@denisegoldberg said:
I don't understand why the "issued to" isn't by default a smugmug url.
My site certificate also shows as issued to someone else, not smug, not me. That's wrong.
I expected to see the "issued to" as smugmug.
Just out of curiosity I checked my blog, and that certificate clearly shows as issued to Google (the owner of blogger); that one makes sense. And that implies that it is possible to have an "issued to" that reflects the organization that did the underlying certificate work as opposed to a site that is totally unrelated to my site.
@thenickdude, from a practical perspective what does the lack of the intermediate certificate mean?
More precisely, that I get a green lock symbol means what, I got the intermediate certificate elsewhere?
I tried going to a relatively unused linux system and using the openssl command, and I did not see anything about the intermediate certificate, what I saw was an error on the lead off name
ferguson@zm:~$ openssl s_client -connect origin.sherlockphotography.org:443 -servername origin.sherlockphotography.org
CONNECTED(00000003)
depth=0 CN = www.anaedwardsphotography.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.anaedwardsphotography.com
verify error:num=21:unable to verify the first certificate
verify return:1
Comments
Getting this?
Looks like only this gallery?
https://www.photosbyat.com/Birds/2006-Birding/2006-Birds-of-Japan
... and only first photo in gallery, can move to any other photo and refresh and changes to secure?
Back to first and refresh and un-secure shows.
My Website index | My Blog
It's coming from the http://graph.facebook.com/1345998078764979/picture which is on the comment someone left, probably through whatever mechanisms allow facebook users to access smugmug for comments?
Interesting mines for
www.viewsformycar.com and their site is correct
I read somewhere here on another post the https was expected to be implemented within January 26th, today.
But my site still appears as http and with browser's security warning
Venice PhotoBlog
@fabthi, it's working, just put https:// in front of www.fabiothian.com
They are not making it go to https automatically (yet), but are supporting both http and https.
Hey SmugMug, you forgot to include Let's Encrypt's Intermediate Certificate in the certificate chain you're sending. This means that users will only be able to verify the certificate chain (and get a non-broken website) if their computer already has Let's Encrypt's intermediate certificate installed/cached from browsing other websites (it isn't installed by default). See the SSL Labs test of my site here:
https://www.ssllabs.com/ssltest/analyze.html?d=origin.sherlockphotography.org&s=34.236.73.11&latest
You can see the same result (only one certificate in the chain, no intermediate certificate present) using openssl:
Let's Encrypt provides intermediate certificates that you can serve here:
https://letsencrypt.org/certificates/
Please check out my gallery of customisations for the New SmugMug, more to come!
One of my domains (www.alyxcoby.com) is now using ssl.smugmug.com as the subject on the cert.
www.marcquinlivan.photography is still using www.livinglifephotography.com
I assume this means you are in the process of switching the rest of them over @leftquark ?
@thenickdude, from a practical perspective what does the lack of the intermediate certificate mean?
More precisely, that I get a green lock symbol means what, I got the intermediate certificate elsewhere?
I tried going to a relatively unused linux system and using the openssl command, and I did not see anything about the intermediate certificate, what I saw was an error on the lead off name
But it still appears to have been happy with the connection, and the SSL site still gives it a "B". So it's "not trusted" but gets a "B"?
I did try it on a site of my own, and the above error did not occur (well, it shouldn't), and got an "A". That site is hosted and uses a utility to refresh the Lets Encrypt certificates, so it must provide the intermediate chain needed.
But is the intermediate chain causing the "unable to get local issuer certificates" seen in openssl's report, or is that because of all the additional names being listed? As so long as Smugmug keeps lumping many into one, will that not keep happening?
New question: when will the site maps switch to https? Internally mine is still showing explicit http links.
Robots.txt (probably dynamic) will switch dynamically, so it shows https://xxx/sitemap-index.xml if you access robots.txt by https (and vice versa for http). So I assume (a stretch when dealing with Google) that the site map will force it back to http for the crawl?
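The effect asked about above can be reproduced offline. This is an added example, not part of any post in the thread: it builds a throwaway root, intermediate and leaf with the openssl CLI, then verifies the leaf once as a server would present it without the intermediate and once with it. All certificate names, file names and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo chain: Demo Root -> Demo Intermediate -> www.example.test
# (all names hypothetical; keys are throwaway and live only in a temp dir).

new_key_csr() {   # $1 = file basename, $2 = common name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {    # $1 = working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  # Root: self-signed, plays the role of the CA already in the client's trust store.
  new_key_csr "$d/root" "Demo Root"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate: signed by the root; this is the cert the server should send.
  new_key_csr "$d/int" "Demo Intermediate"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Leaf: the site certificate, signed by the intermediate.
  new_key_csr "$d/leaf" "www.example.test"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# verify_served ROOT LEAF [INTERMEDIATE]
# Verifies LEAF the way a client would: ROOT is the trust store, and
# INTERMEDIATE (if given) is what the server sent along with the leaf.
verify_served() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
  else
    openssl verify -CAfile "$1" "$2" 2>&1
  fi
}

demo() {
  tmp=$(mktemp -d) || return 1
  make_chain "$tmp"
  echo "== leaf only (intermediate not sent) =="
  verify_served "$tmp/root.pem" "$tmp/leaf.pem"
  echo "== leaf + intermediate =="
  verify_served "$tmp/root.pem" "$tmp/leaf.pem" "$tmp/int.pem"
  rm -rf "$tmp"
}

demo
```

Against a live host, `openssl s_client -showcerts` prints every certificate the server sends, so a complete chain shows more than one.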
The issue Nick mentioned was fixed a few days ago. Once the certs renew, they should be all set in that regard.
The sitemaps will get updated as part of the ongoing work to finish up SSL and start redirecting everything over.
Former SmugMug Product Team
aaron AT aaronmphotography DOT com
Website: http://www.aaronmphotography.com
My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
I understand but when????? My site as of today is still shown as "Not safe" in Chrome.
Photoshelter switched all its customers to https months ago...
Venice PhotoBlog
On the new https pages I click log out many times and it will not log out?
Logging out here doesn't work either.
https://www.smugmug.com/
My Website index | My Blog
You can tell your visitors to visit https://www.yourdomain.com and that will work fine and be secure. We'll start redirecting people from http to https soon but we need to make sure everything works before we do it. We obviously don't want to rush this and cause issues for you or your visitors.
Former SmugMug Product Team
As of today we've begun enabling full SSL (https) redirects from http to https across entire sites. Any non-https URL will get redirected to https. The roll-out should complete by Friday - let us know if you're not seeing automatic redirection after then.
You can see my site, for example, http://www.aaronmphotography.com will automatically redirect to https://www.aaronmphotography.com
Former SmugMug Product Team
@leftquark I have been trying the redirect on your site https://aaronmphotography is properly redirected to https://www.aaronmphotography.com, but for my site (and at least one more that I checked) entering https://lilleulven.com does lead to an error message because "Safari is not able to establish a secure connection", while lilleulven.com is properly redirected to https://www.lilleulven.com.
Is there anything that needs to get done from my side (IWantMyName settings wise)? I hope it does not (again) need special code somewhere in the hidden areas not officially available, like when the last redirect last year or so stopped working...
Thanks in advance.
Hi @Lille Ulven, unfortunately the non-www to www redirect is a DNS level action that we have no control over at SmugMug. You'll have to work with your DNS provider (where you registered your domain most likely) to set up the proper redirection. In my case, my provider offers the option to get an SSL certificate for me, at which point the redirect works great. I've heard other SmugMug customers have had a much more difficult time getting this set up because their DNS provider did not offer an SSL certificate for the non-www direct. I wish we could help here but unfortunately that stuff is controlled by things before it comes to SmugMug.
Former SmugMug Product Team
@leftquark, thank you. While my DNS provider does not provide me with SSL certificates I could somehow (not clear about the details yet) add a SSL certificate after all. But the question now is: does SmugMug work with Let's Encrypt? It's not mentioned on the website, that I found earlier today (and cannot find again now, of course)...
And if it does work: does the automatic renewal work too?
We are currently working with Let's Encrypt to issue the SSL certs and we do automatically renew them for you.
Former SmugMug Product Team
@leftquark so in theory that means that I should be somehow able to use let's encrypt for the https://lilleulven.com redirect as well.
Unfortunately, I have to admit, the let's encrypt site does not make any sense to me. So how on earth to get that done and what settings to access to make it all happen...I don't know. Domain provider told me they could not help as they don't do SSL directly. Google hasn't been of any help either.
I'm reaching out to the Heroes to see if they have any experience with setting this up for other customers -- unfortunately I don't have enough experience myself and every domain provider does it a little differently. I am thanking my stars that my domain provider just did it (and I keep getting emails when the certificate is automatically renewed).
Former SmugMug Product Team
The other place it can be done is if you have a web site yourself, like a blog.xxxx.com. Instead of trying to do a redirect at the DNS level, you can take the "A" address of your web site as the xxxx.com address, get an SSL cert on your web site (many web providers are tied to Let's Encrypt automatically), then manually in your web server redirect the xxxx.com to www.xxxx.com. A bit ugly but should work; someone actually goes through another web site to get to smugmug, but since one is without the www and one is with, the names should be OK? Speculation, I have not tried it.
By the way, if your goal is to allow users to just type xxxx.com and end up on your site, most of those users are not going to type https:// in front of it if they are too lazy to type www. So a regular http redirect will still handle most traffic, unless you actually send or post a link with https but without the www.
I managed to get it done (at least I believe that all redirects still work).
Problem number one: my beloved (I'd bring them cake if they were located anywhere near me!) domain host does not offer direct SSL certificate installation. And, of course, I could not find an understandable guide of how to install Let's Encrypt with them manually.
Problem number two: the guys hosting my blog do only offer free Let's Encrypt for sites where the domain setup is on their servers as well. (I could have gotten some paid version installed without the following mess, but I do need some money to pay my food and other bills too.)
Since I could not get an A-record from SmugMug (they don't provide A-records, I was told) I had to get the following done:
1. change the nameservers on my domain host to those of the blog host.
2. get a redirect from lilleulven.com to www.lilleulven.com set up on my blog host (this is a maybe because I believe I had to kill the CNAME for that in order to get the step 3 CNAME set up...)
3. get a CNAME record to domains.smugmug.com set up on my blog host (previously on the domain host only)
4. wait for the world to be updated on the new settings
5. verify that everything is up and running as it should
6. get my blog host to install Let's Encrypt
And while this sounds pain-free: forget to type the "s" in domains.smugmug.com and you have a problem; do not know about the new CNAME and you have another problem. It basically took four days to get to step 5 being verified. Installing the Let's Encrypt SSL was then just another half an hour or so with a little bit of testing and a minor fix.
And yes, it also solved the https://lilleulven.com error, which I had before
So maybe this setup helps someone else who is using a domain-provider and a blog-host in combination? If not...well it's a good documentation for myself should I ever decide to change anything in my setup ever again.