This Help forum is for issues related to the latest release (1.7.10/11/12). For issues related to development versions please use their own Help forum.
Before asking for help please read "How to request help" by clicking on that tab above here.

TOPIC: Not Secure

Not Secure 5 months 4 weeks ago #1

  • thomas52
  • Frequent
  • Western North Carolina
  • Posts: 811
My website has begun showing "Not secure" before the URL. Should I be concerned? What should I do?
"Failure is an amazing teacher." (L'échec est un professeur extraordinaire.)
The administrator has disabled public write access.

Not Secure 5 months 4 weeks ago #2

  • fisharebest
  • Administrator
  • Posts: 11102
I'm guessing this is because you do not use HTTPS on your server.

Web-browsers are increasingly showing this warning on HTTP sites that contain forms (e.g. login).
Greg Roach - fisharebest.webtrees.net

Not Secure 5 months 3 weeks ago #3

  • HenkK
  • New
  • Posts: 20
Good afternoon,

I have the same issue, but only when I want to log-in.
The redirecting from port 80 to port 443 is OK. The site is shown as secure in the URL-field.

When I then want to log in (any user) then I get the message "Not secure form" and the log-in fails.

I was upgrading from WT1.7.9 to 1.7.12 on a Mac (High Sierra)
PHP is 7.1.16
My certificate is Letsencrypt
webtrees is 1.7.9
Mac Server
Php is 7.1.16
Apache 2.0 (? not sure Mac High Sierra 10.13.6)

Not Secure 5 months 3 weeks ago #4

  • fisharebest
  • Administrator
  • Posts: 11102
> When I then want to log in (any user) then I get the message "Not secure form" and the log-in fails.

I just tried to login to your site, and did not see any "insecure" message.
Greg Roach - fisharebest.webtrees.net

Not Secure 5 months 3 weeks ago #5

  • HenkK
  • New
  • Posts: 20
Thanks for your support.
I had restored the old situation.

If you like, try again. The site is now pointing to the 1.7.12 version.

By the way!: I did the upgrade manually as described in the Wiki, this worked in the past.

Not Secure 5 months 3 weeks ago #6

  • bertkoor
  • Gold
  • Greetings from Utrecht, Holland
  • Posts: 1572
fisharebest wrote:
> > When I then want to log in (any user) then I get the message "Not secure form" and the log-in fails.
>
> I just tried to login to your site, and did not see any "insecure" message.

In Chrome there's this exclamation mark with some more info:

I can submit the form, but since I have no credentials of course I cannot get in.

Digging somewhat deeper with curl:
$ curl -v https://koopmans-family.com/login.php
*   Trying 176.127.29.98...
* TCP_NODELAY set
* Connected to koopmans-family.com (176.127.29.98) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=koopmans-family.com
*  start date: Oct 18 11:22:24 2018 GMT
*  expire date: Jan 16 11:22:24 2019 GMT
*  subjectAltName: host "koopmans-family.com" matched cert's "koopmans-family.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET /login.php HTTP/1.1
> Host: koopmans-family.com
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Date: Fri, 21 Dec 2018 12:12:29 GMT
< Server: Apache
< X-Powered-By: PHP/7.1.16
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< MS-Author-Via: DAV
< Content-Type: text/html; charset=UTF-8
< Set-Cookie: WT_SESSION=445r9ipbjbao0stp55b0jjo9c2; path=/; HttpOnly
< Transfer-Encoding: chunked
< 
<!DOCTYPE html><html lang="en-US"><head>

I'm not enough of an SSL expert to spot what Chrome thinks can be more secure. Maybe someone else can...
stamboom.BertKoor.nl runs on webtrees v1.7.9

Not Secure 5 months 3 weeks ago #7

  • fisharebest
  • Administrator
  • Posts: 11102
1) Do you have an entry for LOGIN_URL or SERVER_URL in the table wt_site_settings? If so, remove them. (You can do this from the control panel in 1.7.9)

2) Go to Control panel, Website, Server Information. Scroll down to the section "PHP Variables".

webtrees will detect the URL from the information here. Do they look correct (e.g. port 443, SSL enabled, https, etc.)? If you're not sure what they mean, post them here.
Greg Roach - fisharebest.webtrees.net

Not Secure 5 months 3 weeks ago #8

  • fisharebest
  • Administrator
  • Posts: 11102
> I'm not enough of an SSL expert to spot what Chrome thinks can be more secure. Maybe someone else can...

You are being redirected from https to http for the login page. This is what Chrome objects to.
Greg Roach - fisharebest.webtrees.net

Not Secure 5 months 3 weeks ago #9

  • HenkK
  • New
  • Posts: 20
I really appreciate your help.

I have looked at my redirection, but nothing has changed. However,
I am also not an SSL specialist (just an interested amateur), and the enabling of the LetsEncrypt certificates is complicated, but that redirection seems to work.

What I have done:
My original document base for webtrees is koopmans_genealogy
I downloaded and unpacked the webtrees-1.7.12 folder. The name of the folder is web trees-1.7.12.
I copied the Folder /Data to the folder web trees-1.7.12 (my media files are also under the /Data folder)
I checked ownership and rights. Made them for web trees-1.7.12 exactly the same as for koopmans-genealogy
I renamed koopmans_genealogy to web trees-1.7.9
I renamed web trees-1.7.12 to koopmans-genealogy
I checked my document roots and restarted apache.

The redirect to the https seems to work, except when you do a login.

Now I only changed in the web server the document-root to webtrees-1.7.9 (the old folder)
and everything is working again, even login, but of course it is still version 1.7.9.

I repeated the whole exercise for webtrees 1.7.11, same result.

I appreciate any hint. Thanks

Not Secure 5 months 3 weeks ago #10

  • fisharebest
  • Administrator
  • Posts: 11102
> The redirect to the https seems to work, except when you do a login.

webtrees is generating a link to http:....login.php instead of https:....login.php

If you need to see this for yourself, go to the login page and look at the HTML source.
You will see that the login form is submitting to a URL beginning http:

It is doing this for one of two reasons, which I mentioned in post #7.

FYI,
webtrees 1.7.9 used some old/custom logic to detect the URL.
webtrees 1.7.10 uses a well-respected third-party library to detect the URL.
This may explain why you only get the problem after you upgrade.

But to investigate, we need to

a) confirm that you are not attempting to use the SERVER_URL or LOGIN_URL settings in webtrees (which override the detection logic)

b) look at the server/request variables, to see why it is detecting http instead of https.
Greg Roach - fisharebest.webtrees.net
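
The check described in post #10 (reading the login page's HTML to see where the form submits) can be scripted. The following is an added example, not code from webtrees or from any poster; the host name, sample HTML and cookie value are constructed, and it also flags a session cookie sent without the Secure attribute, as in the Set-Cookie line of the curl output in post #6.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")

def insecure_form_targets(page_url, html):
    """Return absolute form targets that leave an HTTPS page for plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is not HTTPS; that is a different finding
    collector = FormCollector()
    collector.feed(html)
    # Relative actions are resolved against the page URL (<base> is ignored).
    targets = [urljoin(page_url, action) for action in collector.actions]
    return [t for t in targets if urlsplit(t).scheme == "http"]

def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = [part.strip().lower() for part in header.split(";")[1:]]
        if "secure" not in attrs:
            missing.append(name)
    return missing

# Constructed sample: an HTTPS login page whose form posts to http:.
# Host name and cookie value are placeholders, not taken from the thread.
PAGE_URL = "https://genealogy.example/login.php"
SAMPLE_HTML = """
<form method="post" action="http://genealogy.example/login.php">
  <input name="username"><input type="password" name="password">
</form>
<form method="get" action="search.php"><input name="q"></form>
"""
SAMPLE_COOKIES = ["WT_SESSION=placeholdervalue; path=/; HttpOnly"]

if __name__ == "__main__":
    print(insecure_form_targets(PAGE_URL, SAMPLE_HTML))
    print(cookies_missing_secure(SAMPLE_COOKIES))
```
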

Not Secure 5 months 3 weeks ago #11

  • HenkK
  • New
  • Posts: 20
In the admin page of webtrees 1.7.9 I found the following:

Sign in and registration: Sign-in URL is empty
Website preferences: Website URL is also empty.

Looking in the extended web server info :

Hostname:Port genealogy.koopmans-family.com:443
HTTP_REFERER points to https
REQUEST_SCHEME https
X-Forwarded-Proto is https
X-Forwarded-Host genealogy.koopmans-family.com
X-Forwarded-Server genealogy.koopmans-family.com
HTTP_X_FORWARDED_PROTO https

In the Apple web server I have set a redirect for all traffic going to "This website" (= genealogy.koopmans-family.com port 80) to genealogy.koopmans-family.com (port 443)

I hope this is the information you asked for.

Not Secure 5 months 3 weeks ago #12

  • HenkK
  • New
  • Posts: 20
When I log into version 1.7.9 and then change my document root to 1.7.12 I am still logged in, but now it says version 1.7.12.
Looking at the PHP variables I do not see a difference.

Not Secure 5 months 3 weeks ago #13

  • fisharebest
  • Administrator
  • Posts: 11102
In your Apache config, are you able to add an "HTTPS" header?

There are lots of ways to do this, depending on your version of apache and which modules you have installed.

This is a common way to do it.
Header add HTTPS "on"
Greg Roach - fisharebest.webtrees.net

Not Secure 5 months 3 weeks ago #14

  • HenkK
  • New
  • Posts: 20
I am not (yet) familiar with Apache. So far I use the Apple server with its web components.
I know Apple configured Apache in an "unusual" way. Anyhow, soon I have to change the complete setup of my web server. Apple stopped supporting that.
Probably this problem is due to Apple's set up of Apache.

As for the login problem. The workaround is to set the Sign-in-URL to the https://XXX//login.php.
This works. (So far I did not notice any problem)

Thanks for your support. Have a Merry Christmas.

Not Secure 5 months 3 weeks ago #15

  • fisharebest
  • Administrator
  • Posts: 11102
> The workaround is to set the Sign-in-URL

FYI, this setting will be removed in a future version of webtrees.
Greg Roach - fisharebest.webtrees.net