Why Chrome Flags Your HTTPS Site Red and How to Fix It
This article explains Chrome's green‑yellow‑red HTTPS indicators, the pitfalls of SHA‑1 certificates, mixed‑content warnings, AES key size choices, and provides concrete Nginx configuration snippets to upgrade to SHA‑2 and modern cipher suites.
HTTPS protects a website, and Chrome shows a colored “traffic‑light” icon to indicate the certificate’s trust level.
Chrome’s indicators:
Green: the site is secure and trusted.
Yellow: a warning; the connection is still usable but not fully secure (e.g., mixed HTTP content or an outdated SHA‑1 certificate).
Red: the site is considered unsafe and Chrome may block access.
Google has been strict about moving from SHA‑1 to SHA‑2. Chrome shows a yellow triangle for SHA‑1 certificates that expire between 2016‑06‑01 and 2016‑12‑31, and a red warning for SHA‑1 certificates valid after 2017‑01‑01.
When a site loads mixed HTTP resources (JS, CSS, images), Chrome also displays the yellow warning.
Regarding symmetric encryption, AES‑128 is generally preferred over AES‑256 because it offers strong security with better performance and resistance to timing attacks.
Common issues encountered during the migration:
1. SHA‑1 to SHA‑2 upgrade problems
Developers may see “HTTPS service via API returns errors” because Chrome blocks the site as unsafe due to an expired SHA‑1 certificate.
2. Cipher suite optimization
Old cipher suites cause low grades in SSL‑Labs tests. Updating the server configuration immediately improves the grade.
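# Restrict cipher suites to AES-128 with ephemeral (EC)DH key exchange for forward secrecy.
# Note: TLSv1 and TLSv1.1 were formally deprecated by RFC 8996.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES128+EECDH:AES128+EDH';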
Or a more extensive list:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
3. Certificate chain mismatches
Different environments may present different certificate chains, leading to one side seeing a green icon while another sees a red cross. The issue often stems from cross‑root certificates that become obsolete when the CA obtains its own root.
Solutions include waiting for the cross‑root to expire automatically or manually removing the cross‑root from the local trust store.
By updating certificates to SHA‑2, fixing mixed content, choosing appropriate cipher suites, and ensuring consistent certificate chains, HTTPS sites can achieve a green status in Chrome.
360 Zhihui Cloud Developer
