Server Migration II: Revenge of the Something-Or-Other (SOLVED)

[Haiz]

Minor thing, but every time im going on forum on my phone since the server move, a message telling me the website may be unsafe or that it doesnt have some sort of certificate pops up. I just click "ok, continue anyway" but yeah. Shrugs

[JoB]

Minor thing, but every time im going on forum on my phone since the server move, a message telling me the website may be unsafe or that it doesnt have some sort of certificate pops up. I just click "ok, continue anyway" but yeah. Shrugs

The server's using the same cert as before ... Qualys would like the CA chain reordered and longer, self-generated DH moduli, but neither should prompt a browser popup ... ? ???

[hushpiper]

This is most likely a mixed-content error, I fiddled a bit with some of the rewrites I had previously been using to force https on links that had been written with http. Which is to say, the cert itself is fine, the browser's just complaining. Thanks for letting me know Haiz, I'd forgotten about that one! It'll get fixed as soon as I figure out how I want to handle that.

[Haiz]

It looks like this (sorry for the norwegian):

[viola]

It looks like this (sorry for the norwegian):

Security warning
There are problems with the security certificate for this site.
The name of the site does not agree with the name on the certificate.

[JoB]

Security warning
There are problems with the security certificate for this site.
The name of the site does not agree with the name on the certificate.

Haiz, it would be helpful if you were to use that "view certificate" button the next time and tell us what's shown as the cert's "subject"/"issued to". The forum server's cert would report a "common name" (CN) of "www.ssssforum.com" and/or a "distinguished name" (DN) including that CN.

I currently see three possibilities, but neither seems to match the symptoms 100%:

• Bookmarked start page has the wrong server name - that wouldn't have changed with the server swap. (Also, what other names would be listed in the DNS so that Haiz would eventually land on the forum nonetheless?)
• Some config / link wrong within the login process - but why would only Haiz have the problem, then?
• Actual content page loading parts of the content from other servers and the cert problem is with them - but that shouldn't happen every time, nor have started with the server switch.

[scratches head]

[Haiz]

(The "sideinfo" just says that this page is ssssforum.com but I think you know that)

might be my phone is just old or something. It's really no problem, just a thing that happens

[JoB]

[Checks DNS and WHOIS]

Well, that still doesn't tell us which part of the forum's content refers to the external content in question and under what differing name, but it's 99% certain that it's the cert of some other server that causes this warning. (Also, you shouldn't see this warning during the login process or in the board/thread listings but only once you look at actual content within a thread - correct?)

[hushpiper]

Huh, that is completely not what I thought it was. So--basically what's happening here is your phone is complaining that something is trying to load using the forum host's SSL certificate, rather than the one that's installed on our website. Which... shouldn't be happening. The host cert shouldn't even be accessible, considering it's installed on a whole other IP. Maybe there's something in there that's hard coded to the old IP address? *scratches head*

[JoB]

Huh, that is completely not what I thought it was. So--basically what's happening here is your phone is complaining that something is trying to load using the forum host's SSL certificate, rather than the one that's installed on our website. Which... shouldn't be happening. The host cert shouldn't even be accessible, considering it's installed on a whole other IP. Maybe there's something in there that's hard coded to the old IP address? *scratches head*

If it were the old IP address, Haiz wouldn't get the server cert of the new host ... ?

I note that both alternate functional "hostnames" I can dig up (162.144.176.230 and ssss.personaldefensecenter.org - the IP's PTR RR points to 162-144-176-230.unifiedlayer.com, but there's no further RR for that), when used for HTTPS, take you to the SSSS forum without redirecting the browser to one of the "proper" hostnames (www.ssssforum.com and ssssforum.com) first, complete with "wrong cert" warnings. Maybe Haiz somehow bookmarked a URL with one of those?

(Dunno how much we want to care about SEO, but both in that context and generally, having a website nudge the visitors to one "official" hostname is considered a good thing.)

If you have logs that record either the HTTP 1.1 "Host:" header or the "Referer:" header, you should be able to find out what hostname Haiz is actually using (because the reverse proxy apparently rejects HTTP 1.0) ...

[Haiz]

uuuuhhh i don't know what you guys are saying but it's REALLY ok, i was mostly just alerting you guys in case of a bug, but it's honestly not an actual problem. it's just a popup i can easily click ok on.

[hushpiper]

No worries! I'm glad you're still able to use the forum without problems. We're just chewing over it because it could indicate another problem I hadn't noticed--it doesn't do to have the forum behaving unexpectedly!

Well seeee, the cert in that screenshot could refer to either the old server or the new one--both have the same host, and the server-wide cert installed by the host is identical. So that's no help.

As far as using the IP to access the website--well, yes, that would certainly cause those errors, among many others. I did have some things in place on the old server to handle redirecting requests like that, but they got changed in the move. It doesn't quite fit, but since that did change during the server move it's a good place to look for the culprit. The forum software trends to be very finicky when it comes to SSL and its related rewrites.