SSL not working on various modern browsers (Fine on others)

I've installed the free certificate on the Windows 2012 server I look after for the domain listed below. The site is one simple page that at the moment just contains a pre-registration form noted by type form.

The site appears as secure and the padlock appears on Mac: Latest Chrome, Firefox & Safari
It does not appear as secure on

Latest iOS Mobile Safari, Latest PC Edge or Chrome

My domain is: www.iyameducation.com

It produced this output: On the affected browsers the page appears blank because TypeForm does not show on insecure sites. The address bar also shows Not Secure on these sites but Secure on the working browsers.

Any help would be greatly appreciated. Thanks

My web server is (include version): Windows Server 2012

The operating system my web server runs on is (include version): Windows Server 2012

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): Yes

1 Like

I see your website fine if I manually go on httpS. (Chrome 99 on Android 11)

You should add a redirect from http to https.

5 Likes

The problem is probably because the affected browser/os combos are loading the http site, and the working browser/os combos are loading the httpS version. That can happen due to browser setting or bookmark/history. The redirect suggested by @9peppe will fix both scenarios.

5 Likes

Indeed.

What I don't know is how to make such a redirect on IIS 8.5 (or any IIS, for that matter).

4 Likes

Also note that the server sends the "short chain" so will not be supported on older Android devices (pre 7.1) or other systems that do not have ISRG Root X1 in the trust store.

The post did not mention needing to support older devices so perhaps this is not a problem. I just thought it worth mentioning since it is questioning browser support.

Maybe see below topics if the HTTPS url is the one that is failing. But, I agree you should ensure they are not using an HTTP url first.

5 Likes

Thanks for the feedback. I would have sworn in my test I was actually typing the full URL including the HTTPS:// and getting the issue but this morning after trying it it all works fine. Guess I must just be mis-remembering?

Thanks again
Chris

2 Likes

To automatically rewrite http URLs to https on IIS, install the URL Rewrite module (may already be installed): URL Rewrite : The Official Microsoft IIS Site

Then in your web.config for the specific site, configure a URL rewrite rule, such as the rewrite section of the following:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

See also: Using the URL Rewrite Module | Microsoft Docs

6 Likes

Thanks for that. I've copied and pasted into web.config and restarted the site but I'm still getting the same issue (no errors, just showing as not secure still). Are there any other issues I'd need to check for this redirect to work?

2 Likes

Are you sure that you placed that file in the correct folder?

curl -Ii http://iyameducation.com/
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 580
Content-Type: text/html
Server: Microsoft-IIS/8.5
Set-Cookie: ASPSESSIONIDSCABQCQR=NEDPNLIDEEFOFJKDAAEIAFBG; path=/
X-Powered-By: ASP.NET
Date: Tue, 08 Mar 2022 09:56:22 GMT

curl -Ii http://www.iyameducation.com/
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 580
Content-Type: text/html
Server: Microsoft-IIS/8.5
Set-Cookie: ASPSESSIONIDSCABQCQR=OEDPNLIDDOBGPCLJODGOJAFF; path=/
X-Powered-By: ASP.NET
Date: Tue, 08 Mar 2022 09:56:34 GMT

No redirection is being provided.

4 Likes

Thanks for the continued help. The site is about as simple as it can get. There is the default page and the web.config file within the same directory. I've uploaded screenshots of all the key screens.

1 Like

I can assure you that the redirection is not being served:

curl -Ii http://iyameducation.com/default.asp
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 580
Content-Type: text/html
Server: Microsoft-IIS/8.5
Set-Cookie: ASPSESSIONIDQCAATDRQ=GADHBIJDDNDLLLPPHCCEEHKF; path=/
X-Powered-By: ASP.NET
Date: Tue, 08 Mar 2022 10:31:05 GMT

curl -Ii http://www.iyameducation.com/default.asp
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 580
Content-Type: text/html
Server: Microsoft-IIS/8.5
Set-Cookie: ASPSESSIONIDQCAATDRQ=HADHBIJDHAPDLOHCEOHMJGKN; path=/
X-Powered-By: ASP.NET
Date: Tue, 08 Mar 2022 10:31:12 GMT
3 Likes
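
Added example, not part of the original thread: a small shell check in the spirit of the `curl -Ii` tests above, which classifies the headers of a plain-HTTP response as redirecting to HTTPS or not. The function names (`classify_redirect`, `check_url`) and the sample responses are constructed for illustration, and `www.example.com` is a placeholder host.

```bash
#!/usr/bin/env bash
# Added example: read one response's headers (as printed by `curl -sI`) and
# report whether the server redirects the plain-HTTP request to HTTPS.

CR=$(printf '\r')   # curl prints headers with CRLF line endings

# Prints one verdict: "ok:<status>:<target host>", "not-https:<status>",
# or "no-redirect:<status>" ("none" if no status line was seen).
classify_redirect() {
  local line status="" location="" target
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$CR"}
    [ -z "$line" ] && break                  # blank line ends the header block
    case $line in
      HTTP/*)                                # e.g. "HTTP/1.1 302 Found"
        status=${line#* }; status=${status%% *} ;;
      [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:*)    # header names are case-insensitive
        location=${line#*:}
        location=${location#"${location%%[! ]*}"} ;;   # trim leading spaces
    esac
  done
  case $status in
    301|302|303|307|308) ;;                  # redirectType="Found" yields 302
    *) echo "no-redirect:${status:-none}"; return 0 ;;
  esac
  case $location in
    https://*)
      target=${location#https://}; target=${target%%/*}
      echo "ok:$status:$target" ;;
    *) echo "not-https:$status" ;;
  esac
}

# Live check (needs network access); defined here but not called.
check_url() { curl -sI --max-time 10 "$1" | classify_redirect; }

# Constructed sample responses: the first mirrors the 200 OK quoted above,
# the second is what a working rule would return, the third stays on HTTP.
sample_no_redirect() { printf '%s\r\n' 'HTTP/1.1 200 OK' \
  'Content-Type: text/html' 'Server: Microsoft-IIS/8.5' ''; }
sample_redirect()    { printf '%s\r\n' 'HTTP/1.1 302 Found' \
  'Location: https://www.example.com/default.asp' 'Server: Microsoft-IIS/8.5' ''; }
sample_downgrade()   { printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' \
  'location: http://www.example.com/' ''; }

for s in sample_no_redirect sample_redirect sample_downgrade; do
  printf '%-20s %s\n' "$s" "$("$s" | classify_redirect)"
done
```

The target host in the `ok` verdict shows whether the rule kept the requested host name or sent the client to a single canonical one.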

Sorry, I wasn't doubting you at all, just supplied the above in case it cast any light on why it wouldn't be. I can't currently see what I have missed. I know the web.config I've pasted the rules into is the correct one because I can break it and get an error in the browser.

This is the web.config as it stands

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

2 Likes

Interesting, is this classic ASP? I actually don't know if web.config url rewrite works with classic ASP, as there's a chance the asp.net handlers may not be installed on that site.

4 Likes

The asp file is a red herring. It can just be a html file (there is no code, just html in it).

The web.config is definitely being called because I can introduce errors into it and I can get the usual web.config error message when you hit the site.

Chris

I'm not a fan of IIS.
I'm less a fan of putting nginx on Windows.
And even less with Apache on Windows...

But, since you are running Windows Server 2012, maybe there is a way to use Hyper-V to run nginx on Linux and put IIS entirely "behind" that.

3 Likes

The 'Test' button works ok on the URL section but when I used the 'Test' button on the conditions rule I get this.

The {HTTPS} server variable is given a value of either ON or OFF, so your test would be either of those values (in upper or lower case). The rule says if HTTPS is off then redirect to the original url with https:// instead of http://

Note as an aside:

  • The https pattern is a regular expression so technically it should be ^OFF$ but just using off works ok for me. Maybe try the regex version instead? Also do a restart if you haven't done one recently. You might get away with just restarting IIS but either way this URL rewrite module needs to be loaded by IIS.
  • The example redirect pattern https://{HTTP_HOST}/{R:1} would redirect http://anything.microsoft.com to https://anything.microsoft.com so you need both http and https bindings for all your site name combinations for that to work. Personally I also like to force requests to a canonical url e.g. https://microsoft.com/{R:1} would redirect http://anything.microsoft.com/test.aspx to https://microsoft.com/test.aspx

4 Likes

It seems more like that zoomed-in section is being taken completely out of context.

@IYAM
Please zoom out and show more/all of that page.
Normally "regex" pattern tests are to check the matching on the data provided just above it.
[NOT an ON or OFF selector switch]
In your post we can see that "off" doesn't match "www.iyameducation.com" via the result:
"The input data to test does not match the pattern"
But we have no idea who/what/when/where/why that data is being used.

3 Likes

Here are two "regex" examples that match only when the email address is @ an IP.

This one matches:
image

This one doesn't match:
image

3 Likes
