Mautic Community Forums

Mixed Content Warnings

I see through searching this forum that mixed content warning are a massive issue with Mautic. I’m a new Mautic user and this is my configuration. All are running latest versions.

Mautic:

  • sub-domain of my promary blog domain
  • installed on a separate VM Linux server on the same Hyper-V host on my local network
  • Properly setup over HTTPS with Let’s Encrypt SSL certs

Blog:

  • Wordpress
  • Properly setup over HTTPS with Let’s Encrypt SSL certs

I have setup the following in Mautic:

  • 2 segments for double-opt in
  • 1 landing page to confirm email subscription
  • 1 email that is sent to registrants
  • I am sharing resources between domain and sub-domain so I have setup the proper CORS headers on Nginx to allow for resource sharing (specifically for langing page that uses same format as my blog so there’s 1 look and feel)

When someone submits their email address for subscription, Mautic sends them an email. The user can then click on the link in the email and is taken to the landing page to confirm successful subscription.

The landing page is showing mized content warnings. This is the warning…

Mixed Content: The page at 'https://email.mydomain.com/blog-subscribe-confirm-landing-page' was loaded over HTTPS, but requested an insecure script 'http://email.mydomain.com/mtc.js'. This request has been blocked; the content must be served over HTTPS. <code></code>

Fummy thing is, when I look at my landing page Page URL and Public Page URL, they both only show HTTP even though the configuration states HTTPS.

Any thoughts on why this content continues to be served over HTTP? Is Mautic not ready for HTTPS?

The site url is setup with the proper HTTPS URL:

https://email.sylvainlanthier.com

@MxyzptlkFishStix

The landing page is hardcoded HTML. Here is the actual landing page URL that is shown inthe “Page URL” on Mautic setup for the landing page.

http://email.sylvainlanthier.com/blog-subscribe-confirm-landing-page

This is obviously the HTTPS version:

https://email.sylvainlanthier.com/blog-subscribe-confirm-landing-page

If you go to this landing page in your browser, you’ll see it complain about mixed content. Specifically referring to a js file.

@MxyzptlkFishStix

I should have mentioned this earlier. I tried clearing the cache and all it does is cause the server to become unresponsive then a browser error. Nothing I can do brings it back. All folder permissions still belong to Apache but nothing. So clearing my cache only serves to kill the server and I have to restore from backup.

@MxyzptlkFishStix

Unfortunately, I’ve already tried this method of clearing cache and all it does is causes Mautic to stop responding and the browser to produce a “ERR_TOO_MANY_REDIRECTS” error. I’ve already tried opening Mautic via both the domain name as well as the direct IP (since it’s located on my LAN) and neither option works. I’ve tried opening Mautic in incornito mode, deleting all history…etc. Nothing works. As soon as the cache is deleted, no matter which approach I take, it causes Mautic to fail to open the web management portal. I can see that files are being populated in the Prod folder of cache with today’s date and apache as the owner but still can’t access the portal. Tried rebooting the server after clearing cache…you guessed it…no access.

Lol, curiosity is good :wink:

Thanks for all your help so far.

You’re correct, I am now using Cloudflare for DNS. This change was just made this afternoon to try to fix this issue. It’s already using Full SSL (Strict) via Cloudflare since I’m already running Let’s Encrypt SSL on the local server.

After switching to Full SSL (Strict) has fixed the issue. If you go to the URL that I listed as problematic from my initial post, you’ll notice the mixed content warning is now gone.

I had preferred using my own certificate because anyone checking the certificate validity would see that it was issues to my domain but because of this issue, I may have to live with the CLoudflare SSL cert.

I won’t change the local server to standard HTTP since I still access it from outside the network via the internet and I want to avoid the possibility of man-in-the-middle tampering between my server and Cloudflare.