Having Forum SSL Troubles? Read This First.

Started by Shadowwolf, November 19, 2011, 11:03:59 PM


Shadowwolf

If you are having issues with the new SSL in place on the forum, you can try installing the Certificate attached to this post below. It is the Certificate Authority for where our SSL is issued from, which might resolve any older browser or operating system issues you might have with errors about "invalid" or "unknown" certificate.

[attachurl=1]

Windows Users: Once saved, you can right-click and select "Install Certificate" on Windows machines.

Mac users: Open the saved file, when Keychain Access launches, make sure the keychain says "System" and hit the "OK" button.

IF YOU ARE NOT GETTING SSL ERRORS YOU DO NOT NEED TO DO THE ABOVE STEPS!

In addition, if you receive an error that looks something like this:

[attach=2]

DO NOT PANIC! Your communication to our server is still secure. This error comes from people with custom signatures that load images from other sites, custom avatars not hosted on our server, or content of a post from other sites like YouTube. Unfortunately we cannot encrypt data that we don't control, so this error will appear now and then because of those reasons. This doesn't make your communication to the server any less secure; it's just that anything loaded from those other sites like YouTube is not secured, and someone monitoring your traffic could see those things but nothing else.
Come to the darkside, we have cookies.
"A flute with no holes is not a flute, and a donut with no hole is a danish" - Chevy Chase as Ty Webb in Caddyshack
"Be who you are and say what you feel, because those who mind don't matter, and those who matter don't mind." - Dr. Seuss


Grendeel

#1
Have had no issues browsing till now. I got an error message. I'm using an updated version of Mozilla Firefox.

I was viewing the thread about shadowmourne runs and could get the page fine and view it. However I got the error message

:443 uses an invalid security certificate

It's only valid for twguild.org or .twguild.org

Viewing it gave me the SSL source...the 2 valid domains above......a bunch of 2 combo alphanumeric numbers (I assume they were the authentication keys).

This doesn't affect my browsing of the site, but was an error notification. It doesn't always occur either. Sometimes I can repeat it..sometimes not

Seems like there is an issue between the old twilightonalex and the new twguild.....though I've flushed my cache several times since that change


---edit

Thinking about this more it might just be my bookmark. It still uses twilightonalex.com, though it was a thread I clicked on inside the forums that initiated the error message



Cottonbaler

#2
OK - I have both IE 9 and Firefox 8 on this PC. In both when I select the link " -()- Show me all of my unread forum topics -()- " I get certificate errors.

When I select the file you have listed from Firefox it is saved as "index.php" whether I Right-click save-as or if I just click on it and save it.

From IE I can save the file. I downloaded it, followed the instructions and when the Certificate Import Wizard asked where it wanted me to store it, I left it set for the default which is "automatically select the certificate store based on the type of certificate".

Rebooted the machine and still get the same errors when I try the link " -()- Show me all of my unread forum topics -()- "

So I went to my Mac. Firefox - that version was able to download RapidSSL-CA.crt and I installed it following the instructions. However same errors when I tried the link to unread forum topics. From Safari the error message was that the certificate is not valid.

[attach=1]

So I selected always trust. Now when I select the link to unread forum topics it sends me to the login page. Even though I have forever selected, each time I select the link to unread topics it sends me to the login page.

I hope this helps.

********************************************************

Update. I now get the following error on the PC. Seems to be something between Twilightonalex.com vs. twguild.org.

[attach=2]
Always remember to pillage BEFORE you burn!

Friends help you move...
...REAL friends help you move bodies.

I Believe In Making Sacrifices. Can I Start With You?

Lord Entropy

Same thing as Gren for me.  Running latest version of Firefox.

Shadowwolf

#4
The SSL certificate only works for the twguild.org domain name, so if you try to access the site using twilightonalex.com it'll have a hissy fit. I'll try to remedy that. I used to rewrite the domain for everyone and since it's been almost a year since I swapped us over to twguild.org, I thought it wouldn't impact anything removing that rewrite, so I'll try and work it back in. That should make those errors go away. Judging by the screenshot supplied by Cotton, you're all getting an error similar to this:

[attach=1]


Shadowwolf

I added the change back in, so now if you try and access the site via the twilightonalex.com domain it will automatically rewrite your address to the twguild.org address.

Sadly, the way SSL certificates work, you can either get one per domain name or a wildcard that covers <somethinghere>.twguild.org, but one certificate can't cover multiple domains with different names. Since I'm trying to move us off the twilightonalex.com domain since it's long and kind of pigeonholes us to just being a WoW guild on Alexstrasza, I really didn't want to put up another 150 bucks for another cert for a domain seldom used anymore, hehe. I want you guys to be safe and secure, but I'm not made of money these days, haha.

Anyhow, I think I fixed the issue you guys may have been having with my change on the server, if you have any other problems, keep letting me know.

For more details on what I did for a solution please have a peek at the comments here:

http://bugs.twguild.org/forum/issues/11

Again, let me know if this does not solve the problem so I can go back and look at trying something else.


Cottonbaler

So what I really needed to do is not be lazy and upgrade my bookmarks to twguild.org and not cause you any extra work.

Sorry for the confusion.

Shadowwolf

Meh, not really more work. The code was there before, just had to re-add it. If you followed an older link/bookmark here then there is no telling if some unknown person might follow one from Google or something out on the net somewhere and experience the same thing so it needed to be fixed =)

Should I take that as though it's working then?


Grendeel

The error message hasn't appeared for me since your change so I'm guessing it's fixed. I'm not sure why a bookmark would cause the error message though.

I click on the bookmark and it takes me to the homepage without any errors being shown to me. Once on the homepage I was clicking on links to new posts and that's when the error message appeared. The little address bar in the bottom left of Firefox shows the new version "twguild" address. /shrug

Lord Entropy


Shadowwolf

It's basically how SSL works.

In basic terms, what happens is that the server is configured to respond to any requests for anyone looking for "forum.twilightonalex.com" or "forum.twguild.org" and it knows that both of those while different names resolve to the same website. So when you request the twilightonalex.com address, the server doesn't think there is anything wrong because there isn't, so it says "Oh, here you go this is the site".

The problem creeps in where the configuration is all one big series of code, so in that I told the server, "anytime someone visits this site, use this SSL certificate". So what happens, since it's being told both addresses go to the same spot and anything going to that spot uses that one SSL Certificate, it tries to give you the SSL for twguild.org and then your web browser has a conniption. Basically the browser is telling you "hey wait a minute, this SSL is for "twguild.org" and you asked for twilightonalex.com, someone might be playing a trick on you!" even though it's just because the webserver isn't smart enough to know that it can't give out that certificate for twilightonalex.com.

What I did before and re-added was I told the server "any time someone asks for this website, if the request they send isn't to "twguild.org" rewrite the request for them". When I first installed the SSL I took that out thinking it probably wasn't needed anymore and might cause issues of conflict with SSL and so the server basically stopped helping everyone out in automatically pointing them to the new domain name. So all I did was re-add that bit of instruction and the server is doing it again, so if you type "forum.twilightonalex.com", you'll notice the address automatically changes to "forum.twguild.org". When you guys had that issue it wasn't doing that for you and hence the error on the browsers.


Grendeel

OH I see, I think. The certificate is issued when I first visit the homepage and when I try to click on other links, it's saying it's invalid cause the certificate was being issued for the twilightonalex bookmark. I assumed one was issued for every link we clicked on. Makes sense to only do one.

thanks for the explanation


Shadowwolf

Yea, certificates are per domain only, you can do what's called a Wildcard which is what we have that covers anything under .twguild.org, so

bugs.twguild.org
forum.twguild.org
www.twguild.org

all use the same certificate, but if the domain doesn't match, it flags on the browser. Now for twpacks.net, I had to get a different certificate because it's not twguild.org. That too is a wildcard cause all the blogs are sub-domains also.

SSL is basically an assurance that you are communicating with the server you are trying to and only that server. So if anyone tries to jump in between and intercept your traffic before it reaches the server, it will also flag. Plus, it's encrypted, so if you use an open Wireless somewhere like in public, no one can sniff your password and stuff. Basically everything that goes across in HTTP traffic is sent plain text.

A lot of stuff over the web is sent plain text so any open wifi connection, someone sharing it can see a lot of stuff. POP3, IMAP, SMTP, even Instant Messages, all those go through plain text by default unless they use an SSL certificate to encrypt the data.

Not trying to scare anyone with this info, just making you guys aware that while open wifis at McDonalds, Starbucks, etc. are cool, anytime you check your mail and it's not over an SSL connection (https://), someone can see what your credentials are.

[attach=1]
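
The name check and the rewrite discussed in the last two explanations can be traced with a small model. This is an added example, not the forum's server configuration: the certificate names are written in wildcard form as an assumption, the redirect rule is a constructed stand-in for the rewrite, and the one-label wildcard rule goes slightly beyond what the thread states.

```python
from urllib.parse import urlsplit

CERT_NAMES = ["twguild.org", "*.twguild.org"]  # assumed names, per the thread
OLD, NEW = "twilightonalex.com", "twguild.org"


def name_matches(pattern, host):
    """True if one certificate name covers host. A wildcard must be the
    whole left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered_by(host, cert_names=CERT_NAMES):
    """Return the certificate name that covers host, or None."""
    return next((n for n in cert_names if name_matches(n, host)), None)


def browse(url, cert_names=CERT_NAMES):
    """Trace a request against a constructed model of the setup in the
    thread: one site, one certificate, old-domain requests rewritten."""
    steps = []
    for _ in range(5):  # bound the redirect chain
        parts = urlsplit(url)
        host = parts.hostname
        # The certificate is checked during the TLS handshake, before the
        # server can send any redirect.
        if parts.scheme == "https" and covered_by(host, cert_names) is None:
            steps.append(f"WARN {host}: certificate is for {', '.join(cert_names)}")
            return steps
        if host == OLD or host.endswith("." + OLD):
            url = f"https://{host[:-len(OLD)]}{NEW}{parts.path}"
            steps.append(f"REDIRECT {url}")
            continue
        steps.append(f"OK {url}")
        return steps
    return steps


if __name__ == "__main__":
    for u in ("http://forum.twilightonalex.com/index.php",
              "https://forum.twilightonalex.com/index.php"):
        print(u, "->", browse(u))
```

In this model an old bookmark that uses http:// is redirected cleanly, while an https:// link to the old name is checked against the certificate before any redirect can be sent.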