Certificate problem

Lefteris_D

Administrator
Staff member
The forum was changed to use HTTPS around 48 hours ago. Does the message appear everywhere or at any specific topic/page?
 

Robert

Member
I only come to this page.
forums.emulator-zone.com

The certificate is only valid for:
Code:
DNS Name: galactica.visei.net
DNS Name: www.galactica.visei.net

The first URL redirects to the http version of this site, the other doesn't exist.

Strangely, the Firefox on my other machine has no complaints.



EDIT: tried it on the home page (emulators downloads etc).
http works fine apart from an annoying popup about cookies.
https produces this:

Code:
This Connection is Untrusted

You have asked Firefox to connect securely to www.emulator-zone.com, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Technical Details

www.emulator-zone.com uses an invalid security certificate.

The certificate is only valid for the following names:
  galactica.visei.net , www.galactica.visei.net

(Error code: ssl_error_bad_cert_domain)
 

GHDpro

Administrator
Staff member
galactica.visei.net is the hostname for the server; both that domain and the forum now use SSL.

I had a little problem with the webserver configuration causing all traffic to be redirected to galactica.visei.net (oops). As I was working on other things I only found out about an hour later and quickly fixed it.

That might explain the problem, because it has otherwise been working fine for me.

Try the following:

- Clear your browser cache

or if that doesn't work:

- Go to "History" and right-click one of the entries for the forum and select "Forget this Site"

In both cases please close & relaunch the browser before trying again.

If that doesn't work I'll have to dig deeper. One of the other possible causes is that the server uses "SNI" (Server Name Indication) to allow multiple SSL certificates on a single server IP address. If you use an older version of Firefox, or it is configured to use a proxy that doesn't support SNI, you might also get this problem.

To check if Firefox uses a proxy, go to: Options > Advanced > Network > Settings button (in the "Connection" section)
 

Robert

Member
I think the problem is that this is an old version of Firefox. Since you've confirmed that the server name is correct I will simply accept and store the certificate offered, same as I did for the forum.

Out of interest I tried using IE6, and found that the site is not accessible at all. However it works fine with IE8.
 

Lefteris_D

Administrator
Staff member
IE6 can rot in hell, it is no longer targeted by any site because it does not support any of the modern standards without some really nasty code hacks to get compatibility.

If you need to target an old IE version make sure to have a bare minimum of IE7 (update for XP or default for Vista) or IE8 (default for win7).
 

GHDpro

Administrator
Staff member
One thing: I reread your post more carefully and should note: the main site (www) does not support SSL at this time.

However the webserver software gets a little confused if you try to access the site through HTTPS anyway. The webserver is listening on 443 (HTTPS) for the sites (forum & server hostname) that need it. I guess if you then request any other site (that technically is only configured for non-HTTPS port 80) it will serve that site but will just pick the first SSL certificate in its config to serve with it. Hence why you get the certificate error.

I do not want to make the site (www) HTTPS at this time as it technically means breaking all old links that still link to the HTTP (non-SSL) site. As users will be redirected they might not notice it really, but search engines will. However I may have to get an SSL certificate for the site anyway if only just to redirect any traffic that might stumble on it to the "proper" site (HTTP). A bit weird, but oh well.

Also for Firefox not to support SNI it would have to be ancient. SNI is supported since Firefox 2.0 (released in 2007).

And yeah, fuck IE, or at least on XP: no version of Internet Explorer on Windows XP supports SNI. You need at least Vista for SNI support in Internet Explorer. Other browsers (Firefox, Chrome) on XP are not affected by this (assuming they're somewhat recent versions). I have no problem with the forum not even loading in IE6 (or any IE on XP) anymore: people should stop using it anyway.

As Let's Encrypt will be nearly ready (free SSL certificates for everyone) and Firefox will probably mark login forms as insecure if not served via HTTPS from early 2016, you are probably going to see a lot more people use SSL and a good chunk will also use SNI.

So to recap:

https://galactica.visei.net/ should work without errors or warnings (but will redirect you to http://www.emulator-zone.com)
https://forums.emulator-zone.com/ should work without errors or warnings
https://www.emulator-zone.com/ will not work and give errors -- use http://www.emulator-zone.com instead
 

Robert

Member
I have 2 computers on the net here.

The older one (this one) is running Windows 2000, and IE6 is the maximum IE version that can run on it. I have Firefox 3.6.24, which is the browser I normally use.

The other machine is XP SP3 with all the latest patches. It has Firefox, latest version, and IE8 latest patches. As I pointed out above, IE8 can display the site without issue.

I'm unemployed, so there's no chance of "upgrading" to a newer OS any time soon.
 

malloc4096

New member
Another possibility. . . is that he's using a hosts file that automatically directs to the IP.

I noticed the server change because my old host setting failed, but didn't notice or care why till I saw this thread. . . I did not encounter the certificate error that Robert mentioned, though, using the standard web address. . . till I tried connecting directly to the new IP under HTTPS instead (I only just tried that, though, because I saw this thread).

I don't mention which versions of stuff I use, but it's not as old as Robert's but it's not the latest FF version either. . . I suspect Robert should not have any issue except if he did what I just mentioned. . . otherwise I'd suspect, as you guys mentioned earlier, it's about him just not clearing out his old settings. May as well flush your DNS cache while you're at it too.

Side note: I believe I understand the reasoning behind SSL, however I personally don't care for the whole SSL bandwagon. I would hope email and bank servers, etc. are all SSL. . . but everything else, especially non-personal sites, I don't see the point. I think it just adds overhead. Unless the only reason you guys did it was for that reason you mentioned above about how future versions of FF and whatnot may give warning messages on ANY non-SSL site in the future?

[EDIT]: Another note for Robert: if it happens and it's bothering you to know why. . . Firefox (not sure exactly for the version you use) supports multiple profiles. If you're afraid of screwing with the settings because you have them set up exactly how you like. . . just create another profile. It will be isolated from all your other profiles' caches/settings, so you'd be able to tell for sure if it's your FF settings or not.

In a nutshell. . . In
Code:
%APPDATA%\Mozilla\firefox\profiles.ini

[Profile1]
Name=Watever
IsRelative=0
Path=D:\Path\To\Whereever

right click firefox shortcut
in the Target box add to the end of the path
 -P "Watever"
 

Robert

Member
Just started getting a lot of bad certificate errors for another domain, this time there's no option to accept it.

The result is the forum pages are badly formatted with half the stuff not showing or working.

Guess it's near the end for me here.
 

Lefteris_D

Administrator
Staff member
Which browser are you on? Latest Firefox and Chrome give me no errors.

Is the domain you are getting as an error one of these two?
cdn-forums.emulator-zone.com
ezforums-2926.kxcdn.com
 

Robert

Member
It was for the 2nd url.

No errors on this visit, but the formatting is still screwed up and no pictures show (avatars, smilies, banner etc).

Still using the old version of Firefox as noted earlier.
 

Lefteris_D

Administrator
Staff member
GHDpro was doing some late evening tweaking with a CDN system (using that domain) that is supposed to speed up things.

Also, I keep forgetting that you use that "ancient" Firefox version. The problem is that the server is now using http/2 as well and, according to this wiki, Firefox added support from version 34.
 

Touko White

I'm cute, aren't I?
IE6 can rot in hell, it is no longer targeted by any site because it does not support any of the modern standards without some really nasty code hacks to get compatibility.

If you need to target an old IE version make sure to have a bare minimum of IE7 (update for XP or default for Vista) or IE8 (default for win7).
It never did support web standards at its own time in 2001 either.
Oh, and no IE7 either, only 0.2% usage out of IE usage currently. IE8's still something like 10% but that's because of the people with XP and Vista without SP2 mainly, so that's probably a bare minimum.
Firefox 3.6 is probably worth supporting though because it was the last Firefox which was actually good. FF4 and beyond turned it into a memory-leaking POS which is like one of those crappy pirate NES games, copying Chrome. (I'm not speaking of Hummer Team's pirate games though, they're pretty good).
 

GHDpro

Administrator
Staff member
Sorry about that. I recently implemented a CDN for the forum, which should hopefully speed things up.

Here is the technical explanation:

The initial domain for the CDN was ezforums-2926.kxcdn.com (which is the standard URL supplied by my CDN provider), but as that obviously doesn't look very pretty I changed it to cdn-forums.emulator-zone.com a few days later.

The problem is twofold: first as the forum is now HTTPS only, the CDN also needs to support HTTPS (which it does), second even though the URL changed, behind-the-scenes your browser is still being redirected to ezforums-2926.kxcdn.com (using a "CNAME" DNS record).

HTTPS is very strict as to what certificate is valid for which URL. So when I was using ezforums-2926.kxcdn.com as main CDN URL it returned an SSL certificate valid for *.kxcdn.com (a so-called wildcard certificate), but when I switched the URL I supplied my own SSL certificate valid for cdn-forums.emulator-zone.com.

Due to the new URL essentially being redirected to the old URL in reality, it means ezforums-2926.kxcdn.com now returns the SSL certificate for cdn-forums.emulator-zone.com. This is fine if you access the CDN zone through the new URL, but using the old URL you will now get certificate errors. (If you copy the old CDN URL into Firefox you can see this for yourself)

--------------------

I have changed all references to the old CDN URL. If you refresh the page it should load all static assets (javascript and images incl. avatars) from cdn-forums.emulator-zone.com

If you find a page that even after reloading still references ezforums-2926.kxcdn.com please notify me, this really shouldn't happen.

Btw, while I did recently enable http/2 on this server (which should make things faster for browsers that support it), old browsers will continue to work just fine (but won't be able to benefit from http/2).
 

GHDpro

Administrator
Staff member
It never did support web standards at its own time in 2001 either.
Oh, and no IE7 either, only 0.2% usage out of IE usage currently. IE8's still something like 10% but that's because of the people with XP and Vista without SP2 mainly, so that's probably a bare minimum.
Firefox 3.6 is probably worth supporting though because it was the last Firefox which was actually good. FF4 and beyond turned it into a memory-leaking POS which is like one of those crappy pirate NES games, copying Chrome. (I'm not speaking of Hummer Team's pirate games though, they're pretty good).
Firefox has done some things in recent versions I'm really unhappy with, including the style change and including crap nobody asked for ("Hello" and "Pocket"). But I still prefer it over Chrome, mainly because I've been using FF for such a long time (since 2003/2004, which is before version 1.0). And fortunately most of the new style can be reverted with the Classic Theme Restorer plugin.

My opinion as an independent developer: I'll try to make sure things work and look pretty on current browsers. On older browsers (to an extent) most things should still work but may not look pretty. However if they don't work: upgrade.

Firefox 3.6 on Windows 2000 should work, in theory. But sorry you can't expect me to make sure it works. I just hope it still does.
 

Robert

Member
OK. I just visited here (https://forums.emulator-zone.com), and received 3 popups for invalid certificate. The forum looks the same as before, no images.

I opened a new tab and went to https://cdn-forums.emulator-zone.com and the connection is untrusted. The error is:
cdn-forums.emulator-zone.com uses an invalid security certificate.

The certificate is only valid for the following names:
*.kxcdn.com , kxcdn.com

(Error code: ssl_error_bad_cert_domain)
It gave me the option to accept the certificate, which I did, and the images appeared.

So I think the best thing is to change my bookmark to point at this new URL.
 

GHDpro

Administrator
Staff member
First, cdn-forums.emulator-zone.com should not be considered the "new" URL for the forum; it's the CDN URL mainly intended for serving static files. As it is a so-called "pull zone" (reverse proxy) it will display pages too, but some features of the CDN might cause weird things, such as possibly the inability to log in as the CDN should strip all cookies from requests.

Now on to the issue: what you are seeing is weird and not what I'd expect. You see I get the exact opposite. cdn-forums works fine (SSL Server Test result), the old kxcdn.com URL no longer does:
Code:
ezforums-2926.kxcdn.com uses an invalid security certificate. 

The certificate is only valid for the following names: 
cdn-forums.emulator-zone.com, www.cdn-forums.emulator-zone.com

As you also had the same issue with the forum SSL certificate which also uses SNI (Server Name Indication), I suspect the problem is your browser doesn't support SNI. Either that or for some weird reason SSL certificates are being cached.

What does this site say? https://sni.velox.ch/ (SNI browser test)

Here are two other sites that use SNI, do you also get a certificate error on these sites? (content of these sites is otherwise unimportant)

https://visei.com/ (SSL Test)
https://community.letsencrypt.org/ (SSL Test)

If these tests suggest SNI isn't working, then sorry there isn't much I can do. In theory I could fix the forum (by making the forum SSL certificate the default for the server), but I can't fix the CDN as it is out of my hands.

And brace yourself as a lot more sites might start to break now that Let's Encrypt is in public beta and more people will deploy SSL on their sites, often using SNI.
 

Robert

Member
https://sni.velox.ch/
sni.velox.ch uses an invalid security certificate.

The certificate is only valid for the following names:
alice.sni.velox.ch , carol.sni.velox.ch

(Error code: ssl_error_bad_cert_domain)
Unfortunately, your client [Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24] did not send a TLS server name indication extension (RFC 4366) in its ClientHello (negotiated protocol: TLSv1, cipher suite: AES256-SHA), so you're probably getting warnings about certificate name mismatches.


https://visei.com
visei.com uses an invalid security certificate.

The certificate is only valid for defiant.visei.net

(Error code: ssl_error_bad_cert_domain)


https://community.letsencrypt.org
community.letsencrypt.org uses an invalid security certificate.

The certificate is only valid for the following names:
*.discourse.org , discourse.org

(Error code: ssl_error_bad_cert_domain)

Seems SNI not working on this browser.
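
The behaviour this thread converges on, as an added example that is not part of any poster's message: a server holding several certificates picks one by the SNI name the client sends and falls back to its first certificate otherwise, and the browser then checks the requested hostname against the names on whatever it was given. This is a simplified model; the certificate order and the forum certificate's name are assumptions, while the other names come from the error messages quoted above.

```python
# Added illustration (not from the thread): SNI certificate selection
# and the browser's hostname check, with names taken from the posts.

def name_matches(pattern, host):
    """Exact match, or '*' standing for exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host

def cert_covers(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)

def select_cert(certs, sni):
    """Server side: certificate covering the SNI name, else the first one."""
    if sni is not None:
        for names in certs:
            if cert_covers(names, sni):
                return names
    return certs[0]  # no SNI sent, or no HTTPS site configured for that name

def connect(certs, host, client_sends_sni):
    """Return (hostname_check_passes, names on the certificate presented)."""
    presented = select_cert(certs, host if client_sends_sni else None)
    return cert_covers(presented, host), presented

# Assumed configuration: the order and the forum certificate's name are guesses.
ORIGIN = [
    ["galactica.visei.net", "www.galactica.visei.net"],  # first = default
    ["forums.emulator-zone.com"],
]
CDN_EDGE = [
    ["*.kxcdn.com", "kxcdn.com"],  # provider's default certificate
    ["cdn-forums.emulator-zone.com", "www.cdn-forums.emulator-zone.com"],
]

if __name__ == "__main__":
    for label, certs, host, sni in [
        ("modern browser, forum", ORIGIN, "forums.emulator-zone.com", True),
        ("no-SNI browser, forum", ORIGIN, "forums.emulator-zone.com", False),
        ("any browser, https www", ORIGIN, "www.emulator-zone.com", True),
        ("no-SNI browser, CDN", CDN_EDGE, "cdn-forums.emulator-zone.com", False),
    ]:
        ok, names = connect(certs, host, sni)
        print(f"{label:24} {'OK' if ok else 'bad_cert_domain'}  {names}")
```
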
 