TLS certificates or server misconfig?


Post by sweh »

These days browsers are starting to default to https; so if a user types "x.y.example.com" then the browser will try to go to "https://x.y.example.com".

Why does this matter to us? Because this server hosts various sites, and their TLS cert doesn't match or there isn't a vhost config for them.

e.g. bbcmicro.co.uk; if a user just types that into the address bar (at least with Chrome) then it gives the cert mismatch error page:
[Attached image: cerr-err-1.png]
If I click through then I get the stardot home page and not bbcmicro.co.uk

Obviously the site works with http:// but that's not what Chrome defaults to any more.

And although it may not matter today, some newer browser functionality is only available with https: https://www.digicert.com/blog/https-onl ... n-browsers

It's probably worth getting https fully working with virtual hosts. Apache can handle this easily enough; you can specify the cert values in the vhost config.
e.g.

<VirtualHost *:443>
  ServerName foo.bar
  SSLCertificateFile ...path_to_cert_for_foo.bar
  SSLCertificateKeyFile ...path_to_keyfile_for_foo.bar
  SSLCertificateChainFile ...path_to_intermediate_chain_for_CA
  ...
</VirtualHost>

Now that LetsEncrypt supports it, you can even configure Apache to handle ECDSA and RSA certs at the same time. I've documented how I did it here.
Rgds
Stephen
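
Why clicking through the warning lands on the wrong site, as an added example that is not part of sweh's post: a simplified Python model of Apache's name-based vhost selection on port 443 (exact ServerName/ServerAlias matches only, first vhost as the fallback). The hostnames, file paths and certificate name lists are constructed sample data.

```python
import re

# Constructed sample config: "games.example.org" has no :443 vhost at all.
SAMPLE_CONF = """
<VirtualHost *:443>
  ServerName forum.example.org
  SSLCertificateFile /etc/ssl/forum.pem
</VirtualHost>
<VirtualHost *:443>
  ServerName archive.example.org
  ServerAlias www.archive.example.org
  SSLCertificateFile /etc/ssl/archive.pem
</VirtualHost>
"""
# Constructed: DNS names (SANs) carried by each certificate file.
CERT_NAMES = {"/etc/ssl/forum.pem": ["forum.example.org"],
              "/etc/ssl/archive.pem": ["archive.example.org", "*.archive.example.org"]}

def parse_vhosts(conf):
    """Return [(names, cert_path)] for each <VirtualHost *:443> block, in file order."""
    vhosts = []
    for body in re.findall(r"<VirtualHost \*:443>(.*?)</VirtualHost>", conf, re.S):
        lines = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M)
        names = [n.lower() for line in lines for n in line.split()]
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        vhosts.append((names, cert.group(1) if cert else None))
    return vhosts

def cert_covers(host, san):
    """A wildcard counts only as the whole leftmost label and matches one label."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def audit(host, vhosts, cert_names):
    """No vhost names the host -> the first vhost answers, with its own cert."""
    match = next((v for v in vhosts if host.lower() in v[0]), None)
    names, cert = match or vhosts[0]
    return {"served_by": names[0] if names else None,
            "fell_back_to_default": match is None,
            "cert_matches": any(cert_covers(host, s) for s in cert_names.get(cert, []))}

if __name__ == "__main__":
    vhosts = parse_vhosts(SAMPLE_CONF)
    for h in ("forum.example.org", "www.archive.example.org", "games.example.org"):
        print(h, audit(h, vhosts, CERT_NAMES))
```

Any hostname reported with `fell_back_to_default` true and `cert_matches` false will show both symptoms from the post: a certificate mismatch warning, then the first vhost's content.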

Re: TLS certificates or server misconfig?

Post by lurkio »

I’ve noticed this problem, particularly with bbcmicro.co.uk which is somewhat hard to get to if you remember the domain name but don’t have a clickable link to hand because, as you say, your browser will probably default to https:// and fail to find the Complete BBC Micro Games Archive website.

I confess I don’t really understand the technicalities or how hard it would be to fix but I have to say I think it would be a huge benefit if it could possibly be done.

:idea:

Re: TLS certificates or server misconfig?

Post by leenew »

I have had this too!
I assumed it was my ancient computer playing up.
Who can fix it?

Lee

Re: TLS certificates or server misconfig?

Post by flaxcottage »

Interesting. I use Opera and haven't noticed this as a problem.
- John

Check out the Educational Software Archive at www.flaxcottage.com

Re: TLS certificates or server misconfig?

Post by 1024MAK »

I don’t have anything that runs Chrome. I will have to try using Firefox.

Although on Firefox, if I’m using a trusted site and not dealing with personal/private/financial information, I just click through ignoring all the warnings if it’s about it being mixed http/https or it’s a non https site.

Don’t do this for sites where you download PC applications or software though.

Mark

Re: TLS certificates or server misconfig?

Post by lurkio »

1024MAK wrote:
Sun Nov 21, 2021 9:52 am
on Firefox, if I’m using a trusted site and not dealing with personal/private/financial information, I just click through ignoring all the warnings if it’s about it being mixed http/https or it’s a non https site.
The problem is that if you’re trying to get to bbcmicro.co.uk and if your browser has stuck https:// on the front of the domain, then even after you click through all the warnings you’ll be taken to what looks like this page rather than the actual Complete BBC Micro Games Archive site.

:!:

Re: TLS certificates or server misconfig?

Post by 1024MAK »

lurkio wrote:
Sun Nov 21, 2021 10:06 am
The problem is that if you’re trying to get to bbcmicro.co.uk and if your browser has stuck https:// on the front of the domain, then even after you click through all the warnings you’ll be taken to what looks like this page rather than the actual Complete BBC Micro Games Archive site.
Yes, I understand. I was just (trying to) say that with some sites (typically when there is a problem with certification, e.g. it’s expired) and where the URL is otherwise correct, I click through.

Obviously in this case, that’s not helping due to the browser taking you to a URL you don’t want.

Mark

Re: TLS certificates or server misconfig?

Post by KenLowe »

Hmmm. I'm running Chrome 96.0.4664.45 and it doesn't seem to be defaulting to https on my setup. If I just type bbcmicro.co.uk it still defaults to http and loads the page just fine with a Not Secure label next to it. If I prefix the URL with https:// then I get the certificate mismatch error. Perhaps I've previously accepted a setting that allows unsecure connections to bbcmicro.co.uk. The point that sweh makes about making bbcmicro.co.uk secure is still valid, though.

Re: TLS certificates or server misconfig?

Post by 1024MAK »

As I understand it, different Chrome versions treat unsecured sites differently, as they (Chrome) are gradually increasing the restrictions over time. But keep in mind this is me regurgitating information that I picked up from another forum. I have not checked it myself, as I don’t use Chrome on any of my systems.

Mark

Re: TLS certificates or server misconfig?

Post by BeebMaster »

I get this a lot in Firefox, even when visiting official Government websites, which I always thought was a bit perverse. I have an add-on called HTTPS Everywhere, which I thought was a sensible precaution when I installed it a long time ago. With that enabled, for example, I get this:
[Attached image: Screenshot from 2021-11-21 12-10-21.png]
but bizarrely, the URL then shows https: at the beginning when it does let me in. With HTTPS Everywhere off, I have to click advanced before I get the option to continue:
[Attached image: Screenshot from 2021-11-21 12-11-17.png]
I don't use favourites or bookmarks, I always type the URL into the URL bar. I don't use saved passwords either.

Re: TLS certificates or server misconfig?

Post by sweh »

1024MAK wrote:
Sun Nov 21, 2021 10:46 am
Obviously in this case, that’s not helping due to the browser taking you to a URL you don’t want.
More accurately, the browser is taking you to the correct URL, but the server is returning the wrong content.
Rgds
Stephen