Ticket #920 (closed maintenance: fixed)

Opened 4 months ago

Last modified 4 months ago

SSL weirdness?

Reported by: sam
Owned by: chris
Priority: major
Milestone: Maintenance
Component: Live server
Keywords:
Cc: paul
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.35


Hi Chris

So Paul put the site into maintenance mode, took a database dump and then tried to re-enable live mode using the drush command.

It seems it came out of maintenance mode OK, but we're now getting this certificate error.

I have changed the Zone file on Gandi in the meantime, but this doesn't seem to be propagating.

Any ideas?




Screen Shot 2016-07-14 at 20.08.05.png (116.4 KB) - added by sam 4 months ago.
mixed-content.png (13.9 KB) - added by chris 4 months ago.

Change History

Changed 4 months ago by sam

comment:1 Changed 4 months ago by sam

  • Status changed from new to closed
  • Resolution set to fixed

comment:2 Changed 4 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.0 to 0.25

Sorry I wasn't able to look at this last night. There are 3 things that, I would suggest, should be addressed:

  1. People who didn't visit the site when it had an HSTS header can now log in using an unencrypted connection, thus sending their password in the clear; this is the first time that has been allowed since the Drupal site was set up. There should be a Redirect in place here: http://transitionnetwork.org/user/login (if you follow this link and get the HTTPS page, it is because HSTS is causing your client to only request the encrypted version of the page; try with a new web browser and you can log in using an unencrypted connection).
  2. The intermediate certs are not sent by the server, see https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org and https://wiki.gandi.net/en/ssl/intermediate
  3. The HTTPS version of the site is no longer sending an HSTS header; the Header directive needed is documented here: https://docs.webarch.net/wiki/HTAccess#Enforcing_HTTPS

Changed 4 months ago by chris

comment:3 Changed 4 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.25 to 0.35

  4. People are going to be getting even more mixed content warnings than before. When the site was on PuffinServer there was an issue, which was never resolved, with the slide show on the front page (see ticket:680), but now there are additional images embedded in the HTTPS front page via HTTP, e.g. http://www.transitionnetwork.org/sites/default/files/imagecache/featured_image_thumb/sites/www.transitionnetwork.org/files/romaniafood.jpg
  5. Content loaded from the dev site, on the live front page, is not available via HTTPS, e.g. this image http://dev.transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg can't be accessed at https://dev.transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg
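
The redirect, HSTS and mixed-content points raised in comments 2 and 3 can be checked mechanically. The following is an added example, not part of the ticket or the site's own code; the function names and sample inputs are constructed for illustration, and header names are assumed to be lower-cased by the caller.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def redirects_to_https(status, headers):
    """Login over plain HTTP: the response must be a redirect to an https:// URL."""
    location = headers.get("location", "")
    return status in (301, 302, 303, 307, 308) and urlsplit(location).scheme == "https"

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent or malformed."""
    for directive in headers.get("strict-transport-security", "").split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdecimal():
            return int(arg)
    return None

class _SubresourceScanner(HTMLParser):
    """Collect subresources fetched over http://; plain <a href> links are not mixed content."""
    SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in self.SRC_TAGS:
            url = a.get("src", "")
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            url = a.get("href", "")
        else:
            return
        if url.lower().startswith("http://"):
            self.insecure.append(url)

def mixed_content(html):
    """Return the http:// subresource URLs found in the HTML of an HTTPS page."""
    scanner = _SubresourceScanner()
    scanner.feed(html)
    return scanner.insecure

# Constructed sample inputs, not captured from the live site.
IMG = "http://www.transitionnetwork.org/sites/default/files/imagecache/featured_image_thumb/sites/www.transitionnetwork.org/files/romaniafood.jpg"
PAGE = f'<a href="http://transitionnetwork.org/user/login">Log in</a><img src="{IMG}"><img src="/logo.png">'

if __name__ == "__main__":
    print("login redirect in place:", redirects_to_https(200, {}))
    print("HSTS max-age:", hsts_max_age({"strict-transport-security": "max-age=31536000"}))
    print("mixed content:", mixed_content(PAGE))
```

A `max-age` of 0 tells the browser to drop its HSTS entry, so a caller should treat only a positive value as a pass.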

comment:4 Changed 4 months ago by paul

Thanks for the feedback Chris. I'll go through these now.

  1. Fixed.

comment:5 Changed 4 months ago by paul


1 The website now has the canonical URL https://transitionnetwork.org

2 and 3. Would you like me to explore 2 and 3? This looks to be something that would be better managed by Chris?

4 This looks to be a problem with the slideshow module. The image is requested over HTTPS but is delivered over HTTPS. Let me know if this needs to be investigated further.


5 http://www.transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg is now redirecting to https://transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg.
