Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25

Thread: Certificate problem

  1. #11
    Member Robert's Avatar
    Join Date
    Oct 2004
    Location
    Land of Oz
    Posts
    598

    Default Re: Certificate problem

    Just started getting a lot of bad certificate errors for another domain, this time there's no option to accept it.

    The result is the forum pages are badly formatted with half the stuff not showing or working.

    Guess it's near the end for me here.

  2. #12
    Forum Administrator Lefteris_D's Avatar
    Join Date
    Sep 2003
    Location
    Athens, Greece
    Age
    37
    Posts
    3,760
    Blog Entries
    2

    Default Re: Certificate problem

    Which browser are you on? Latest firefox and chrome give me no errors.

    Is the domain you are getting as an error one of these two? cdn-forums.emulator-zone.com ezforums-2926.kxcdn.com
    ...

  3. #13
    Member Robert's Avatar
    Join Date
    Oct 2004
    Location
    Land of Oz
    Posts
    598

    Default Re: Certificate problem

    It was for the 2nd url.

    No errors on this visit, but the formatting is still screwed up and no pictures show (avatars, smilies, banner etc).

    Still using the old version of Firefox as noted earlier.

  4. #14
    Forum Administrator Lefteris_D's Avatar
    Join Date
    Sep 2003
    Location
    Athens, Greece
    Age
    37
    Posts
    3,760
    Blog Entries
    2

    Default Re: Certificate problem

    GHDpro was doing some late evening tweaking with a CDN system (using that domain) that is supposed to speed up things.

    Also, I keep forgetting that you use that "ancient" firefox version. The problem is that the server is now using http/2 as well and according to this wiki firefox added support from version 34.
    ...

  5. #15
    I'm cute, aren't I? Touko White's Avatar
    Join Date
    Aug 2015
    Location
    Southeast England
    Posts
    72

    Default Re: Certificate problem

    Quote Originally Posted by Lefteris_D View Post
    IE6 can rot in hell, it is no longer targeted by any site because it does not support any of the modern standards without some really nasty code hacks to get compatibility.

    If you need to target an old IE version make sure to have a bare minimum of IE7 (update for XP or default for Vista) or IE8 (default for win7).
    It never did support web standards at its own time in 2001 either.
    Oh, and no IE7 either, only 0.2% usage out of IE usage currently. IE8's still something like 10% but that's because of the people with XP and Vista without SP2 mainly, so that's probably a bare minimum.
    Firefox 3.6 is probably worth supporting though because it was the last firefox which was actually good. FF4 and beyond turned it into a memory-leaking POS which is like one of those crappy pirate NES games, copying Chrome. (I'm not speaking of Hummer Team's pirate games though, they're pretty good).

  6. #16
    Forum Administrator GHDpro's Avatar
    Join Date
    Sep 2003
    Location
    The Netherlands
    Age
    40
    Posts
    493

    Default Re: Certificate problem

    Sorry about that. I recently implemented a CDN for the forum, which should hopefully speed things up.

    Here is the technical explanation:

    The initial domain for the CDN was ezforums-2926.kxcdn.com (which is the standard URL supplied by my CDN provider), but as that obviously doesn't look very pretty I changed it to cdn-forums.emulator-zone.com a few days later.

    The problem is twofold: first as the forum is now HTTPS only, the CDN also needs to support HTTPS (which it does), second even though the URL changed, behind-the-scenes your browser is still being redirected to ezforums-2926.kxcdn.com (using a "CNAME" DNS record).

    HTTPS is very strict as to what certificate is valid for which URL. So when I was using ezforums-2926.kxcdn.com as main CDN URL it a returned a SSL certificate valid for *.kxcdn.com (a so-called wildcard certificate), but when I switched the URL I supplied my own SSL certificate valid for cdn-forums.emulator-zone.com.

    Due to the new URL essentially being redirected to the old URL in reality, it means ezforums-2926.kxcdn.com now returns the SSL certificate for cdn-forums.emulator-zone.com. This is fine if you access the CDN zone through the new URL, but using the old URL you will now get certificate errors. (If you copy the old CDN URL into Firefox you can see this for yourself)

    --------------------

    I have changed all references to the old CDN URL. If you refresh the page it should load all static assets (javascript and images incl. avatars) from cdn-forums.emulator-zone.com

    If you find a page that even after reloading still references ezforums-2926.kxcdn.com please notify me, this really shouldn't happen.

    Btw, while I did recently enable http/2 on this server (which should make things faster for browsers that support it), old browsers will continue to work just fine (but won't be able to benefit from http/2).

  7. #17
    Forum Administrator GHDpro's Avatar
    Join Date
    Sep 2003
    Location
    The Netherlands
    Age
    40
    Posts
    493

    Default Re: Certificate problem

    Quote Originally Posted by Termingamer2-JD View Post
    It never did support web standards at its own time in 2001 either.
    Oh, and no IE7 either, only 0.2% usage out of IE usage currently. IE8's still something like 10% but that's because of the people with XP and Vista without SP2 mainly, so that's probably a bare minimum.
    Firefox 3.6 is probably worth supporting though because it was the last firefox which was actually good. FF4 and beyond turned it into a memory-leaking POS which is like one of those crappy pirate NES games, copying Chrome. (I'm not speaking of Hummer Team's pirate games though, they're pretty good).
    Firefox has done some things in recent versions I'm really unhappy with, including the style change and including crap nobody asked for ("Hello" and "Pocket"). But I still prefer it over Chrome, mainly because I've been using FF for such a long time (since 2003/2004, which is before version 1.0). And fortunately most of the new style can be reverted with the Classic Theme Restorer plugin.

    My opinion as an independent developer: I'll try to make sure things work and look pretty on current browsers. On older browsers (to an extend) most things should still work but may not look pretty. However if they don't work: upgrade.

    Firefox 3.6 on Windows 2000 should work, in theory. But sorry you can't expect me to make sure it works. I just hope it still does.

  8. #18
    Member Robert's Avatar
    Join Date
    Oct 2004
    Location
    Land of Oz
    Posts
    598

    Default Re: Certificate problem

    OK. I just visited here (https://forums.emulator-zone.com), and received 3 popups for invalid certificate. The forum looks the same as before, no images.

    I opened a new tab and went to https://cdn-forums.emulator-zone.com and the connection is untrusted. The error is:
    cdn-forums.emulator-zone.com uses an invalid security certificate.

    The certificate is only valid for the following names:
    *.kxcdn.com , kxcdn.com

    (Error code: ssl_error_bad_cert_domain)
    It gave me the option to accept the certificate, which I did, and the images appeared.

    So I think the best thing is to change my bookmark to point at this new URL.
    Last edited by Robert; December 16th, 2015 at 02:29.

  9. #19
    Forum Administrator GHDpro's Avatar
    Join Date
    Sep 2003
    Location
    The Netherlands
    Age
    40
    Posts
    493

    Default Re: Certificate problem

    First cdn-forums.emulator-zone.com should not be considered the "new" URL for the forum; it's the CDN URL mainly intended for serving static files. As it is a so-called "pull zone" (reverse proxy) it will display pages too, but some features of the CDN might cause weird things, such as possibly the inability to login as the CDN should strip all cookies from requests.

    Now on to the issue: what you are seeing is weird and not what I'd expect. You see I get the exact opposite. cdn-forums works fine (SSL Server Test result), the old kxcdn.com URL no longer does:
    Code:
    ezforums-2926.kxcdn.com uses an invalid security certificate. 
    
    The certificate is only valid for the following names: 
    cdn-forums.emulator-zone.com, www.cdn-forums.emulator-zone.com
    As you also had the same issue with the forum SSL certificate which also uses SNI (Server Name Indication), I suspect the problem is your browser doesn't support SNI. Either that or for some weird reason SSL certificates are being cached.

    What does this site say? https://sni.velox.ch/ (SNI browser test)

    Here are two other sites that use SNI, do you also get a certificate error on these sites? (content of these sites is otherwise unimportant)

    https://visei.com/ (SSL Test)
    https://community.letsencrypt.org/ (SSL Test)

    If these tests suggest SNI isn't working, then sorry there isn't much I can do. In theory I could fix the forum (by making the forum SSL certificate the default for the server), but I can't fix the CDN as it is out of my hands.

    And brace yourself as a lot more sites might start to break now that Let's Encrypt is in public beta and more people will deploy SSL on their sites, often using SNI.

  10. #20
    Member Robert's Avatar
    Join Date
    Oct 2004
    Location
    Land of Oz
    Posts
    598

    Default Re: Certificate problem

    https://sni.velox.ch/
    sni.velox.ch uses an invalid security certificate.

    The certificate is only valid for the following names:
    alice.sni.velox.ch , carol.sni.velox.ch

    (Error code: ssl_error_bad_cert_domain)
    Unfortunately, your client [Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24] did not send a TLS server name indication extension (RFC 4366) in its ClientHello (negotiated protocol: TLSv1, cipher suite: AES256-SHA), so you're probably getting warnings about certificate name mismatches.

    https://visei.com
    visei.com uses an invalid security certificate.

    The certificate is only valid for defiant.visei.net

    (Error code: ssl_error_bad_cert_domain)

    https://community.letsencrypt.org
    community.letsencrypt.org uses an invalid security certificate.

    The certificate is only valid for the following names:
    *.discourse.org , discourse.org

    (Error code: ssl_error_bad_cert_domain)
    Seems SNI not working on this browser.
    Last edited by Robert; December 16th, 2015 at 14:29.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •