SSL certificates installation raises XMLHttpRequest cannot load exception - ssl

The problem:
I have 2 websites that have the same IP address (a domain and a subdomain), and I have an SSL certificate for each of them. The domain is a WordPress site while the subdomain is a Ruby on Rails application. The subdomain has the certificate installed and works with no problems, but when I try to add the second certificate for the main domain, it works, but it prevents access to the subdomain.
In the web browser inspection page it shows this error :
“XMLHttpRequest cannot load https://giladparking.com/wp-content/plugins/wp-slimstat/wp-slimstat-js.php. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://monthly.giladparking.com' is therefore not allowed access.”
What I have tried:
I have followed this tutorial to allow for SNI support and it seems to work except for the previously mentioned issue.
I have taken a look at this post as well, which explains that you can't make XMLHttpRequests across domains, but this issue only arises when both certificates are in effect.

“XMLHttpRequest cannot load https://giladparking.com/wp-content/plugins/wp-slimstat/wp-slimstat-js.php....
The certificate for this site is valid for monthly.giladparking.com and www.monthly.giladparking.com but not for giladparking.com. That's why any access to this site will fail with a certificate error. This problem is not restricted to XMLHttpRequests.

Related

How to change the http into https for my domain name?

I recently bought a domain name at OVH for an app I hosted on Heroku. I then paid for the dynos in order to set an automatic SSL certificate.
Everything seems to me working fine:
Domain Status Last Updated
─────────── ─────────── ────────────
mpjrigot.eu Cert issued 2 minutes
mpjrigot.fr Cert issued 2 minutes
But my URL is still in HTTP. What am I missing?
EDIT
I'm using React.js for this app
I also have a Ruby on Rails back but for now I'm keeping that on the heroku.app, works fine
2nd EDIT
Using react-https-redirect, force-https or react-ssl-redirect...
Basically, Chrome tells me that "this is not a safe space", and that this is a fake https that might want to steal the user's passwords and stuff
So I got an SSL that is set on my HerokuApp,
I got a domain on OVH that points to the IP of the app
But the http isn't secure somehow
I really think I missed something obvious as I'm new to this...
You can add HTTPS to your app with the following methods.
Method1 (Recommended)
Since you're using Rails for the backend, you can configure your Rails app to always use HTTPS.
In your production.rb add
config.force_ssl = true
More Info: https://help.heroku.com/J2R1S4T8/can-heroku-force-an-application-to-use-ssl-tls
ActionDispatch SSL: https://api.rubyonrails.org/v6.1.4/classes/ActionDispatch/SSL.html
Method2 (Easy Setup)
You can also sign up for Cloudflare's free plan and easily set up HTTPS redirects with Cloudflare's 'Always Use HTTPS' or 'Automatic HTTPS Rewrites' feature.
The 'Always Use HTTPS' feature will redirect all HTTP requests on your site to the HTTPS address.
The 'Automatic HTTPS Rewrites' feature will change the HTTP links on your site to HTTPS links.
More Info here:
Always use HTTPS: https://blog.cloudflare.com/how-to-make-your-site-https-only
Automatic HTTPS: https://www.cloudflare.com/website-optimization/automatic-https-rewrite/
Cloudflare's SSL: https://www.cloudflare.com/ssl/
What am I missing?
Heroku provides a certificate, so you should be able to access your application using https://. However it does not redirect HTTP requests to HTTPS for you:
Redirects need to be performed at the application level as the Heroku router does not provide this functionality. You should code the redirect logic into your application.
Exactly how you do that depends on the language and libraries or framework that you are using. Several common examples are listed in the link I provided above.
If you edit your question to tell us what technology you have used to build your application I'll be happy to add those details to this answer. In case you are using Scala, please see How to disable HTTP requests on Heroku and/or auto-redirect to HTTPS?
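An application-level redirect of the kind the answers above describe, written as Rack-style middleware in plain Ruby. This is an added example, not code from the posts or from Heroku; the class name `ForceHttps` and its `allowed_hosts` parameter are hypothetical, and it assumes the router passes the original scheme in the `X-Forwarded-Proto` header.

```ruby
# Rack-style middleware in plain Ruby (no gems): redirect HTTP to HTTPS
# behind a TLS-terminating router such as Heroku's.
class ForceHttps
  HSTS = "max-age=31536000".freeze

  # allowed_hosts: names this app serves (hypothetical parameter); pinning
  # them keeps a forged Host header out of the redirect target.
  def initialize(app, allowed_hosts:)
    @app = app
    @allowed_hosts = allowed_hosts
  end

  def call(env)
    host = env["HTTP_HOST"].to_s.downcase.sub(/:\d+\z/, "")
    unless @allowed_hosts.include?(host)
      return [400, { "content-type" => "text/plain" }, ["Unknown host\n"]]
    end

    # The app only ever sees plain HTTP from the router; the scheme the
    # browser used arrives in X-Forwarded-Proto. Trust it only when every
    # request really passes through that router.
    proto = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
    if proto == "https"
      status, headers, body = @app.call(env)
      return [status, headers.merge("strict-transport-security" => HSTS), body]
    end

    path = env["PATH_INFO"].to_s
    query = env["QUERY_STRING"].to_s
    location = "https://#{host}#{path}"
    location += "?#{query}" unless query.empty?
    [301, { "location" => location, "content-type" => "text/plain" }, ["Redirecting\n"]]
  end
end

# Constructed stand-in for the real application, wrapped by the middleware.
DEMO_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["hello\n"]] }
SECURED  = ForceHttps.new(DEMO_APP, allowed_hosts: %w[mpjrigot.eu mpjrigot.fr])
```

In a Rails app, `config.force_ssl = true` installs `ActionDispatch::SSL`, which performs the same redirect and sets the HSTS header.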
solution
I eventually read about Heroku needing a specific host that takes in the address they tell you to point to when setting a domain name...
So I switched to Gandi for my domain name and set the ALIAS to point to said address
Works like a charm

SSL and iframe - Does the same certificate work for iframe?

I have a website embedding another website with iframe. The first website has SSL with a certificate for *.something.com and let's say its domain is somethingelse.something.com. Can I use the same certificate for the embedded website as well even though there is no subdomain in something.com referring to it?
In other words, does the fact that I am originally coming from somethingelse.something.com count for the embedded website as well?
I hope this makes sense, I am quite new with this.
If the certificate is valid for the domain, the fact that it's an iframe doesn't count.
Be careful: A certificate for "*.example.com" is valid for "anything.example.com" but NOT for "example.com"
The iframe may be blocked for another reason:
CSP on the main page
X-FRAME-OPTIONS on the iframe
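The name-matching rule stated in this answer, and the mismatch described in the answer to the first question on this page (a certificate for monthly.giladparking.com presented for giladparking.com), can be reproduced offline. This is an added example, not code from either post: it builds throwaway self-signed certificates as constructed test data and runs Ruby's own hostname check, `OpenSSL::SSL.verify_certificate_identity`, against them. The helper names are hypothetical.

```ruby
require "openssl"

# Build a throwaway self-signed certificate whose subjectAltName lists
# the given DNS names (constructed test data, not a real site certificate).
def self_signed_cert(dns_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = 1
  name = OpenSSL::X509::Name.new([["CN", "constructed-test-cert"]])
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Map each host to whether the certificate covers it, using the same
# name check Ruby's TLS client applies to the server certificate.
def covered_hosts(cert, hosts)
  hosts.to_h { |h| [h, OpenSSL::SSL.verify_certificate_identity(cert, h)] }
end

# SNI-style selection: the first certificate valid for the requested
# name, or nil when no installed certificate covers it.
def cert_for(host, certs)
  certs.find { |c| OpenSSL::SSL.verify_certificate_identity(c, host) }
end

SUBDOMAIN_CERT = self_signed_cert(%w[monthly.giladparking.com www.monthly.giladparking.com])
WILDCARD_CERT  = self_signed_cert(%w[*.something.com])

if __FILE__ == $PROGRAM_NAME
  p covered_hosts(SUBDOMAIN_CERT, %w[monthly.giladparking.com giladparking.com])
  p covered_hosts(WILDCARD_CERT, %w[somethingelse.something.com something.com a.b.something.com])
  p cert_for("giladparking.com", [SUBDOMAIN_CERT, WILDCARD_CERT]) # no certificate covers the bare domain
end
```

The wildcard covers exactly one label, so it matches neither the bare domain nor a name two levels down.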

Subdomain not working with https, but works with http

I have the following problem:
I'm using letsencrypt to obtain ssl-certificates for my sites.
Recently I registered a subdomain, which is working fine. Say my subdomain is called test and my main site is called website, then https://www.website.com works, as well as http://www.website.com (which redirects to the https-site), as well as https://website.com. Now http://test.website.com or test.website.com works well, but https://test.website.com delivers me the main site (so https itself seems to work, but I get the content of the main site, not of the subdomain). Does anybody know what the problem could be?
I'm using apache2 on Ubuntu14.04
Just check whether the certificate is installed for the load balancer or not.
If this is the problem, just add this certificate to it and it will resolve the problem.

SSL error while opening WordPress Admin

I am having a domain chansek.com, hosted in Openshift through a Wordpress application. But the problem is, when I am trying to open my Wordpress Admin, it's always trying to connect through https instead of http. As I don't have any SSL certificate, it gives me some warning message. Please see the below screenshot for better understanding.
How do I make it go through http? I don't want any SSL certificate for my website as it's a personal blog.
I am also trying to use JetPack plugin. But it gives following error.
Your website needs to be publicly accessible to use Jetpack: site_inaccessible Error
Details: The Jetpack server was unable to communicate with your site
https://www.chansek.com [IXR -32300: transport error: http_request_failed SSL:
no alternative certificate subject name matches target host name 'www.chansek.com']
You have a couple of options:
1.) Disable using SSL for the admin in your wp-config.php file. (Openshift redirects wp-admin to https)
2.) Upgrade to the bronze plan and then purchase a custom SSL certificate and install it
You are getting that error from jetpack because the ssl certificate is not valid for your custom domain, only for your app-domain.rhcloud.com address.

why no 403;4 error in IIS6 when user connects to SSL-secured site using plain HTTP

I was under the impression that if a user attempted to visit a website that had been secured with an SSL certificate, but did not use HTTPS and instead used plain HTTP in the address box, a 403;4 error would be generated, and that an error message something like this would be presented:
"This page must be viewed over a secure channel"
"The page you are trying to access is secured with Secure Sockets Layer (SSL)."
But that's not happening on our website. You can use http://secure.oursite.com or https://secure.oursite.com and both work fine.
The company that issued the SSL certificate says our certificate checks out OK in their certificate checking tool and that it's "chaining properly" and that this is an IIS configuration issue.
Does this SSL over HTTP error checking have to be explicitly enabled?
I was planning on creating a custom error for the 403;4 condition, pointing to a file, which redirects to https://secure.oursite.com. But the error condition is not being trapped by IIS.
EDIT: I've stopped and restarted the server. Not solved.
Thanks
As per this article have you checked the "Require secure channel (SSL)" box in the properties for your site? This is what triggers the error. You can then create the redirect using a custom error page.
a 403;4 error would be generated
That's not what happens in my site. My site automatically redirects to the HTTPS port. It's done free of charge by Tomcat.