I am in the process of moving one of my websites to another hosting service (1and1.com). While doing this I decided to activate the FREE SSL certificate they offer. I was having issues with the website automatically initializing in the secured mode. While troubleshooting, I discovered a website that makes this process much easier. That site is as follows:
NOTE: You may have have to wade through some CAPTCHA screens but it is well worth that inconvenience. Just follow the instructions and enter in your website address (i.e.,
https://yoursite.com) and hit ENTER to start the tests. You will go into a queue for the service but I haven't seen it over 3 or 4 ahead of me so the wait was only a few seconds each time.
Also, when entering your website to start the test, be certain to enter in the url without the "www.". For some reason if you enter the full url, the results can be different. Perhaps it was just my website but there was a difference in the results.
The resulting report gives you details on what is causing the non-padlock condition, including a description of the issue along with a line # of the offending code. They also give you hints on how to set-up your .htaccess file so it forces the SSL session. You'll see something like the following:
RewriteEngine On
RewriteCond %{HTTP_HOST} yourwebsite\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourwebsite.com/$1 [R,L]
This is for Linux based hosting. The process will be different for Windows based hosting.
EDIT: Here is a link from the 1and1.com website that has more detail about mixed content on ssl secured websites: