Https login form marked as insecure

svennd · March 23, 2017, 10:01am

My domain is: www.molgen.vib-ua.be
My web server is (include version): windows 2008 / IIS 7 (?)
I can login to a root shell on my machine (yes or no, or I don’t know): yes

If I browse from the frontpage : http://www.molgen.vib-ua.be/ to the login page (top right corner) : https://www.molgen.vib-ua.be/Private/loginform.cfm I get a “nonsecure form” messages, while the page is in fact https.

I also got an untrusted error when first trying this website on a fresh firefox. Once I visited another website using let’s encrypt it got fixed…

I think something is wrong with the certificate/chain. I haven’t set it up, and this was previously a self-signed kind of website so … go easy on us please. Is this the issue ? How can I find and fix the issue ?

Thanks

ahaw021 · March 23, 2017, 10:11am

hi @svennd

you have a double whamy going on :

a) https://www.ssllabs.com/ssltest/analyze.html?d=www.molgen.vib-ua.be&hideResults=on

you are serving a LetsEncrypt X1 intermediate when you ceritificate is issued from the X3 issuer

the easiest way to fix this is to download the x3 intermediate https://letsencrypt.org/certs/letsencryptauthorityx3.pem

rename it to .cer and install it on your server

you should see it in you intermediate store

B) if you run your site through this https://www.whynopadlock.com

it will outline insecure content that is being used on a secure page

most of it is a matter of updating your links from http to https as they are pointing to resources in your www.molgen.vib-ua.be domain

Andrei

Osiris · March 23, 2017, 10:12am

It’s probably not the change. I’m seeing a perfectly valid and trusted login form?

Why? This is why:

Your login form uses the HTTP referer header to fill in the destination of the form!

For example, when I went to the login form, directly from your hyperlink above, this was in the source:

		        <form name="frmLogin" id="frmLogin" action="https://community.letsencrypt.org/t/https-login-form-marked-as-insecure/30473" method="post" onsubmit="return _CF_checkfrmLogin(this)">

Wut…?

And as you said you visited the login form from a non-secure HTTP site, you’d get a non-secure HTTP site as the “action” of the form. And that will result in an insecure page. (Mixed content.)

If you go to https://www.molgen.vib-ua.be/ (notice the https) and try to log in, everything will be fine.

How to fix? Well, don’t use a referer as the action of a form, that’s for starters… NEVER trust user input and yes, a HTTP header = user input from the servers point of view. Use a static action for the form, not a dynamic one based on the referer header.

By the way, run your site through the whynopadlock-site like @ahaw021 said: your main site has a lot of non-secure elements.

svennd · March 23, 2017, 12:46pm

@ahaw021
Hey,
I downloaded that file and “installed” it, but the issue remains. I will send this to my windows colleague At-least we know the problem now. The mixed errors are fine.

@Osiris
Thanks for pointing that out as you might have suspected this site was made when animals still could talk. I’m not certified to update this beast

Osiris · March 23, 2017, 12:53pm

Well, if you keep linking to the login page from a non-secure HTTP page and you're not able to update the origin of the form action to something else than the referer, you're keeping the problem of not having a green padlock on the login page (b/c of the non-secure form action).

ahaw021 · March 23, 2017, 1:14pm

try restarting the page in iis

andrei

system · April 22, 2017, 1:14pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.