Browser error using secured site


#1

Hi there.

I have just created an SSL certificate using your services - wow was that easy (thank you for that!). I’m running an Ubuntu Server with Apache2 redirecting to Tomcat 8 for site content. But when I navigate to my new site, some portions will not show up. In my browser (Chrome but similar on Firefox) I see a shield icon in the URL bar with the following error:

“This page is trying to load scripts from unauthenticated sources”.

I am given the option to “load unsafe scripts” but I would prefer my users not to have to look for this - they’ll never see the shield. What can I do? In /etc/apache2/sites-available/ I had a conf file for my site and a new file was created (ending -le.ssl.conf) … I append them here:

myapp.example.com.conf:

# domain: myapp.example.com
# public: /var/lib/tomcat8/webapps/myapp
<VirtualHost *:80>
ServerName myapp.example.com
ProxyRequests Off
ProxyPass / http://localhost:8080/myapp/
ProxyPassReverse / http://localhost:8080/myapp/
ProxyPassReverseCookiePath /myapp /
ProxyPreserveHost On
RewriteEngine on
RewriteCond %{SERVER_NAME} =myapp.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

myapp.example.com-le-ssl.conf:

<IfModule mod_ssl.c>
# domain: myapp.example.com
# public: /var/lib/tomcat8/webapps/myapp
<VirtualHost *:443>
    ServerName myapp.example.com    
ProxyRequests Off
ProxyPass / http://localhost:8080/myapp/
ProxyPassReverse / http://localhost:8080/myapp/
ProxyPassReverseCookiePath /myapp /
ProxyPreserveHost On
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Is there any way I can configure the site to just work without any browser warnings? Thanks very much.


#2

@thestoat

usually I would ask for domain but you seem to know what you are doing

https://www.whynopadlock.com/

will analyse your site and give you the insecure components :smiley:

sometimes it’s thing like CDNs and images

Andrei


#3

Wow! Thank you for that, Andrei (and for the vote of confidence - I know bits but I’m more a developer with a little knowhow, which is usually a dangerous thing). In my code I was including links like

http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js

When I altered those to

https://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js

the site you mentioned stopped complaining at me and all seems to work fine. Once again - thank you :smiley:


#4

You can use the format of "//ajax.google..". (i.e., without specifying either http nor https) to let the browser choose the protocol. When the site is loaded through http, the browser will use http for that resource, if the browser uses https for the site, it uses https for the resource too :slight_smile:

But using https:// for a HTTPS only site works too of course :wink:


#5

There’s always so much to learn. But thank you for the hint, Osiris. Good to know :smiley:


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.