Skip to content

Fix · SSL & Security

How to Fix SSL & 'Not Secure' Warnings on Your Shopify Store

Shopify provisions a free TLS certificate automatically the moment a domain is connected — most stores never need to do anything to keep HTTPS working. But three specific edge cases can break it: mixed content from non-HTTPS assets, DNSSEC on third-party domains, and custom theme code with hardcoded http:// URLs. This guide diagnoses and fixes each of them.

20 minutesImpact · highDetection · dom

Last updated: May 12, 2026

Why this matters

Modern browsers warn aggressively on insecure connections. A 'Not Secure' badge in the address bar at the moment of purchase decision is one of the few signals that can stop a buyer mid-flow regardless of how much they otherwise trust the store. Even if the underlying issue is minor (one mixed-content image, an expired certificate), the visible warning is interpreted as 'this site might steal my card details.'

The hidden risk: many Shopify stores have SSL warnings they don't know about because the merchant always logs into their own admin (admin pages have different SSL handling) and rarely browses their own storefront from a fresh, incognito state. Mixed-content warnings tend to be introduced by custom theme code or third-party scripts and silently persist for months. The fix in most cases is a one-line change at the source of the bad asset.

How to check if you have this issue

Open your store in a private/incognito browser tab. Type https://yourdomain.com — note the explicit https:// prefix. Look at the address bar: do you see a padlock icon and 'Secure' text (or just a padlock with no warnings)? Or do you see 'Not Secure', an exclamation triangle, or a slashed padlock? If anything other than the green/clean padlock, you have this issue.

Also test the apex and www variants explicitly. Try https://yourdomain.com, https://www.yourdomain.com, and http://yourdomain.com. All three should land on the HTTPS primary URL with a clean padlock — if any variant breaks, that's a fixable redirect or certificate issue.

Or skip the manual check — run a free 30-second scan and we'll tell you.

Step-by-step fix

  1. 1

    Confirm SSL was actually provisioned

    1 min

    From your Shopify admin, go to Settings → Domains. Find your primary domain in the list. If you see a green checkmark next to 'TLS certificate' or 'SSL', the certificate is active. If you see 'TLS unavailable' or a warning icon, the certificate hasn't issued yet — wait up to 48 hours after first connecting the domain, then check again. If it's still failing past 48 hours, two specific causes follow.

  2. 2

    Verify your DNS records are correct

    5 min

    If SSL is unavailable after 48 hours, the most common cause is incorrect DNS at your registrar. Shopify needs an A record pointing to 23.227.38.65 and a CNAME pointing to shops.myshopify.com. Log into your domain registrar (Namecheap, GoDaddy, Cloudflare, etc.) and open the DNS settings. Verify both records exist with those exact values. If they're missing or pointing somewhere else, update them and wait 2-48 hours for DNS to propagate before SSL retries.

  3. 3

    Disable DNSSEC if your registrar enabled it

    3 min

    DNSSEC (Domain Name System Security Extensions) is a less common but legitimate cause of stuck SSL provisioning on Shopify. If you have a third-party domain and DNSSEC is enabled at the registrar, Shopify cannot complete certificate validation. Log into your domain registrar, find the DNSSEC setting (usually under Advanced DNS or Security), and disable it. Wait 24-48 hours for DNS to propagate, then check Settings → Domains in Shopify again.

  4. 4

    Find and fix mixed-content errors

    5 min

    If SSL is provisioned but you still see 'Not Secure', the cause is almost always mixed content — your page loads over HTTPS but includes assets (images, fonts, scripts, videos) loaded over plain HTTP. Open your store in Chrome → right-click → Inspect → Console tab → reload the page. Mixed-content warnings appear with 'Mixed Content' or 'was loaded over HTTPS but requested an insecure resource' in the message. Note each insecure URL.

  5. 5

    Update or remove the insecure assets

    5 min

    For each mixed-content asset identified in the console: if it's from a third party (custom font, embedded video, analytics script), find the HTTPS version of the URL and use that instead. Most modern services support HTTPS — just swap http:// for https://. If it's from your own theme code, edit the theme: from Shopify admin go to Online Store → Themes → ⋯ menu → Edit code → search for 'http://' across all files and replace with 'https://' (or protocol-relative '//'). If an asset doesn't have an HTTPS version, remove it — the trust cost of mixed content exceeds the value of that one image or script.

  6. 6

    If issues persist, contact Shopify support

    1 min

    Shopify support can re-issue TLS certificates for free, force a retry of provisioning, or diagnose edge cases like CAA records blocking certificate authorities. If you've verified the DNS, disabled DNSSEC, and resolved all mixed content but the warning persists past 48 hours, open a support ticket from your admin (the Help icon, usually bottom-left).

Common mistakes to avoid

  • Trying to install a third-party SSL certificate. Shopify does not allow third-party SSL certificates — only the auto-provisioned Shopify TLS works. Don't waste time buying one from Let's Encrypt or a CA; the platform won't accept it.
  • Editing theme code while logged in as admin and not testing in a private window. Admin pages have different SSL handling; mixed-content issues often only show up to logged-out visitors.
  • Ignoring console warnings about insecure assets because the page 'looks fine.' Browsers will eventually escalate from a yellow warning to a hard block — fix mixed content before that happens.
  • Hardcoding http:// URLs in custom Liquid templates instead of using Shopify's URL filters or protocol-relative URLs. The fix is one find-and-replace, but the bug recurs every time someone re-edits the template carelessly.
  • Assuming the SSL is broken when DNS propagation is just incomplete. Wait the full 48 hours after any DNS change before troubleshooting further.

What success looks like

  • Opening https://yourdomain.com in a private browsing tab shows a padlock icon with no warnings or errors.
  • Both apex (yourdomain.com) and www (www.yourdomain.com) variants resolve to HTTPS without certificate errors.
  • Visiting http://yourdomain.com (insecure) automatically redirects to https:// with no warning shown.
  • Chrome DevTools Console shows zero 'Mixed Content' warnings when loading any page on your store.
  • Settings → Domains in Shopify admin shows a green TLS certificate status for your primary domain.

Want the full reasoning behind why we score this signal? Read the methodology for SSL & Security

Related fixes

Custom Domain

SSL issues most often appear right after connecting a new custom domain. The two signals are tightly coupled — fix the domain connection cleanly and SSL usually follows.

Trust Badges & Security Indicators

A 'Secure Checkout' trust badge is meaningless if the page is showing a 'Not Secure' browser warning. Fix the real SSL state before adding trust-badge decoration.

You know how to fix SSL & Security.
But does your store actually have the issue?

You just read the playbook. 30 seconds to find out which of the 14 trust signals your store actually fails — including SSL & Security.

Find Out Free — 30 Seconds
No signup required All 14 signals scored Done in 30 seconds