Why doesn't this work


#1

Hi,

On an Ubuntu system I ran the Letsencrypt script the following way:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --apache -d topsnoep.nl

The installation seemed to go ok - after a few false starts. If you look at the analysis website all scores are now 90% or higher:
https://www.ssllabs.com/ssltest/analyze.html?d=topsnoep.nl

However, if I try to call the website with https I get a crossed out https - signalling that it doesn’t work.

So something goes wrong. But I have no idea where to look.


#2

You are using the same certificate for topsnoep.nl and www.topsnoep.nl - for this to work you need to specify both names when requesting the certificate:

./letsencrypt-auto --apache -d topsnoep.nl -d www.topsnoep.nl


#3

Thank you for your reply.

Should I now run letsencrypt with only the www version? Or should I do it with both - like in your example - repeating the one without www?


#4

It’s probably best to do both, as in my example. That will give you a single new certificate that will cover both names.

You can do the www version separately, but that will give you a separate certificate for it. That’s not necessarily a problem but it does push you one certificate closer to the rate limit, which is something to consider if you have lots of subdomains.


#5

Thanks.

I did as you said. It now works… but still not really. It looks like when I call the https site now it somehow redirects to http. At least I don’t see a lock appearing.


#6

Well, your certificate seems correct now. The redirect is probably some existing Redirect or RewriteRule in your Apache configuration or .htaccess that’s redirecting everything to http://www.topsnoep.nl. You would want to change that to redirect everything to https://www.topsnoep.nl (unless that’s where the user is already), I guess. See https://wiki.apache.org/httpd/RedirectSSL and https://wiki.apache.org/httpd/RewriteHTTPToHTTPS for some examples.


#7

It appears that at the moment the site encrypts only some pages and sends others back to http. However, I am hesitant to send all to https as long as it doesn’t work correctly.

What I now have is this page that is on https:
https://www.topsnoep.nl/quick-order

It stays on the https page. However, it doesn’t show the lock that signals a secure connection. What does this mean?


#8

That’s caused by mixed content: some of your images are loaded with plain HTTP. In addition, the search form submits to an HTTP page, which is also treated as an error by Chrome (Firefox warns only when the form is submitted).
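
The two causes named in the reply above (subresources fetched over plain HTTP, and a form that submits to an HTTP URL) can be checked offline against a page's HTML. This is an added example, not part of the original thread; it uses only Python's standard library, and the sample markup and its paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch a subresource, per tag.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "object": "data"}
# <link rel=...> values that trigger a fetch (plain <a href> navigation is not mixed content).
LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for every http:// reference on a page served over https."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])  # later relative URLs resolve against this
        elif tag == "form":
            self._check("insecure-form", tag, a.get("action", ""))
        elif tag == "link" and LINK_RELS & set(a.get("rel", "").lower().split()):
            self._check("subresource", tag, a.get("href", ""))
        elif tag in FETCH_ATTRS:
            self._check("subresource", tag, a.get(FETCH_ATTRS[tag], ""))

    def _check(self, kind, tag, ref):
        url = urljoin(self.base, ref.strip())  # resolves relative and //host/path forms
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the paths are invented, not taken from the real site.
SAMPLE = """<html><head><link rel="stylesheet" href="/css/shop.css"></head><body>
<a href="http://www.topsnoep.nl/">home</a>
<img src="http://www.topsnoep.nl/img/logo.png"><img src="//www.topsnoep.nl/img/a.png">
<form action="http://www.topsnoep.nl/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in scan("https://www.topsnoep.nl/quick-order", SAMPLE):
        print(*finding)
```

Relative and protocol-relative references inherit the page's https scheme and are not reported; content injected by scripts at runtime is outside what a static scan of the HTML can see.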


#9

Someone mentioned https://www.whynopadlock.com/, which is a seemingly handy checking tool to diagnose these mixed content (and sometimes cert chain and other) issues. I might start suggesting it to people who have trouble getting the padlock to appear after installing their certs.