How to Fix Your SSL Certificate on Shopify

You can do this

Shopify issues, installs and renews your SSL certificate for free, automatically. So if this check is failing, the cause is almost never the certificate itself. Here is what it usually is.

You do not buy, install or renew anything. Which means most SSL problems on Shopify are really domain problems or mixed content problems.

The short answer

Shopify handles SSL for you. The certificate is free, it is provisioned automatically when you connect a domain, and it renews itself. There is no button to press and nothing to pay.

So when an SSL check fails on a Shopify store, it is usually one of three things: the certificate has not finished provisioning yet, the domain is not connected properly, or the padlock is being broken by mixed content.

First: have you waited long enough?

When you connect a domain, certificate provisioning can take up to 48 hours. During that window the store is genuinely not secured and any checker will say so, correctly.

If you connected your domain in the last day or two, this is very likely all that is happening. Wait it out before you change anything. Fiddling with DNS mid-provisioning is a good way to restart the clock.

You cannot bring your own certificate

Worth stating plainly, because people try. Shopify's position is direct: you can't use third-party SSL certificates.

So if you bought a certificate elsewhere, or your old host issued you one, there is nowhere to install it. That is not a limitation you can work around, and honestly it is not one worth wanting. The free certificate Shopify provisions does exactly the same job in a browser, and it renews without you remembering to.

Mixed content: the real culprit

This is the one that catches most stores. Your certificate is fine, HTTPS works, but the padlock is missing or the browser complains anyway.

The cause is mixed content: a secure page loading something over plain http://. An image, a script, a font, a tracking pixel. The page is encrypted, the thing it pulled in is not, and the browser treats the whole page as compromised. Scripts loaded over http are usually blocked outright, which is why a broken padlock is sometimes accompanied by a broken feature.

Where it hides on a Shopify store:

  • Hardcoded http:// image URLs pasted into product descriptions or page content.
  • Third-party scripts added to your theme with an http:// source.
  • Old theme settings still holding http:// asset URLs.
  • External resources on someone else's site that simply does not offer HTTPS. If so, host the asset yourself or drop it.

How to find it

Open your store, open the browser console, and reload. Mixed content warnings name the exact URL causing the problem. Fix them by changing http:// to https:// wherever the URL is stored.

Avoid protocol-relative URLs like //example.com/thing.js. They were a reasonable trick years ago and are no longer recommended. Write the full https:// URL.

Get the order right

If you are setting a store up from scratch, sequence matters. Doing this out of order is how sites become unreachable.

  1. 1.Certificate first. Connect the domain and let Shopify provision. Up to 48 hours. Do not proceed until HTTPS actually serves.
  2. 2.Then force HTTPS so every visitor lands on the secure version rather than merely being able to.
  3. 3.Then, and only then, HSTS. Never before HTTPS works across the whole site.

About HSTS and preload

Good news: at the time of writing, Shopify already sends an HSTS header on storefronts, so this is largely handled for you. There is nothing to add, and there is no way to add it anyway, as covered on our Shopify security headers page.

On preloading, our advice is to leave it alone. The HSTS preload list requires a max-age of at least a year plus includeSubDomains and preload, a valid certificate, an HTTP to HTTPS redirect on the same host, and every single subdomain on HTTPS. The catch is the exit: inclusion cannot easily be undone, and removal takes months to reach users via a Chrome update. That is a long time to live with a mistake on a store that takes payments.

If you set CAA records

Most stores never touch CAA records. If you do, they matter here, because a CAA record tells certificate authorities who is allowed to issue for your domain. Get it wrong and you block your own renewals.

Shopify issues certificates through letsencrypt.org, pki.goog and ssl.com. If you publish CAA records, all three need to be allowed, or a renewal can fail at the worst possible moment.

A note on putting Cloudflare in front

Some guides suggest proxying a Shopify store through your own Cloudflare account. Shopify says otherwise, in its own words: Cloudflare proxy setups, including O2O, are not supported by Shopify, might appear to work, could break at any time, and any resulting issues are outside the scope of Shopify Support. One of the reasons they cite is interference with the ACME challenge, which is exactly the mechanism that renews your certificate.

So a setup like this can silently break the very thing this page is about. We would not do it on a store that takes money.

Confirm it

Once the padlock is back, run a free check to confirm the certificate is valid and serving, and to see whether anything else on the page is still loading insecurely.

Check your work in seconds

Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.

Run a free check

Frequently asked questions

Do I need to buy an SSL certificate for Shopify?

No. Shopify provisions a certificate for free, automatically, and renews it automatically. There is nothing to buy and nothing to install.

Can I install my own SSL certificate on Shopify?

No. Shopify states plainly that you cannot use third-party SSL certificates. There is no place to upload one. The free certificate Shopify issues does the same job in a browser and renews itself.

My Shopify SSL is pending. How long does it take?

Provisioning can take up to 48 hours after you connect a domain. If you connected recently, wait it out. Changing DNS while provisioning is in progress can restart the process.

Why is my padlock missing when SSL is working?

Almost always mixed content: a secure page loading an image, script or font over plain http. The certificate is fine, but the browser treats the page as insecure. Find the offending URLs in the browser console and change them to https.

Do I need to set up HSTS on Shopify?

No. At the time of writing Shopify already sends an HSTS header on storefronts, and there is no way for a merchant to set headers anyway. We would also avoid the HSTS preload list, since inclusion cannot easily be undone and removal takes months to reach users.

SSL certificate on other platforms

Other fixes for Shopify

See the full fix-it matrix →

Prove your site is safe.

Once it is fixed, show it. Get a badge your shoppers can verify, backed by continuous checks. Free to start.

Get started free Run a free check