Ticket #920 (closed maintenance: fixed)
SSL weirdness?
Reported by: | sam | Owned by: | chris |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | Live server | Keywords: | |
Cc: | paul | Estimated Number of Hours: | 0.0 |
Add Hours to Ticket: | 0 | Billable?: | yes |
Total Hours: | 0.35 |
Description
Hi Chris
So Paul put the site into maintenance mode, took a database dump and then tried to re-enable live mode using the drush command.
It seems it came out of maintenance mode OK, but we're now getting this certificate error.
I have changed the Zone file on Gandi in the meantime, but this doesn't seem to be propagating.
Any ideas?
Thanks
Sam
Attachments
Change History
comment:2 Changed 4 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.0 to 0.25
Sorry I wasn't able to look at this last night. There are 3 things that, I would suggest, should be addressed:
- People who didn't visit the site when it had an HSTS header can now log in using an unencrypted connection, thus sending their password in the clear; this is the first time that has been allowed since the Drupal site was set up. There should be a Redirect in place here: http://transitionnetwork.org/user/login (if you follow this link and get the HTTPS page, it is because HSTS is causing your client to only request the encrypted version of the page; try with a new web browser and you can log in using an unencrypted connection).
- The intermediate certs are not sent by the server, see https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org and https://wiki.gandi.net/en/ssl/intermediate
- The HTTPS version of the site is no longer sending an HSTS header; the Header directive needed is documented here: https://docs.webarch.net/wiki/HTAccess#Enforcing_HTTPS
comment:3 Changed 4 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.25 to 0.35
- People are going to be getting even more mixed content warnings than before. When the site was on PuffinServer there was an issue, which was never resolved, with the slide show on the front page, see ticket:680, but now there are additional images embedded in the HTTPS front page via HTTP, e.g. http://www.transitionnetwork.org/sites/default/files/imagecache/featured_image_thumb/sites/www.transitionnetwork.org/files/romaniafood.jpg
- Content loaded from the dev site, on the live front page, is not available via HTTPS, e.g. this image http://dev.transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg can't be accessed at https://dev.transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg
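The checks raised in comments 2 and 3 (no redirect on the plain-HTTP login page, missing HSTS header, images embedded via HTTP) can be run over saved responses. This is an added example, not part of the ticket; the function names and the example.org sample responses are constructed for illustration, and the intermediate-certificate check is not covered because it needs a live TLS handshake.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample responses as (status, headers, body); not captured from the site.
SAMPLE_HTTP_LOGIN = (200, {"Content-Type": "text/html"}, "<form method='post'></form>")
SAMPLE_HTTPS_FRONT = (200, {"Content-Type": "text/html"},
    '<img src="http://www.example.org/files/slide.jpg"><img src="/files/logo.png">'
    '<a href="http://example.org/">a plain link is not a subresource</a>')

class SubresourceParser(HTMLParser):
    """Collect URLs the browser fetches automatically (plain <a> links are ignored)."""
    ATTRS = {"img": "src", "script": "src", "iframe": "src"}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]

def mixed_content(html):
    """Return subresource URLs that an HTTPS page would load over plain HTTP."""
    parser = SubresourceParser()
    parser.feed(html)
    return [u for u in parser.urls if urlsplit(u).scheme.lower() == "http"]

def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent or malformed."""
    match = re.search(r'(?i)(?:^|;)\s*max-age\s*=\s*"?(\d+)', header(headers, "strict-transport-security"))
    return int(match.group(1)) if match else None

def redirects_to_https(status, headers):
    """True if the response is a redirect whose Location is an https:// URL."""
    location = header(headers, "location")
    return status in (301, 302, 303, 307, 308) and urlsplit(location).scheme.lower() == "https"

def audit(http_login, https_page):
    """Check the plain-HTTP login response and the HTTPS front page; return findings."""
    findings = []
    if not redirects_to_https(http_login[0], http_login[1]):
        findings.append("login served over HTTP without redirect to HTTPS")
    if not hsts_max_age(https_page[1]):  # absent, malformed or max-age=0
        findings.append("HTTPS response has no usable HSTS header")
    return findings + ["mixed content: " + u for u in mixed_content(https_page[2])]
```

The plain-HTTP response has to be fetched by a client with no cached HSTS policy for the host, otherwise the client upgrades the request itself and the missing redirect goes unnoticed.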
comment:4 Changed 4 months ago by paul
Thanks for the feedback Chris. I'll go through these now.
- Fixed.
comment:5 Changed 4 months ago by paul
@Sam
1. The website now has the canonical URL https://transitionnetwork.org
2 and 3. Would you like me to explore 2 and 3? This looks to be something that would be better managed by Chris?
4. This looks to be a problem with the slideshow module. The image is requested over HTTPS but is delivered over HTTPS. Let me know if this needs to be investigated further.
https://transitionnetwork.org/admin/content/node-type/slide/fields/field_slide_destination_link
https://transitionnetwork.org/node/46457/edit
5. http://www.transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg is now redirecting to https://transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg.