I have a website embedding another website with iframe. The first website has SSL with a certificate for *.something.com and let's say its domain is somethingelse.something.com. Can I use the same certificate for the embedded website as well even though there is no subdomain in something.com referring to it?
In other words, does the fact that I am originally coming from somethingelse.something.com count for the embedded website as well?
I hope this makes sense, I am quite new with this.
If the certificate is valid for the domain, the fact that it's an iframe doesn't count.
Be careful: A certificate for "*.example.com" is valid for "anything.example.com" but NOT for "example.com"
The iframe may be blocked for another reason:
CSP on the main page
X-FRAME-OPTIONS on the iframe
Related
Hoping this doesn't come across as a stupid question. Server and SSL stuff isn't my forte.
I've got a wildcard SSL cert and on my root domain it works. On one of my subdomains it show securely. But on a second subdomain I get the broken padlock.
www.mydomain.ca - secure
www.subdom.mydomain.ca - secure
www.subdom2.mydomain.ca - broken padlock
Now with the root domain I know its a particular CMS, the first subdom is a Drupal site and the one that is broken right now is hosted in Azure.
I suppose my question is do I need to install a seperate SSL cert on my subdom2? (For all I know it was done to the first subdom before my time). Or is the nature of a wildcard SSL cert to cover anything that's a subdomain - provided that all the content is being served securely on the website?
Update
If anyone comes across this, the issue was our vendor was serving an image that wasn't https. In the end in the issue had nothing to do with my wildcard SSL cert and it looks as though it does in fact cover all subdomains as long as content is being served securely!
If anyone comes across this, the issue was our vendor was serving an image that wasn't https. In the end in the issue had nothing to do with my wildcard SSL cert and it looks as though it does in fact cover all subdomains as long as content is being served securely!
URL in question: https://newyorkliquorgiftshop.com/admin/
When you open the above page, you can see in the console that there are lots of error messages saying "...was loaded over HTTPS, but requested an insecure stylesheet.."
This website was working well until all of a sudden this problem shows up. I am not very familiar with https, but I have contacted with Godaddy and the SSL certificate is valid, and there is no obvious problem with "https://newyorkliquorgiftshop.com". And I am stuck here, I've some experiences with HTTPS website before, if the URL of website's homepage is "https", then every resources it loads is via "https" too. I don't know why my website behave differently and I don't know where to start to solve the problem? Any hint is appreciated especially articles about HTTPS that is related to my problem.(I have done a brief research regarding HTTPS but most of the articles I found are about the basic concepts.)
If you have access to the code (not sure what you built the website using), try using https instead of http for the URL's you use to load your style sheets and script files.
For example one of the errors is
Mixed Content: The page at 'https://newyorkliquorgiftshop.com/admin/' was loaded over HTTPS, but requested an insecure script 'http://www.newyorkliquorgiftshop.com/admin/view/javascript/common.js'. This request has been blocked; the content must be served over HTTPS.
You are requesting the .js file using HTTP, try using HTTPS like so:
https://www.newyorkliquorgiftshop.com/admin/view/javascript/common.js
The problem:
I have 2 websites that have the same IP address (a domain and a subdomain), and I have an SSL certificate for each of them. The domain is a word-press site while the sub domain is a ruby on rails application. the subdomain has the certificate installed and works with no problems, but when I try to add the second certificate for the main domain, it works, but it prevents access to the subdomain.
In the web browser inspection page it shows this error :
“XMLHttpRequest cannot load https://giladparking.com/wp-content/plugins/wp-slimstat/wp-slimstat-js.php. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://monthly.giladparking.com' is therefore not allowed access.”
What I have tried:
I have followed this tutorial to allow for SNI support and it seems to work except for the previously mentioned issue.
I have taken a look at this post as well which explains that you can't make XMLHTTPRequests across domains. but this issue only arises when both certificates are in effect.
“XMLHttpRequest cannot load https://giladparking.com/wp-content/plugins/wp-slimstat/wp-slimstat-js.php....
The certificate for this sites is valid for monthly.giladparking.com and www.monthly.giladparking.com but not for giladparking.com. That's why any access to this site will fail with a certificate error. This problem is not restricted to XMLHTTPRequests.
I just installed an SSL Certificate on my domain. and then I noticed that Social buttons (Facebook, Google+, Twitter etc) are no more there.
When I uninstalled the SLL, those buttons were there.
Anybody knows how to fix this issue?
most likely your code for the buttons refers to a non-SSL (http:// instead of https://) URL and most browsers nowadays reject content that is not "secure".
To elaborate on cfrick's answer, which sounds spot on:
It isn't that they reject the content that isn't secure, it is that they reject mixed content. So you can't show secure and non-secure stuff on the same page.
The solution is that for any fully qualified URLs with a protocol prefix (http or https), simply leave that off and modern browsers will use the same protocol as the page was loaded with. So instead of including content with http://example.com/stuff.js you can use //example.com/stuff.js.
I have been searching the internet for two days and I am stuck. I understand that I can purchase an SSL certificate to make my site work for HTTPS so that it is more secure and all that jazz.
My question is do I have to do anything special on the HTML/PHP pages I create for this site, like some PHP call to open a session, or does the fact that there is an SSL Cert on the server mean I don't have to change anything on the HTML pages?
Sorry if this is a dumb question, but I can't find the answer anywhere.
Its primary the setup of the server, e.g. that you have to make the site accessible by SSL (port etc) and configure the certificates.
But maybe you need to make adjustments to your HTML etc too, so that all resources (images, script, css..) will be loaded by SSL too, e.g. all these includes should be either be done with site-relative links or with explicite https:// links. In case the site gets served with both https and http you might also use protocol-relative links, e.g. //www.example.com/index.html will be served with http if the current protocol is http and with https if you currently use https.