Hello Redmine team!
I am writing with two questions about the site I help manage for SWIP-Analytic at swipanalytic.commons.gc.cuny.edu.
1) My Facebook and Twitter widgets that should display on the right sidebar are not displaying. I can't work out why not. Any suggestions? (dashboard pic attached)
2) Chris Caruso recently tried to go to the site during one of our Social Media Fellows meetings and got the attached message. Folks on here helped me set up the redirect through swipanalytic.org and I am wondering if there is some issue with that that is making this message appear? Is there anything that can be done?
Thank you very much for your help!
#2 Updated by Matt Gold over 5 years ago
- Category name set to Domain Mapping
- Status changed from New to Assigned
- Assignee set to Boone Gorges
Boone: Can you please address the security warning?
Scott: Can you please address the Twitter issue?
Thanks to you both. Michelle, moving forward, please keep one issue to a ticket, as that helps us keep various troubleshooting issues straight. Thank you!
#3 Updated by Boone Gorges over 5 years ago
Regarding the "Your connection is not private" message. This appears because you were redirected at some point to https://swipanalytic.org (note the 's'). The Commons server does not have an SSL certificate associated with that domain - we only support SSL for *.commons.gc.cuny.edu. However, because swipanalytic.org (and all other mapped domains) share the Commons IP address, the following happens:
1. The browser validates the SSL cert associated with the swipanalytic.org IP address
2. The certificate authority sends back info to the effect that the SSL cert is valid for *.commons.gc.cuny.edu
3. The browser sees that there is a mismatch between the domains associated with the cert and the requested domain, so it throws the security error.
At root, this is happening because the certificate authority handshake does not include information about the domain name being requested; on the vanilla configuration, SSL certificates are expected to be served from dedicated IP addresses. We can theoretically work around this requirement by installing and configuring the SNI extension for Apache. I'll open a thread with IT to see if this is possible.
In the meantime, we can attempt to skirt the problem by ensuring that redirects to https://swipanalytic.org never take place. Marilynn, do you remember exactly what you were doing that led you to this error notice? Where in the interface did you click?
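
Added example (not part of the ticket or the Commons code base): a small Python model of the hostname check behind the "Your connection is not private" warning discussed in comment #3, and of how SNI-based certificate selection would change the outcome. `MAPPED_CERT` and all function names are hypothetical, and the certificate name lists are constructed from the hostnames in the ticket.

```python
# Added illustration: models certificate selection and hostname verification.
# The certificate name lists are constructed from hostnames in the ticket.

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one non-empty label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def select_certificate(sni_name, certs_by_host, default_cert):
    """Server side: choose a cert by the SNI name the client sent.
    Without SNI (sni_name is None), or with no matching entry,
    every domain on the shared IP gets the default cert."""
    if sni_name is not None:
        for cert in certs_by_host:
            if any(name_matches(n, sni_name) for n in cert):
                return cert
    return default_cert


def client_accepts(requested_host, served_cert):
    """Client side: the requested hostname must match a name in the cert."""
    return any(name_matches(n, requested_host) for n in served_cert)


COMMONS_CERT = ["*.commons.gc.cuny.edu"]  # the only cert the ticket mentions
MAPPED_CERT = ["swipanalytic.org"]        # hypothetical, not installed per the ticket


def connect(host, certs_by_host, sni=True):
    """Return True if a browser would accept the cert served for https://host."""
    served = select_certificate(host if sni else None, certs_by_host, COMMONS_CERT)
    return client_accepts(host, served)


if __name__ == "__main__":
    for host in ("swipanalytic.commons.gc.cuny.edu", "swipanalytic.org"):
        print(host, "->", "ok" if connect(host, [COMMONS_CERT]) else "name mismatch")
```
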
#4 Updated by Boone Gorges over 5 years ago
- Status changed from Assigned to Resolved
- Target version set to 1.7.15
I spent a bunch of time playing whack-a-mole with SSL-related stuff today, and 1.7.15 will have a bunch of improvements to ensure that SSL requests aren't polluted with insecure assets.
More to the point of this ticket: I'm assuming that the path Marilynn took to get to the bad https address was through the My Sites menu. Fixing this was extremely unpleasant, but it should no longer happen after https://github.com/cuny-academic-commons/cac/commit/e4a5840cfae7a49ced5420387a3d23bd18b963a5.
Ray, added you as a watcher mainly so you could see how fun that commit was.
I'm going to mark this ticket as Resolved on the assumption that I've correctly diagnosed the bad redirect. We still have a larger issue to tackle regarding the hosting of non-SSL domains on this IP address, but we'll handle that in a separate ticket.
#6 Updated by Marilynn Johnson over 5 years ago
I am not sure exactly where I tried to go to the page from -- it is possible from the 'my sites' dropdown while logged in on the commons. Sorry I don't fully understand some of the technical language above. Is whatever the issue was basically fixed for my site?
#9 Updated by Marilynn Johnson over 5 years ago
I am writing on this ticket again because the Twitter and Facebook widgets on the side of the site detailed here, swipanalytic.commons.gc.cuny.edu, seem to have disappeared again. Perhaps something got lost in an update? They were there for a while after this ticket was addressed but I noticed a few weeks ago they were gone.
#10 Updated by Matt Gold over 5 years ago
Hi Marilynn -- I'm seeing the widgets (screenshot attached). Perhaps the browser you are using is blocking them from loading? What computer OS/browser are you using to view the site?