How To Force HTTP to HTTPS

Started by Skhilled, May 05, 2017, 09:03:53 AM


davejo

Thanks Steve, I'll repost again at the weekend.

davejo

As I can't set up the https on my site for some reason, I get the error message that ssl_error_rx_record_too_long

I tested it on a sub forum and that's the error I get.

One question, does the main site 'davejohnson.co.uk' have to be set up for https for the subforum to work in https?

The subforum would be davejohnson.co.uk/test this is in place but registration is disabled to prevent spammers.

In order to play about some more I want to see if I can get it working before I do it on the main site, but if it won't work on a sub forum then I'd be wasting my time.

Just done a check on the SSL cert and according to the checker it's not installed correctly, see attachment. So that answers the question of why I'm getting the error.

I have to be honest also and say, because I have never had issues with the site before I have never tried to contact the help desk at Justhost but I did the other evening and it told me I had to wait 85 mins in one session and 50 mins in another which I obviously wasn't very happy with. So I will have to contact them again to see if I can resolve this now.

So you were right about them being bad Steve.

The annoying thing about them is you cannot raise a support ticket to get an issue resolved, it has to be either telephone call or chat.



Skhilled

I believe you should be able to configure how you want your domains configured. But I'm not sure if you MUST have your primary domain as HTTPS or not. I understand that you'd want to test things on a test site first. But in this case, you would have to test it on a separate secondary domain instead of your primary domain.

One thing I do know is that it may take a day for it to fully resolve...depending on the SSL cert and how your hosting has configured it.

As far as the hosting goes, I think the parent company (EIG) has done away with tickets for all of their hosting now. They did the same to me on my last hosting and is one of the reasons why I left. Tickets are great if you don't have the time to stand around for awhile and the issue is still not resolved! It will just frustrate you especially if you are a busy person if you have to stay in one spot.


And for posting, make sure you use the login in the block on the left and select "Forever". Or, if you click the Login on the main menu check the box for stay logged in. Then you shouldn't be timed out for your session. One trick I've got in a habit of doing a long time ago is to click "Preview" every so often when I make a lengthy post. I will also highlight my post and use CTRL+C (copy shortcut on the keyboard) so if you hit the wrong button or your session times out you can just paste it into a new one using CTRL+V (paste). ;)

davejo

Thanks for the reply Steve, I'll get to see what the issues are with the host this weekend.

Skhilled

I just hope they can or will fix it LOL. If not, ask them if they are willing to install Let's Encrypt. So far, that has worked well for me on this server, on Ken's and on my VPS. Underdog uses it too.

lurkalot

Quote from: davejo on June 08, 2017, 02:19:24 PM

One question, does the main site 'davejohnson.co.uk' have to be set up for https for the subforum to work in https?


Good question, and it saves me asking the same one.  As I think I'll have a similar scenario to deal with when I switch my sites. 

Skhilled

When I look into my settings it does not specify if I must use my primary domain or not. All of my domains are listed and I chose all 3. I've never tried to just use any of the subdomains without the primary one. But it appears as though you can.

davejo

Quote from: lurkalot on June 11, 2017, 04:14:17 AM
Quote from: davejo on June 08, 2017, 02:19:24 PM

One question, does the main site 'davejohnson.co.uk' have to be set up for https for the subforum to work in https?


Good question, and it saves me asking the same one.  As I think I'll have a similar scenario to deal with when I switch my sites.

No it doesn't.

I now have the certificate authorised and it is now on the server. So off I went and did all the .htaccess and repair_settings changes only to find that when I went to my sub-domain it just linked direct to the main domain. I tried using repair_settings in the sub-domain folder but it doesn't work, the repair_settings will only run in the main domain. So with that knowledge I ran it again and set all the parameters for the sub and thought great but no it still didn't work.

One thing I will say at this point is thank goodness for backups, as I have mine running every other day with a cron job using XCloner3.5.

Anyway back to the point.

It seems you have to get a SSL cert with a wildcard, I do understand it now but instead of me writing it out I have copied and pasted it from another article below.

Quote
Do You Need an SSL Cert for Each Subdomain

Yes and No, it depends. Your standard SSL certificate will be for a single domain, say 'www.domain.com'. There are different types of certs you can get aside from the standard single domain cert: wildcard and multi domain certs.

A wild card cert will be issued for something like '*.domain.com' and clients will treat this as valid for any domain that ends with 'domain.com', such as 'www.domain.com' or 'ws.domain.com'.

A multi domain cert is a cert that is valid for a predefined list of domain names. It does this by using the Subject Alternative Name field of the cert. For example, you could tell a CA that you want a multi domain cert for 'domain.com' and 'ws.mysite.com'. This would allow it to be used for both domain names.

If neither of these options work for you, then you would need to have two different SSL certs.

Do I Need a Dedicated IP for Each Subdomain

Again, this is a yes and no...it all depends on your web/application server. I am a Windows guy, so I will answer with IIS examples.

If you are running IIS7 or older, then you are forced to bind SSL certs to an IP and you can not have multiple certs assigned to a single IP. This causes you to need to have a different IP for each subdomain if you are using a dedicated SSL cert for each subdomain. If you are using a multi domain cert or a wildcard cert, then you can get away with the single IP as you only have one SSL cert to begin with.

If you are running IIS8 or later, then the same applies. However, IIS8+ includes support for something called Server Name Indication (SNI). SNI allows you to bind an SSL cert to a hostname, not to an IP. So the hostname (Server Name) that is used to make the request is used to indicate which SSL cert IIS should use for the request.

If you use a single IP, then you can configure websites to respond to requests for specific hostnames.

I know that Apache and Tomcat also have support for SNI, but I am not familiar enough with them to know what versions support it.

Bottom Line

Your application/web server and what type of SSL certs you are able to obtain will dictate your options.

My only problem now is that the SSL cert I have is only for my main domain, if I want one for sub-domain also then I have to pay £8.25 PM which equates to about $10.50 at current rates. I should add that this is with my host maybe other hosts might be cheaper or even allow it as part of the hosting deal.


Now I wonder if the info above should be posted on the main SMF site gents? I know I have done the homework and found out about this but I'm more than happy for one of you to post it on there. I think it probably should be set as a sticky too, as a lot of people are probably going to be switching to HTTPS if they haven't done it already, and as you know the more info that can be given the better for everyone. I am suggesting you guys do it as you are more well known than I am and perhaps more trusted.

Skhilled

1.  You must upload repair_settings to each domain/subdomain and run it separately on each one. It will only work for the site you've uploaded it to. It cannot control multiple sites at once.

2.  For cert with a wildcard...that is probably why I've seen all of my domains when I tried to enable it. Makes sense. Your hosting should be able to enable it for use with a wildcard.

3.  Sounds like your hosting is trying to pick your pockets for more money. They should allow you to set them all up especially if you've already paid for it. But I'm thinking they may have it setup so you must buy a dedicated IP for each domain. Personally, I'd try new hosting. Many of them now have free certs installed on their server and are very easy to setup. They would rather you be secured as well as their servers secured than to lose customers to another company.

davejo

Quote from: Skhilled on June 11, 2017, 07:19:58 AM
1.  You must upload repair_settings to each domain/subdomain and run it separately on each one. It will only work for the site you've uploaded it to. It cannot control multiple sites at once.

I think I probably got messed up as I had repair_settings in both the main folder and the subfolder.

Quote from: Skhilled on June 11, 2017, 07:19:58 AM
2.  For cert with a wildcard...that is probably why I've seen all of my domains when I tried to enable it. Makes sense. Your hosting should be able to enable it for use with a wildcard.

My subdomain address is www.rszone.davejohnson.co.uk (FYI. it's a private site and existing members recommend new members and can only join by referral) No they are not pedo's or anything like that I wouldn't allow anything like that on my site.

If your sites have their own domain names then they will show up, but as mine is a subdomain of my main domain it doesn't work. Unless I'm missing your point Steve.

When I run the SSL checker from here https://www.sslshopper.com/ssl-checker.html you see the list below, as you can see this does not include the subdomain

Quote
www.davejohnson.co.uk resolves to 50.87.89.29    
Server Type: nginx/1.12.0    
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).    
The certificate was issued by Comodo.     
The certificate will expire in 364 days.        
The hostname (www.davejohnson.co.uk) is correctly listed in the certificate.
   Common name: www.davejohnson.co.uk
SANs: www.davejohnson.co.uk, davejohnson.co.uk
Valid from June 9, 2017 to June 10, 2018
Serial Number: 258a4d1d754fdd20bb5c5167ffa85d74
Signature Algorithm: sha256WithRSAEncryption
Issuer: COMODO RSA Domain Validation Secure Server CA


Quote from: Skhilled on June 11, 2017, 07:19:58 AM
3.  Sounds like your hosting is trying to pick your pockets for more money. They should allow you to set them all up especially if you've already paid for it. But I'm thinking they may have it setup so you must buy a dedicated IP for each domain. Personally, I'd try new hosting. Many of them now have free certs installed on their server and are very easy to setup. They would rather you be secured as well as their servers secured than to lose customers to another company.

Strangely enough I have just done a search for hosting with SSL for sub domains here http://www.techradar.com/news/internet/web/best-web-hosting-services-1328078 and none of the hosts supply wildcard/sub-domain as standard with the hosting, they all charge extra for it and from what I could see most are more expensive than my hosting company too.
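The coverage question discussed in the posts above, as an added example that is not part of the original thread or of the SSL checker: it applies the standard hostname-matching rule (a `*` stands for exactly one left-most label) to the SAN list from the quoted checker output. The `*.davejohnson.co.uk` certificate is a hypothetical one constructed for comparison, and the function names are illustrative.

```python
# Added example: SAN coverage check. Not code from the thread or the SSL checker.

# SAN list as reported in the checker output quoted above, in the dict shape
# returned by ssl.SSLSocket.getpeercert().
CHECKER_CERT = {"subjectAltName": (("DNS", "www.davejohnson.co.uk"),
                                   ("DNS", "davejohnson.co.uk"))}
# Hypothetical wildcard certificate, constructed for comparison.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.davejohnson.co.uk"),
                                    ("DNS", "davejohnson.co.uk"))}

HOSTS = ["davejohnson.co.uk", "www.davejohnson.co.uk",
         "rszone.davejohnson.co.uk", "www.rszone.davejohnson.co.uk"]


def dns_sans(peercert):
    """Return the lower-cased DNS entries of a getpeercert()-style dict."""
    return [value.lower() for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]


def san_matches(hostname, pattern):
    """Match one hostname against one SAN entry.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so it never spans a dot.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[0] != "" and host[1:] == pat[1:]
    return host == pat


def coverage(peercert, hosts=HOSTS):
    """Map each hostname to True/False: is it covered by the certificate?"""
    sans = dns_sans(peercert)
    return {h: any(san_matches(h, s) for s in sans) for h in hosts}


if __name__ == "__main__":
    for label, cert in (("checker cert", CHECKER_CERT), ("wildcard cert", WILDCARD_CERT)):
        for host, ok in coverage(cert).items():
            print(f"{label:13} {host:30} {'covered' if ok else 'NOT covered'}")
```

Because the wildcard stands for a single label, the hypothetical `*.davejohnson.co.uk` certificate covers `rszone.davejohnson.co.uk` but not `www.rszone.davejohnson.co.uk`.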




Skhilled

1.  You should have repair_settings.php in each root folder of each domain/subdomain. But, you must run each separately for each forum. Each forum must be treated separately. If you are having one forum link to another then your settings are wrong or you have it redirected to another domain.

2.  For your subdomains to function properly, you should be able to run it as www.rszone.com and not just www.rszone.davejohnson.co.uk..."IF" it is a separately registered domain. If it is a separately owned domain and does not run that way then you do not have your addon/subdomains set properly. You did not specify so I'm guessing here.

3.  That is not true! My hosting, Ken's and others do allow for this for free! They will usually have OpenSSL or Let's Encrypt installed on the server. I've done this one, my VPS and helped Ken with his and Underdog has it on his VPS...all separate hosting using Let's Encrypt!

So, sites that post "the best of something" usually show their slant on it and may even be paid or otherwise compensated for it. Here's a list of hosting that use Let's Encrypt (free!):

https://community.letsencrypt.org/t/web-hosting-who-support-lets-encrypt/6920

davejo

I take all your points on board Steve but as I said the rszone is a subdomain of my main site, you cannot get to it via ww.rszone.com etc.

I will continue to look at other options but in the meantime we will have to stay as plain old http.

Skhilled

Ok, now I see what you mean. A subdomain can be a separately owned domain or not. If it is not a separately owned domain but if it is under your primary domain you should be able to choose it unless your hosting does not allow for the wildcards. My hosting does allow for it and all of my test sites (10 or so) are all setup as https by default because of it. My separate domains were added when I enabled the cert and work the same way.

Keep me posted as to what's going on. :)


EDIT: For many years hosting only used paid certs. But that is something that is rapidly changing in the industry. Google and other search engines are now rating sites based on how secured they are...thus the big change. This has been in the news for about a year now how it was coming and with the Russian hackings, etc. it is a bigger issue now than it ever was!


HTTPS was always touted as being more secure but was only used for financial things like using a credit card to purchase something. You can run your site without it. But if you are looking to make it something big then you'll want to use it. It is not necessary but many people are worried about securing their information and may only go to sites that use it. It's your choice. ;)

Ronald

Just did the repair settings and changed all the url to https://. Then I also made a redirect from http:// to https://, works like a charm..

Skhilled

Excellent! See...you are learning. ;)