SSL not working for dologin.php and clientarea.php help needed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:nnserver.website

I ran this command:

It produced this output:

My web server is (include version):apache2 2.4.18

The operating system my web server runs on is (include version):Ubuntu 16.04

My hosting provider, if applicable, is: namecheap

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0

Please have a look at the errors below:

https://www.whynopadlock.com/results/ffe06ef2-367f-43c9-8752-6e13cf2b661a

https://www.whynopadlock.com/results/70df0908-885c-4799-a181-4bbbd0cbd717

Hi @hairyharry

please read the output and fix your errors. Or check the output of https://check-your-website.server-daten.de/?q=nnserver.website#html-content to understand your errors.

PS: Now the check is ready. There is no problem visible. And no form element. Looks like a default page of a CMS or something else.

That’s because your (very, very unreadable and cluttered if I may say so) test didn’t test the same pages as the whynopadlock tests did.

clientarea.php and dologin.php apparently have an unsafe form action.

How do I deal with it, mate?

I can see on that test

Fatal error: http result with http-status 200, no encryption. Add a redirect http ⇒ https, so every connection is secure. Perhaps in your port 80 vHost something like "RewriteEngine on" + "RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]" (two rows, without the "). Don't add this in your port 443 vHost, that would create a loop.

Does my http to https redirection look good in etc/apache2/sites-enabled/000-default.conf?

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName www.nnserver.website

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html




    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.nnserver.website
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

There is obviously a mixed content error. I don't know how to deal with this error: dologin.php and clientarea.php are not being redirected to https. After denying port 80 in the firewall, I can't reach these pages anymore.

If you have such a redirect and it doesn't work: That vHost isn't used.

What does this command say:

apachectl -S

PS: Tested offline, now you have a redirect.

D:\temp>download http://www.nnserver.website/ -h
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 323
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 19 Dec 2019 13:50:58 GMT
Location: https://www.nnserver.website/
Server: Apache/2.4.18 (Ubuntu)

Status: 301 MovedPermanently

Looks like you have found already a solution.

PS: Now checked the clientarea.php - https://check-your-website.server-daten.de/?q=nnserver.website/clientarea.php#html-content

There you have two errors:

You use http and you use an ip address. That's wrong if you don't have a certificate with an ip address as domain name. Currently you can't create certificates with ip addresses via Letsencrypt.

It's your ip address, so use your domain name + https instead.

Your certificate

CN=*.nnserver.website | 16.12.2019 | 15.03.2020 | expires in 87 days | *.nnserver.website - 1 entry

isn't so good.

Create one certificate with both domain names:

*.nnserver.website
nnserver.website

Then nnserver.website is secure.
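
Added example, not part of the original thread: a Python check for the errors described above (a form action that uses http, an IP address as host, or a host name the certificate does not cover). The function names `audit_forms` and `name_covered` and the sample markup are hypothetical; `203.0.113.10` is a constructed documentation address, not the site's real IP.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup; 203.0.113.10 is a documentation address, not the site's IP.
SAMPLE_HTML = """
<form method="post" action="http://203.0.113.10/dologin.php"></form>
<form method="post" action="dologin.php"></form>
<form method="post" action="https://nnserver.website/dologin.php"></form>
"""

def name_covered(host, cert_names):
    # A "*." name covers exactly one left-most label, so never the bare domain.
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n.lower() == host or (n.startswith("*.") and n[2:].lower() == parent)
               for n in cert_names)

class FormActions(HTMLParser):
    # Collects each <form> action; a missing action means "submit to this page".
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def audit_forms(page_url, html, cert_names):
    # Returns [(resolved_action_url, [problems])], one entry per form.
    parser = FormActions()
    parser.feed(html)
    report = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # relative actions inherit scheme and host
        parts = urlsplit(target)
        host = parts.hostname or ""
        problems = [] if parts.scheme == "https" else ["not https"]
        try:
            ipaddress.ip_address(host)
            problems.append("ip address as host")
        except ValueError:
            if not name_covered(host, cert_names):
                problems.append("host not in certificate")
        report.append((target, problems))
    return report

if __name__ == "__main__":
    page = "https://www.nnserver.website/clientarea.php"
    for url, problems in audit_forms(page, SAMPLE_HTML, ["*.nnserver.website"]):
        print(url, problems or "ok")
```

With only `*.nnserver.website` in the certificate, the third form is flagged; passing both `*.nnserver.website` and `nnserver.website` clears it.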

Thanks. First checked only the main page. Now checked one of the detail pages. There is the error visible.

The defined, but not working redirect in the "/" shows, that additional config checks are required.

Thanks guys, solved: changed links in the WHMCS admin panel (SystemURL under Setup >> General Settings) to https and re-issued the SSL cert, and all good here.