS settings. If you do not see a record with MX next to it, then we will need to add the MX record.


Click MX in the drop down, then click Name and type @, then Click to configure just right of that box. It will open a new window, please confirm your MX record.
If you are using email with Homestead, for server you will add mx.YOURDOMAIN.com, and for Priority you can put 10. Click save, then click Add Record.


7) Cloudflare will now provide you the new nameservers for your domain. If you do not see your nameservers, proceed to the DNS page inside of Cloudflare, and scroll down until you see Cloudflare Nameservers.

Important: When we update the nameservers, it is possible to see some interruption with the website and email as the settings propagate. This is to be expected, but if it has been more than 24 hours, please contact support and we can assist.



8) Log into your Homestead account and click the domains tab on the left. Under the domain you are working on, click Edit your nameservers. You will need to click delete next to ns3.mdnsservice.com and then change the other 2 nameservers to the ones provided by Cloudflare. You can't change and delete in the same step, so you will need to click edit twice. Click Submit


9) Return to Cloudflare and click done check nameservers.



10) The first part is now completed. Now, please review and confirm that the SSL is set to Flexible and always use HTTPS is turned on. 



11) Over the next 24 hours, try manually typing in your site with https. If it isn't set up yet, you'll get an error page. Just type https://www.yourdomain.com  and when you see your site load with HTTPS, please proceed to the next step.


NOTE: Do not proceed to the next step until you can view your website when using HTTPS (https://www.yourdomain.com) When you see your site load with HTTPS, continue to step #12.

12) Click on the SSL/TLS button at the top and select Edge Certificates. 



13) Scroll down on this page and look for the section entitled "Always use HTTPS" Turn it on. Also scroll to the bottom and find "Automatic HTTPS Rewrites" Turn it on. All other settings you can leave as default.




In a few minutes, your site will show secure.


If your site is not showing fully secure, please go republish your site.


Note: This solution is for Sitebuilder Plus sites only.

Responses

21 Messages

 • 

1.6K Points

2 years ago

Guys & Gals,

I have been going around in circles for days now trying to follow the Cloudflare https changeover instructions for an old (test) site:


http://www.moreinformation4u.com/index.html


Dealing with Cloudflares support staff is an absolute nightmare ... they all speak high tech gobbledegook ...and don't help at all!


Could Homesteads ... as the "experts" who manage our sites and gladly take our subscriptions, not in their infinite wisdom have found a way to look after this transition for us (... and long before now by the way ... Firefox has been marking none https sites as "high risk" for a couple of years now) ... instead of forcing none IT savvy small businesses to "do it themselves" through a FREE service ... which is far from satisfactory, frustratating  and very time consuming.


Any thoughts Homesteaders?

32 Messages

 • 

6.3K Points

Agree 100%. The whole thing has been a complete fiasco not unlike the "Duda Mobile" deal awhile back...
Brand User

634 Messages

 • 

50.3K Points

We looked into being able to provide this service for customer on Sitebuilder Plus. It was not possible, which is why we are offering a 3rd party solution. Since is it 3rd party, we cannot do it for you. If you want Homestead to secure your site for you, you would need to rebuild your site in our newer builder Website Builder, because very soon we will be offering SSLs through those sites.

I see your site can use HTTPS. I recommend going back and finishing the instructions from Step 12. Also, please remove the hitcounter from your site as the site will not be able to display secure with that on there. Then please republish your entire site.

21 Messages

 • 

1.6K Points

Please see my note below ... and explain exactly what the Cloudflare guy is saying.

I dare you!

Regards

Steve

21 Messages

 • 

1.6K Points

2 years ago

Guys & Gals,

Following my earlier comment, here is a communication I've just recieved from Cloudflare ...
one of their simpler responses ... but I think it supports the point I'm making:

tcloonan (Cloudflare)

Aug 21, 1:59 PM PDT

Hi Steve,

Sorry you're still having issues, my name is Tim and I'll assist you today. I visited the site and the account and can see that ssl is enabled and the certificate is in place. Image attached. But, there are mixed content issues to address. I'll include detail on mixed content in the ps of this note, but basically you want to login to your cloudflare account and on the Crypto tab, turn on Always use HTTPS? That will force folks to https, even if they type http. Next, we need to correct the http calls to make sure that works.

I can see you have Automatic HTTPS rewrites enabled, that's good and addresses a lot of mixed content issues. But not all of them. Some, like the calls on your site, need to be changed manually. This is because automatic rewrites don't work with Javascript and css files. And, you're calling both Javascript and a css stylesheet using http, not https. Details on how to change in the ps of this email.

You can visit this test site to check your domain, https://www.cloudflare.com/lp/ssl-test/?utm_medium=website&utm_source=blog&utm_campaign=chrome68. I've attched an image of what I am seeing right now. And, it is showing the errors that I'll include in the text of the ps.

We will mark this as solved for the moment. After you make the above changes, clear your cache and visit the site. And then, let us know if you have any further questions or issues by replying to this e-mail or ticket to have it immediately reopened.

Thank you & kind regards,

Tim

PS - Here is the background on the mixed content errors that you'll need to address. Mixed content errors mean that your website is being loaded over HTTPS (because you've told it in the setting to always use https), but some of the resources are being loaded over HTTP. To fix this you will need to edit your source code and change all resources to load over a relative path, or directly over HTTPS.

For example, if you load your images with a full URL:

<img src="http://example.com/image.jpg" />

You would want to change this to:

<img src="//example.com/image.jpg" />

By removing the http:, the browser will use whichever protocol the visitor is already using. See this article for more information.

An alternative option would be to enable the Automatic HTTPS Rewrites feature that can potentially fix these errors for you automatically. Do be aware that resources loaded by JavaScript or CSS will not be automatically rewritten and mixed content warnings will still appear. This is the issue you're seeing and here are the errors to correct:

index.html:30 Mixed Content: The page at 'https://www.moreinformation4u.com/index.html' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.homestead.com/~media/elements/Text/font_styles.css'. This request has been blocked; the content must be served over HTTPS.

index.html:1 Mixed Content: The page at 'https://www.moreinformation4u.com/index.html' was loaded over HTTPS, but requested an insecure image 'http://www.homestead.com/~site/Scripts_HitCounter/HitCounter.dll?CMD=CMDGetImageInternal&HCID=16166028&style=Odometer&dw=160&dh=38&digits=6&borders=1'. This content should also be served over HTTPS.
index.html:1 

Mixed Content: The page at 'https://www.moreinformation4u.com/index.html' was loaded over HTTPS, but requested an insecure script 'http://www.moreinformation4u.com/~site/javascript/site_statistics.ffhtml?RTK=http%3a%2f%2fweb4%2erealtracker%2ecom%2fnetpoll%2fjs%2fibc90006%2ejs'. This request has been blocked; the content must be served over HTTPS.
favicon.ico:1 GET https://www.moreinformation4u.com/favicon.ico 404 ()

Join the Cloudflare Community


Brand User

634 Messages

 • 

50.3K Points

This means they can see you followed part of Step 13 and turned on Automatic HTTPS Rewrites but haven't turned on Always use HTTPS. They also mentioned that there are elements on your site that are not secure. ("mixed content") That is the hitcounter and HTML I mentioned. Delete the hitcounter and edit the code to either delete http: and just leave // or change it to https://. This is basically all they are talking about.

18 Messages

 • 

546 Points

This is all making sense to the management at Homestead?  Seriously, this is what they have their customers doing because they used the software THAT IS STILL AVAILABLE ON THE WEBSITE to create their website?

Guys, c'mon, this can't be real.

Or they just said, "let 'em leave, we have enough people that are using the web based site builder we don't care enough to make a tool to re-compile someone's site in the new format."

That's really what it comes down to.  A money decision.    It's really a shame.  BTW, I've done all the steps four days ago and it still says "not secure."  I'm signed up, it's active, I even had a Homestead rep bless her soul go through everything and fix it for me and . . . zip, zilch, nada.

I'm now going to recreate "index" in the new web based browser because I'm done with this silliness.  When I do I'm hoping it will say "secure."   
Brand User

634 Messages

 • 

50.3K Points

I'm glad we were able to get this taken care of and your sites are showing secure. Let me know if there is anything else I can help you with!

18 Messages

 • 

546 Points

Elyzabeth solved my problem in five minutes, but I'm not sure if "1" or "5" was good so I may have done a bad thing by putting in "5's."  Sorry if my ADD was kicking hard and I missed the instructions when I fumbled the phone.
Brand User

634 Messages

 • 

50.3K Points

Oh thank you! 5 is good, so I appreciate that.

5 Messages

 • 

244 Points

2 years ago

Can't find a spot to create a new problem situation, hopefully this does so.
I followed all your instructions, I have Secure on my browser.
But, as a result of the changes, I have not received an incoming email for 10 days. Not on my iPhone, iPad or Mac. I was out of the country on vacation and did not notice all emails received were from the other email addresses
This is my work account...people are no doubt wondering how responsive I am.
Also, it is 4pm. I have to leave at 4:30am to volunteer at an event. I do not know where to go, who to see, etc. 
Several people have been receiving "Can't deliver" when sending me an email. 
How do I resume getting my emails?
Brand User

634 Messages

 • 

50.3K Points

Hello Darryl3174

If the email stopped working once Cloudflare was set up,  make sure the MX records are correct within the DNS page in the Cloudflare account. They are suppose to match the records in this article.

20 Messages

 • 

664 Points

2 years ago

I updated my settings and republished but am still seeing error on top of page. The information shows that there are cookies enabled. How do I fix this?
Brand User

634 Messages

 • 

50.3K Points

Hello tmsound716

Your site is already secure, there is just content on the site that is interfering with the SSL. There is an embeded HTML element on your page that has non secure links in it, this is likely what is causing the issue. I would recommend editing that code to either remove the http or change it to https,  I can't tell you which you should do, it depends on the code. I would contact the company that provided the code.

20 Messages

 • 

664 Points

Do you know which element is causing this issue? I have a few embed codes throughout my site.
Brand User

634 Messages

 • 

50.3K Points

It would be any of them that have http:// within the code. I don't have a way to pinpoint a specific one. It would be a matter of going through the code to check that they have secure links within the elements.

20 Messages

 • 

664 Points

Understandable. I'll check this evening. Thanks!

3 Messages

 • 

192 Points

2 years ago

followed all the directions last week and now the nameservers have reset themselves to default.  
Brand User

634 Messages

 • 

50.3K Points

Hello  Kristina6139

I'm not sure if you have changed them back since you posted this question, but I see Cloudflare nameservers.

8 Messages

 • 

460 Points

2 years ago

We are very remote and as a result sometimes the changes I make via WebsiteBuilder don't always propagate very quickly.  I've followed the instructions to secure our site through CloudFlare up to step 11, but after 48 hours, I still can't load the secured version of our site (https://www.cotwcanada.com).  Can someone check to see if I'm still just slow to propagate the changes or if there's something I need to fix in the DNS settings?  Thanks!


Brand User

634 Messages

 • 

50.3K Points

Ah, turn on the cloud next to the records for your domain name and www please.

8 Messages

 • 

460 Points

Ok.  Didn't realize you could turn those on and off!  Thank you!
Brand User

634 Messages

 • 

50.3K Points

Sure. It might take an hour or so to work after you do that.

8 Messages

 • 

460 Points

All finished!  Thanks for your help!

24 Messages

 • 

880 Points

Johnnie5933  ll as  Elyzabeth  , kindly mention the step by step procedure to secure my site . Kindly send me an email at arcplacements@gmail.com. My websites are www.onirecruitments.com and www.oniconsultants.net . I cannot make changes at the back end of www.onirecruitments.com as I am not a Technical Person and do not know coding. Is any coding necessary?

Waiting 

ANIRUDDHA ROY CHJOUDHURY

14 Messages

 • 

704 Points

2 years ago

it's been 48 hours, it's now downgraded to a red "not secure." is there a number i can call to wlak me through this? i followed above directions.
Brand User

634 Messages

 • 

50.3K Points

Hi Michael8668

I see there are two domains on your account, and the one that is pointing to Cloudflare nameservers is mocofootball.com. I see that it is not fully secure. What causes that is there are elements within your site that are not secure. We usually recommend checking for any outdated elements like a visitor counter or weather app. Otherwise, it is usually HTML on the site that has http:// in the code. You would need to edit that. Unfortunately, I see there are probably over 200 HTML boxes throughout your site. It will be a lot of work, but you would need to fix any HTML boxes with nonsecure code.

5 Messages

 • 

260 Points

2 years ago

First I want to thank you for the information you sent me it helped and renewed my ability to get things done as I had before!!
My next question is: I have used homestead for a few years and a few different computers. I now have a computer with windows 10. Do I need to upgrade homestead?
I am also trying to scan and put a document on my site but it comes out scrambled.
How do I take a scanned document and insert it into my site??
I am now 76 yrs and maybe I just forgot how.
Thank you for your help
Brand User

634 Messages

 • 

50.3K Points

Hi there frankbusby6351
Are you using the older downloadable builder, or the online Sitebuilder Plus? If you are using the downloadable builder, it tends to break with Windows 10, so I would recommend using Sitebuilder Plus Otherwise, no upgrade is necessary.

Once you scan a document, you should be able to add it as an image on your site. Is that not working? What do you mean when you say it is scrambled? Are you able to take a picture or screenshot to show me?

5 Messages

 • 

260 Points

The only way that I figured out how to put a document on my site is to take a picture of it and use it as an image.
I Changed “ADVENTURESOFMYLIFE.com

5 Messages

 • 

260 Points

How do I ACTIVATE my GOFUNDME link so it works? You are soooo helpful and have answered all my previous questions!
Brand User

634 Messages

 • 

50.3K Points

You should be able to get HTML code from GoFundMe that you can place into an HTML element on your site. (Insert > More > HTML. Then just copy and paste)

5 Messages

 • 

260 Points

You are the BEST!! Thank you

12 Messages

 • 

534 Points

2 years ago

This reply was created from a merged topic originally titled How can I make my site Htpps compliant.

My site is showing as "note secure" I have followed a number of threads but I couldn't see a way of fixing this.  Any advice please?
Brand User

634 Messages

 • 

50.3K Points

Hello MaurizioF
If you scroll up, you will find instructions on how to secure your site.

12 Messages

 • 

534 Points

Frankly it's such a convoluted process I thought you'd just provide an onsite certificate which could be activated through the dashboard. I agree with some of the comments above that this is now an expected standard that you should provide to your customers. 
Brand User

634 Messages

 • 

50.3K Points

MaurizioF

Cloudflare is the current option for getting a secure site. It is not a difficult process if you follow the step by step picture instructions that we have provided.

14 Messages

 • 

396 Points

I used Cloudflare and it was very easy.  

1 Message

 • 

130 Points

2 years ago

I deliberately didn't do the cloudflare thing as I knew it would be a nightmare. Finally decided I needed to, and true to form, it hasn't worked.
I followed the steps, I have changed the nameservers to the cloudflare ones given, my cloudflare page shows SSL as flexible,  but nothing has changed on my website.
It stills come up as "not secure" and if I try to type in https, then I get can't be reached error message.

Any chance of some help or advice?
Brand User

634 Messages

 • 

50.3K Points

One common issue I have seen is, in the DNS tab in your Cloudflare account, there are records for www and your domain. To the right, you will see a cloud that should be turned on (it should be orange) If this cloud is grey for the www and domain record, then it will not work. Please turn those on, and it may take up to an hour to update. Let me know if that was the issue. If not, please screenshot your DNS page and post it here so I can see if anything else needs to be corrected.

3 Messages

 • 

210 Points

Thank you, Elyzabeth! The DNS toggles did the trick for me. 

47 Messages

 • 

2.9K Points

2 years ago


Hi Peter. Sorry to hear that you're having problems. The office is closed on weekends, so you might have to wait until Monday for an authoritative reply. Wish I could help, but I don't think I can even attempt the change myself. Best of luck!

3 Messages

 • 

210 Points

2 years ago

I just followed the steps listed above until the "STOP" section advising to wait 24 hours for HTTPS to become active. It has been 48 hours at this point, and browsing to HTTPS gives me a "This site can't be reached" error message. The steps have been clear and easy to follow. Is there something I did wrong? Is this an issue with Homestead?
Brand User

634 Messages

 • 

50.3K Points

Hello Margaret7791

Please post a screenshot of your DNS tab in your Homestead account. I will see if there is anything that needs to be updated.

51 Messages

 • 

1.7K Points

2 years ago

This reply was created from a merged topic originally titled Not Secure.

My site is listed as Not Secured.   Can you provide me with the steps to secure the site.  Thank you 
Brand User

634 Messages

 • 

50.3K Points

If you scroll up, you will see the instructions to secure your site.

47 Messages

 • 

2.9K Points

2 years ago


Hi Elyzabeth!

Since it's highly unlikely that I'll be doing the Cloudfare thing at least for now, I'd like to make an announcement on my website to warn readers about the upcoming message they might see which warns them that my site is no longer secure. They might think they'll get a virus from visiting the site, so I want to allay their fears. Do you have any suggestions what I should tell them?

Thank you very much and best wishes.
Brand User

634 Messages

 • 

50.3K Points

Hello R.9229

I would just probably let them know that since they aren't entering personal data through your site, they don't need to worry.

47 Messages

 • 

2.9K Points

Excellent. Thank you! :o)

6 Messages

 • 

270 Points

2 years ago

How does this affect email hosting that is set up through Microsoft? I know when we switched to Homestead from our previous provider our email quit working and I'm concerned about that happening again.

1.4K Messages

 • 

262.9K Points

stephanie1968, Cloudflare will scan and prepopulate your DNS records and there should be no problem. Also, after you enter your domain and it scans your DNS, you can review the DNS it found and compare it to the DNS you currently use. If there is no difference between the two, there will be no issues when you switch the nameservers. If any changes are needed on the Cloudflare side, you can make those before you change the nameservers. Once the DNS in your Cloudflare account matches your current settings exactly, then you can update the nameservers safely.