Potential Bugs with New SSL Certs (https)


Comments

  • AllenAllen Registered Users Posts: 10,008 Major grins
    edited January 25, 2018

    Getting this?

    Looks like only this gallery?
    https://www.photosbyat.com/Birds/2006-Birding/2006-Birds-of-Japan
    ... and only first photo in gallery, can move to any other photo and refresh and changes to secure?
    Back to first and refresh and un-secure shows.

    Al - Just a volunteer here having fun
    My Website index | My Blog
  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    It's coming from the http://graph.facebook.com/1345998078764979/picture which is on the comment someone left, probably through whatever mechanisms allow facebook users to access smugmug for comments?

  • Djm3006Djm3006 Registered Users Posts: 226 Major grins
    edited January 25, 2018

    @denisegoldberg said:
    I don't understand why the "issued to" isn't by default a smugmug url.

    My site certificate also shows as issued to someone else, not smug, not me. That's wrong.
    I expected to see the "issued to" as smugmug.

    Just out of curiosity I checked my blog, and that certificate clearly shows as issued to Google (the owner of blogger); that one makes sense. And that implies that it is possible to have an "issued to" that reflects the organization that did the underlying certificate work as opposed to a site that is totally unrelated to my site.

    Interesting, mine's for
    www.viewsformycar.com and their site is correct.

  • fabthifabthi Registered Users Posts: 263 Major grins

    I read somewhere here on another post that https was expected to be implemented by January 26th, today.
    But my site still appears as http and with the browser's security warning.

  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    @fabthi, it's working, just put https:// in front of www.fabiothian.com

    They are not making it go to https automatically (yet), but are supporting both http and https.

  • thenickdudethenickdude Registered Users Posts: 1,302 Major grins

    Hey SmugMug, you forgot to include Let's Encrypt's Intermediate Certificate in the certificate chain you're sending. This means that users will only be able to verify the certificate chain (and get a non-broken website) if their computer already has Let's Encrypt's intermediate certificate installed/cached from browsing other websites (it isn't installed by default). See the SSL Labs test of my site here:

    https://www.ssllabs.com/ssltest/analyze.html?d=origin.sherlockphotography.org&s=34.236.73.11&latest

    You can see the same result (only one certificate in the chain, no intermediate certificate present) using openssl:

    openssl s_client -connect origin.sherlockphotography.org:443 -servername origin.sherlockphotography.org
    

    Let's Encrypt provides intermediate certificates that you can serve here:

    https://letsencrypt.org/certificates/

  • MarcQuinlivanMarcQuinlivan Registered Users Posts: 56 Big grins

    @MarcQuinlivan said:

    I have four Smugmug accounts and two of them are listed below:

    www.marcquinlivan.photography shows as issued to www.livinglifephotography.com
    www.alyxcoby.com shows as issued to photos.gdupphoto.com

    One of my domains (www.alyxcoby.com) is now using ssl.smugmug.com as the subject on the cert.
    www.marcquinlivan.photography is still using www.livinglifephotography.com

    I assume this means you are in the process of switching the rest of them over @leftquark ?

  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited January 31, 2018

    @thenickdude, from a practical perspective what does the lack of the intermediate certificate mean?

    More precisely, that I get a green lock symbol means what, I got the intermediate certificate elsewhere?

    I tried going to a relatively unused Linux system and using the openssl command, and I did not see anything about the intermediate certificate; what I saw was an error on the lead-off name:

    ferguson@zm:~$ openssl s_client -connect origin.sherlockphotography.org:443 -servername origin.sherlockphotography.org
    CONNECTED(00000003)
    depth=0 CN = www.anaedwardsphotography.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = www.anaedwardsphotography.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    

    But it still appears to have been happy with the connection, and the SSL site still gives it a "B". So it's "not trusted" but gets a "B"?

    I did try it on a site of my own, and the above error did not occur (well, it shouldn't), and got an "A". That site is hosted and uses a utility to refresh the Lets Encrypt certificates, so it must provide the intermediate chain needed.

    But is the intermediate chain causing the "unable to get local issuer certificate" seen in openssl's report, or is that because of all the additional names being listed? And so long as Smugmug keeps lumping many into one, will that not keep happening?
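The openssl transcript above answers both questions once you know what to look for, so here is an added shell script (not from the thread, not SmugMug's) that reads `openssl s_client` output and classifies it. It counts the certificates the server actually sent (the `0 s:`, `1 s:` lines under "Certificate chain") and reads the "Verify return code" line. Error 21 ("unable to verify the first certificate") on a one-certificate chain is the signature of a missing intermediate: the browser shows a green lock only because it already has that intermediate cached from another site, and SSL Labs reports the same condition as "chain incomplete" and caps the grade at B. The long list of additional names in the certificate does not produce errors 20 or 21; those come from chain building, and hostname matching is a separate check. The sample outputs, hostnames and CA names below are constructed.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output to tell a missing
# intermediate from other trust problems. Sample outputs below are constructed
# (hostnames and CA names are made up), modelled on the transcript in the thread.

# Server sends only the leaf: verify errors 20 then 21, one entry under
# "Certificate chain".
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
depth=0 CN = www.example-leaf.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.example-leaf.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example-leaf.test
   i:CN = Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
---'

# Server sends leaf plus intermediate: chain builds to a local root, code 0.
SAMPLE_FULL_CHAIN='CONNECTED(00000003)
depth=2 O = Example Trust, CN = Example Root CA
verify return:1
depth=1 O = Example Trust, CN = Example Intermediate CA
verify return:1
depth=0 CN = www.example-leaf.test
verify return:1
---
Certificate chain
 0 s:CN = www.example-leaf.test
   i:O = Example Trust, CN = Example Intermediate CA
 1 s:O = Example Trust, CN = Example Intermediate CA
   i:O = Example Trust, CN = Example Root CA
---
    Verify return code: 0 (ok)
---'

# Number of certificates the server actually sent ("0 s:", "1 s:", ... lines).
chain_length() {
    grep -cE '^ *[0-9]+ s:' || :
}

# Numeric verify return code; 0 means a trusted chain was built locally.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Reads s_client output on stdin and prints one verdict word.
chain_verdict() {
    out=$(cat)
    len=$(printf '%s\n' "$out" | chain_length)
    code=$(printf '%s\n' "$out" | verify_code)
    case "$code" in
        0)  echo ok ;;
        21) echo incomplete-chain ;;            # the leaf's issuer was never sent
        20) if [ "${len:-0}" -le 1 ]; then     # 20 with one cert: same problem
                echo incomplete-chain
            else                                # 20 with more: the last sent cert's
                echo unknown-issuer             # issuer is not in the local store
            fi ;;
        "") echo no-verify-result ;;
        *)  echo "verify-error-$code" ;;
    esac
}

# Live check (needs network). Assumes the openssl CLI is installed.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | chain_verdict
}

# Usage: sh chaincheck.sh www.example.test
if [ -n "${1:-}" ]; then
    check_host "$1"
fi
```

Run it against a host from a machine that has never visited the site, as Ferguson did; a browser profile that has cached the intermediate will not reproduce the problem, which is exactly why a fresh openssl run is the reliable check.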

  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    New question: when will the site maps switch to https? Internally mine is still showing explicit http links.

    Robots.txt (probably dynamic) will switch dynamically, so it shows https://xxx/sitemap-index.xml if you access robots.txt by https (and vice versa for http). So I assume (a stretch when dealing with Google) that the site map will force it back to http for the crawl?

  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    The issue Nick mentioned was fixed a few days ago. Once the certs renew, they should be all set in that regard.

    The sitemaps will get updated as part of the ongoing work to finish up SSL and start redirecting everything over.

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • fabthifabthi Registered Users Posts: 263 Major grins
    edited February 1, 2018

    @Ferguson said:
    They are not making it go to https automatically (yet), but are supporting both http and https.

    I understand but when????? My site as of today is still shown as "Not safe" in Chrome.
    Photoshelter switched all its customers to https months ago...

  • AllenAllen Registered Users Posts: 10,008 Major grins
    edited February 2, 2018

    On the new https pages I click log out many times and it will not log out?

    Logging out here doesn't work either.
    https://www.smugmug.com/

    Al - Just a volunteer here having fun
    My Website index | My Blog
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    @fabthi said:

    @Ferguson said:
    They are not making it go to https automatically (yet), but are supporting both http and https.

    I understand but when????? My site as of today is still shown as "Not safe" in Chrome.

    You can tell your visitors to visit https://www.yourdomain.com and that will work fine and be secure. We'll start redirecting people from http to https soon but we need to make sure everything works
    before we do it. We obviously don't want to rush this and cause issues for you or your visitors.

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    As of today we've begun enabling full SSL (https) redirects from http to https across entire sites. Any non-https URL will get redirected to https. The roll-out should complete by Friday - let us know if you're not seeing automatic redirection after then.

    You can see my site, for example, http://www.aaronmphotography.com will automatically redirect to https://www.aaronmphotography.com

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • Lille UlvenLille Ulven Registered Users Posts: 567 Major grins

    @leftquark I have been trying the redirect on your site https://aaronmphotography is properly redirected to https://www.aaronmphotography.com, but for my site (and at least one more that I checked) entering https://lilleulven.com does lead to an error message because "Safari is not able to establish a secure connection", while lilleulven.com is properly redirected to https://www.lilleulven.com.

    Is there anything that needs to get done from my side (IWantMyName settings wise)? I hope it does not (again) need special code somewhere in the hidden areas not officially available, like when the last redirect last year or so stopped working...

    Thanks in advance.

    https://www.lilleulven.smugmug.com - The Photos of my travels
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    Hi @Lille Ulven, unfortunately the non-www to www redirect is a DNS level action that we have no control over at SmugMug. You'll have to work with your DNS provider (where you registered your domain most likely) to set up the proper redirection. In my case, my provider offers the option to get an SSL certificate for me, at which point the redirect works great. I've heard other SmugMug customers have had a much more difficult time getting this set up because their DNS provider did not offer an SSL certificate for the non-www redirect. I wish we could help here but unfortunately that stuff is controlled by things before it comes to SmugMug.

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • Lille UlvenLille Ulven Registered Users Posts: 567 Major grins

    @leftquark, thank you. While my DNS provider does not provide me with SSL certificates I could somehow (not clear about the details yet) add an SSL certificate after all. But the question now is: does SmugMug work with Let's Encrypt? It's not mentioned on the website, that I found earlier today (and cannot find again now, of course)...
    And if it does work: does the automatic renewal work too?

    https://www.lilleulven.smugmug.com - The Photos of my travels
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    We are currently working with Lets Encrypt to issue the SSL certs and we do automatically renew them for you.

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • Lille UlvenLille Ulven Registered Users Posts: 567 Major grins

    @leftquark so in theory that means that I should be somehow able to use let's encrypt for the https://lilleulven.com redirect as well.
    Unfortunately, I have to admit, the let's encrypt site does not make any sense to me. So how on earth to get that done and what settings to access to make it all happen...I don't know. Domain provider told me they could not help as they don't do SSL directly. Google hasn't been of any help either. :neutral:

    https://www.lilleulven.smugmug.com - The Photos of my travels
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    I'm reaching out to the Heroes to see if they have any experience with setting this up for other customers -- unfortunately I don't have enough experience myself and every domain provider does it a little differently :( I am thanking my stars that my domain provider just did it (and I keep getting emails when the certificate is automatically renewed).

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited May 2, 2018

    The other place it can be done is if you have a web site yourself, like a blog.xxxx.com. Instead of trying to do a redirect at the DNS level, you can take the "A" address of your web site as the xxxx.com address, get an SSL cert on your web site (many web providers are tied to Let's Encrypt automatically), then manually in your web server redirect the xxxx.com to www.xxxx.com. A bit ugly but should work; someone actually goes through another web site to get to smugmug, but since one is without the www and one is with, the names should be OK? Speculation, I have not tried it.

    By the way, if your goal is to allow users to just type xxxx.com and end up on your site, most of those users are not going to type https:// in front of it if they are too lazy to type www. So a regular http redirect will still handle most traffic, unless you actually send or post a link with https but without the www.

  • Lille UlvenLille Ulven Registered Users Posts: 567 Major grins

    I managed to get it done (at least I believe that all redirects still work).
    Problem number one: my beloved (I'd bring them cake if they were located anywhere near me!) domain host does not offer direct SSL certificate installation. And, of course, I could not find an understandable guide of how to install Let's Encrypt with them manually.
    Problem number two: the guys hosting my blog do only offer free Let's Encrypt for sites where the domain setup is on their servers as well. (I could have gotten some paid version installed without the following mess, but I do need some money to pay my food and other bills too :wink: )
    Since I could not get an A-record from SmugMug (they don't provide A-records, I was told) I had to get the following done:
    1. change the nameservers on my domain host to those of the blog host.
    2. get a redirect from lilleulven.com to www.lilleulven.com set up on my blog host (this is a maybe because I believe I had to kill the CNAME for that in order to get the step 3 CNAME set up...)
    3. get a CNAME record to domains.smugmug.com set up on my blog host (previously on the domain host only)
    4. wait for the world to be updated on the new settings
    5. verify that everything is up and running as it should
    6. get my blog host to install Let's Encrypt
    And while this sounds pain-free: forget to type the "s" in domains.smugmug.com and you have a problem; do not know about the new CNAME and you have another problem. It basically took four days to get to step 5 being verified. Installing the Let's Encrypt SSL was then just another half an hour or so with a little bit of testing and a minor fix.

    And yes, it also solved the https://lilleulven.com error, which I had before :smiley:

    So maybe this setup helps someone else who is using a domain-provider and a blog-host in combination? If not...well it's a good documentation for myself should I ever decide to change anything in my setup ever again.

    https://www.lilleulven.smugmug.com - The Photos of my travels
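Since the last several posts are about the same thing, whether every spelling of the address (http or https, with or without www) ends up on https://www, here is an added shell script that checks it, written for this thread and not SmugMug's or anyone's here. It parses response headers as `curl -sI` prints them and gives each hop a verdict: a redirect straight to the canonical https origin is fine, a redirect whose Location is plain http means that hop still travels in the clear, and a 200 on a non-canonical variant means that variant is being served directly instead of redirected. The https://bare-domain handshake failure Lille Ulven saw in Safari shows up in the live check as connection-failed, because no redirect rule can run before the TLS connection exists. The headers and the domain example-gallery.test are constructed; the live function assumes curl is installed.

```shell
#!/bin/sh
# Added example: check that every way of typing a gallery address ends up on
# the canonical https://www origin. Response headers below are constructed,
# in the form `curl -sI` prints them; example-gallery.test is a made-up domain.

# http://www -> https://www : the redirect SmugMug described.
RESP_HTTP_WWW='HTTP/1.1 301 Moved Permanently
Location: https://www.example-gallery.test/
Content-Length: 0'

# bare domain -> http://www : redirects, but the hop itself is still plaintext.
RESP_HTTP_BARE='HTTP/1.1 301 Moved Permanently
Location: http://www.example-gallery.test/
Content-Length: 0'

# https://www : the final page, with HSTS so browsers remember to use https.
RESP_HTTPS_WWW='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Content-Type: text/html; charset=utf-8'

# Three-digit status from the status line (HTTP/1.1 or HTTP/2).
status_code() {
    tr -d '\r' | sed -n '1s|^HTTP/[0-9.]* \([0-9]\{3\}\).*|\1|p'
}

# Value of the first Location header, case-insensitive on the header name.
location_header() {
    tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1
}

# Verdict for one hop. $1 is the canonical origin (https://www.example.test),
# $2 the URL that was requested (defaults to the canonical origin).
hop_verdict() {
    canonical=$1
    requested=${2:-$canonical}
    resp=$(cat)
    code=$(printf '%s\n' "$resp" | status_code)
    loc=$(printf '%s\n' "$resp" | location_header)
    case "$code" in
        200)
            case "$requested" in
                "$canonical"|"$canonical"/*) echo final ;;
                *)                           echo served-without-redirect ;;
            esac ;;
        301|302|307|308)
            case "$loc" in
                "$canonical"|"$canonical"/*) echo redirect-secure ;;
                http://*)                    echo redirect-insecure ;;
                *)                           echo redirect-elsewhere ;;
            esac ;;
        *)  echo "unexpected-$code" ;;
    esac
}

# Live check of all four variants (needs network and curl). curl -sI does not
# follow redirects, so each line reports one hop; a failed TLS handshake on
# https://<bare domain> prints connection-failed instead of a verdict.
check_all_variants() {
    d=$1
    for url in "http://$d/" "http://www.$d/" "https://$d/" "https://www.$d/"; do
        if hdrs=$(curl -sI --max-time 10 "$url" 2>/dev/null); then
            printf '%-40s %s\n' "$url" "$(printf '%s\n' "$hdrs" | hop_verdict "https://www.$d" "$url")"
        else
            printf '%-40s connection-failed\n' "$url"
        fi
    done
}

# Usage: sh redirectcheck.sh example-gallery.test
if [ -n "${1:-}" ]; then
    check_all_variants "$1"
fi
```

A clean setup prints redirect-secure for the three non-canonical variants and final for https://www. Ferguson's point still holds: a redirect-insecure verdict on http://bare only affects visitors who typed the address by hand, but any link you post as https://bare needs the certificate on the bare name before the redirect can help.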