HTTPS is now enabled for the forum

glyn.hudson · 1 May 2016 18:28

After 8hrs of casual slightly stressful Sunday afternoon server config HTTPS is now enabled for the new forum

Please report any HTTP issues to this thread…

The pain points came from having the move HTTPS from Apache to Nginx and then reverse proxy via socket to docker instance for the Discourse forum and to Apache for PHP requests on our old sites. I wrote more about this here:

I have had to re-create all the SSL certificate for all our sites. I have gone for using a free cloud flare SSL certificate to secure the connection between our server and cloudflare. Cloudflare then presents it’s own certificate to users:
https://blog.cloudflare.com/universal-ssl-encryption-all-the-way-to-the-origin-for-free/

borpin · 1 May 2016 19:12

I’m getting a warning in Firefox that some parts of the site are not secure such as images and if I mouse over the padlock I get a warning that ‘This website does not supply identity information.’.

Paul · 1 May 2016 19:15

I’m thinking something’s not right too as I don’t see the green padlock - usually caused by mixed content. I’ll do a little digging!

Jon · 1 May 2016 19:17

no padlock for me even though I do see the https://

Paul · 1 May 2016 19:17

…in fact it’s the Oem favicon which is being served http and not https, and which is causing the problem (mixed content).
@glyn.hudson the Oem favicon needs moving to the https://community.openenergymonitor.org sub-domain, instead of linking to it from http://guide.openenergymonitor.org/images/favicon-144.png

Paul

borpin · 1 May 2016 19:27

I note that I get a similar issue when I view a topic/thread on the old forum as well.

Paul · 1 May 2016 19:56

I’m also seeing a browser error that;
https://community.openenergymonitor.org/discourse/components/home-logo
module is missing or not accessible.
(Don’t know if it’s connected, but number of changes were made to the home-logo.js.es6 in discourse’s github repo just 2 days ago)

Paul

glyn.hudson · 1 May 2016 20:44

…in fact it’s the Oem favicon which is being served http and not https, and which is causing the problem (mixed content).
@glyn.hudson the Oem favicon needs moving to the https://community.openenergymonitor.org sub-domain, instead of linking to it from http://guide.openenergymonitor.org/images/favicon-144.png

Thanks for debugging, should be fixed now. You may need to clear your cache.

glyn.hudson · 1 May 2016 20:45

What browser are you using? I don’t see any errors in Chrome. Could you post a screen grab?

Paul · 1 May 2016 20:54

I’m using Chrome also - in developers mode (F12)

Paul · 1 May 2016 20:59

…and in Firefox

glyn.hudson · 1 May 2016 21:15

Thanks for the info. The header logo error should now be fixed. Thanks to the info on this thread it was due to a recent upgrade to Discourse header which required a change in the way we do the redirect to /latest on the top logo is clicked

Paul · 1 May 2016 21:19

All looks good now!

Paul

glyn.hudson · 1 May 2016 21:56

Also just managed to fix the mixed content issue on OpenEnergyMonitor.org by adding <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> to the Drupal header. This automatically tells the browser to upgrade http content e.g .images requests to https before serving. Thanks Google developers

glyn.hudson · 1 May 2016 22:51

mixed content on the old forum show now also be fixed, see my post above. Please confirm. You may need to clear browser cache.

Bill.Thomson · 3 May 2016 15:01

Glyn,

Opera v36.0.2130.65 gives me this error:

and

Chrome v49.0.2623.112 m gives this one:

glyn.hudson · 3 May 2016 17:05

Interesting…

Universal SSL should work fine with Opera 8 and above, from the Cloud Flare page on Universal SSL

Universal SSL uses Server Name Indication (SNI) certificates using Elliptic Curve Digital Signature Algorithm (ECDSA). SNI and ECDSA certificates work with the following modern browsers:

Desktop Browsers installed on Windows Vista or OS X 10.6 or later:

Internet Explorer 7
Firefox 2
Opera 8 (with TLS 1.1 enabled)
Google Chrome v5.0.342.0
Safari 2.1

Update: just installed Opera and the forum works fine for me on Opera 36.

Do you have any issues with any other SSL sites?

Could you post the output of some SSL testers:

https://www.howsmyssl.com/
https://www.ssllabs.com/ssltest/viewMyClient.html

Paul · 3 May 2016 18:23

@Bill.Thomson - can you access my ‘poor excuse for a site’ - https://www.digitalnut.co.uk/
I’m also using Cloudflare, similar as Oem (not full -strict though).

Paul

Bill.Thomson · 4 May 2016 01:48

Thanks for the cross-check, Paul
I get the same results with your site as I do with the new OEM site, i.e no joy with Opera or Chrome.
Firefox works OK.

This check was performed with my home desktop machine. The earlier test was with a laptop at my office.
I’m going to try with another laptop/OS combo.

Update…

Looks like the issue is Win XP. Opera and Chrome work OK with Win 7, Win 10 and Linux.
I know, I know, should have ditched XP, but I don’t like the W7 UI, and like the W10 UI even less.
At least the solution is easy (for me, anyway) - switch to Slackware, Debian, etc. etc.

Paul, thanks again for the help!

bidouilleur · 5 May 2016 19:06

with all changes from last hours the ssl link doesn’t seem to be clean anymore