Web based family history software

This Help forum is for issues related to the latest release (1.7.9). For issues related to the beta or GitHub version, please use their own Help forum.
Before asking for help please read "How to request help" by clicking on that tab above here.

Question [SOLVED] How to use with an SSL Certificate with 1.7.9/10

5 years 7 months ago - 5 years 7 months ago #1 by snakeeyes
Hi!

I am trying to figure out how to use an SSL certificate with my existing webtrees installation. When I create an .htaccess file to redirect everything on the site to https:// I get the following error, as well as the address for the site getting rewritten to include port 80.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

I have another site where I am using an SSL certificate and was able to get it set up rather straightforwardly. The tech support at my hosting company is assuring me that what I am doing should be working, but that they have no idea why the port number is being automatically added, nor why the redirects are failing, aside from telling me that there must be something in the site causing the issue.

Does anybody have any experience with this? And if so, can someone please help me to figure out what I am missing?

Additionally, when I manually type in the https:// it will work, but I am getting the error message that some parts of the site are not secure. As far as I am aware, nothing is being served from a source other than my site.

Thank you

Andrew
Last edit: 5 years 7 months ago by snakeeyes.

5 years 7 months ago #2 by fisharebest
Replied by fisharebest on topic How to use with an SSL Certificate with 1.7.9/10
> but that they have no idea why the port number is being automatically added

webtrees needs to generate URLs.

It does this from information provided by the webserver. This link will show you how to see the information that webtrees uses.

www.webtrees.net/index.php/en/forum/help...dless-ssl-loop#66070

Your webserver is presumably telling PHP that it is fetching HTTP over port 433 (or HTTPS over port 80).
Therefore webtrees is generating URLs containing a port number.

webtrees 1.7 is pretty strict on this. It will assume your server config is correct, and will generate URLs exactly as requested.

webtrees 2.0 uses an external library which is more tolerant. If you tell it you are using HTTP at port 443, it will ignore you and assume you really meant HTTPS, etc.

If this isn't enough help, can you post the output of the script I referenced above?

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net

5 years 7 months ago #3 by fisharebest
Replied by fisharebest on topic How to use with an SSL Certificate with 1.7.9/10
See also this post for how to add X_FORWARDED_*** headers to a .htaccess file

www.webtrees.net/index.php/en/forum/help...n-menu-sign-in#66195

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net

5 years 7 months ago #4 by snakeeyes
Replied by snakeeyes on topic How to use with an SSL Certificate with 1.7.9/10
Thank you for the quick reply. I modified the server url entry in the site setting table to the http:// version of my address and am now getting the following error.

ERR_TOO_MANY_REDIRECTS

This error also happens if I have the https:// version of the address as well.

But the redirect is rewriting the address to include the https now, and it is not including the port number anymore, so some progress.

5 years 7 months ago #5 by fisharebest
Replied by fisharebest on topic How to use with an SSL Certificate with 1.7.9/10
Have you set a "SERVER_URL" setting in your control panel?

If so, delete it.

If you can't access the control panel, look in the wt_site_setting table in the database.

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net

5 years 7 months ago #6 by fisharebest
Replied by fisharebest on topic How to use with an SSL Certificate with 1.7.9/10
> i modified the server url entry in the site setting table to the http://

Sorry - just read this.

Do not use this setting. It is removed in the next version, because it is frequently misused.

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net

5 years 7 months ago - 5 years 7 months ago #7 by snakeeyes
Replied by snakeeyes on topic How to use with an SSL Certificate with 1.7.9/10
OK, I have deleted that entry and am now getting the following error message. It is also now putting the port number back into the address in the redirect somehow.

An error occurred during a connection to gene.alteredpixels.ca:80. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

My .htaccess file, which I took from another site of mine on the same host that is working properly for me:

RewriteEngine On
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

With regard to the page you referred me to about HTTP_X_FORWARDED_PORT, it is showing both ports 80 & 443 already being in place, so I'm not sure if I should change anything there?
Last edit: 5 years 7 months ago by snakeeyes.

5 years 7 months ago - 5 years 7 months ago #8 by snakeeyes
Replied by snakeeyes on topic How to use with an SSL Certificate with 1.7.9/10
I think I got it figured out finally.

I commented out line 174 in /includes/session.php

// $port = Filter::server('SERVER_PORT', null, '80');

Now the redirect works, but I get a partial secure message when I click on the padlock in the address bar of my browser. How do I resolve this issue?
Last edit: 5 years 7 months ago by snakeeyes.

5 years 7 months ago #9 by fisharebest
Replied by fisharebest on topic How to use with an SSL Certificate with 1.7.9/10
> i commented out line 174 in /includes/session.php

You would have been better setting X_FORWARDED_PORT in your apache config. I showed you how to do this earlier.

> How do I resolve this issue?

Use the browser's "developer tools", e.g. CTRL-SHIFT-I in Firefox and Chrome.

Or post the URL here so we can take a look.

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net

5 years 7 months ago #10 by mp
Hi, I use webtrees 1.7.10 with a LetsEncrypt certificate and it was much easier to use webtrees with SSL:

- no changes in .htaccess necessary
- Control panel > Sign-in and registration > Sign-in URL set from http to https
- Control panel > Website preferences > check "Website URL" is set to https

Done.

Martin - ffp.bauschaffen.de

5 years 7 months ago #11 by snakeeyes
Replied by snakeeyes on topic How to use with an SSL Certificate with 1.7.9/10
For sign in and registration I have gene.alteredpixels.ca/login.php
For web site preferences I have gene.alteredpixels.ca/

With these two entries and the .htaccess file, on the main page ( gene.alteredpixels.ca/index.php?ctype=gedcom&ged=tree1 ) I get a partially secure message, whether I am logged in or not. On every other page I tested, whether logged in or not, I got a properly secured message in the browser address bar.

With the .htaccess file removed I get the same results as above.

If I uncomment line 174 in /includes/session.php -> $port = Filter::server('SERVER_PORT', null, '80'); including removing the .htaccess file, but leaving the other two settings in place, I get an ERR_TOO_MANY_REDIRECTS when I try to go to gene.alteredpixels.ca. However, the redirect does seem to function correctly and not append port 80, for a random reason I can't understand. And it is showing as secure in the browser address bar.

5 years 7 months ago #12 by kiwi

snakeeyes wrote:
With these two entries and the .htaccess file, on the main page ( gene.alteredpixels.ca/index.php?ctype=gedcom&ged=tree1 ) I get a partially secure message, whether I am logged in or not. On every other page I tested, whether logged in or not, I got a properly secured message in the browser address bar.


"Partially secure" usually means you are serving content that is not https on an https page. In your case, it is the image displayed via a link from www.irishsurnames.com . Either persuade the Irish Surnames site to update their site to https or (far better) store a copy of the image locally and use that instead.

5 years 7 months ago #13 by snakeeyes
Replied by snakeeyes on topic How to use with an SSL Certificate with 1.7.9/10
Thank you! That fixed the partial secured page error.

But I am still getting the ERR_TOO_MANY_REDIRECTS if I do not have line 174 in /includes/session.php commented out. This is with or without the .htaccess file.

5 years 6 months ago #14 by snakeeyes
Replied by snakeeyes on topic How to use with an SSL Certificate with 1.7.9/10
So with a fresh install of 1.7.10, with a fresh database, I am still having issues with webtrees somewhere somehow appending :80 to the https:// address when trying to use an SSL cert. On this fresh install I have only enabled the sign in URL to be mydomain.ca/login.php and am seeing it getting redirected to https://mydomain:80/login.php. This is of course breaking the site. Does anyone have any suggestions as to how to modify the webtrees code so as to allow SSL certs to work properly?

5 years 6 months ago #15 by fisharebest
Replied by fisharebest on topic How to use with an SSL Certificate with 1.7.9/10
The setting for "sign in URL" was designed for people who want to write their own login script, to integrate with other applications.

You almost certainly want to leave it blank. Same goes for the "server URL" setting.

(I removed these settings in webtrees 2.0, since they caused more problems than they solved. I'll probably remove them in the 1.7 branch as well).

Most problems with getting SSL to work are that your webserver config listens on 443/HTTPS, but tells PHP that it is listening on port 80.

Create a phpinfo file - see www.webtrees.net/index.php/en/forum/help...dless-ssl-loop#66070 - and view it in your browser using your SSL configuration.

If there's nothing in here to indicate HTTPS and 443, then webtrees won't know about it.

You can set X_FORWARDED_PORT and X_FORWARDED_PROTO in your apache configuration to tell PHP/webtrees exactly what to use.

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net

5 years 6 months ago - 5 years 6 months ago #16 by snakeeyes
Replied by snakeeyes on topic How to use with an SSL Certificate with 1.7.9/10
This is the output of the script with https enabled. I don't understand, though, why a simple redirect using an .htaccess file will not work properly. It does with other web sites I maintain.
Code:
PHP Variables
Variable Value
$_REQUEST['WT_SESSION'] l3sbrih0an7hl1l1ba4f8jp4q1
$_COOKIE['WT_SESSION'] l3sbrih0an7hl1l1ba4f8jp4q1
$_SERVER['DOCUMENT_ROOT'] /home/alteredp/gene
$_SERVER['GATEWAY_INTERFACE'] CGI/1.1
$_SERVER['HTTPS'] on
$_SERVER['HTTP_ACCEPT'] text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
$_SERVER['HTTP_ACCEPT_ENCODING'] gzip, deflate, br
$_SERVER['HTTP_ACCEPT_LANGUAGE'] en-US,en;q=0.9
$_SERVER['HTTP_CONNECTION'] close
$_SERVER['HTTP_COOKIE'] WT_SESSION=l3sbrih0an7hl1l1ba4f8jp4q1
$_SERVER['HTTP_DNT'] 1
$_SERVER['HTTP_HOST'] xxxxx.ca
$_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS'] 1
$_SERVER['HTTP_USER_AGENT'] Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
$_SERVER['HTTP_X_FORWARDED_FOR'] 162.219.176.20
$_SERVER['HTTP_X_FORWARDED_PROTO'] https
$_SERVER['HTTP_X_REAL_IP'] 162.219.176.20
$_SERVER['PATH'] /bin:/usr/bin
$_SERVER['PROXY_ADDR'] 31.22.4.24
$_SERVER['QUERY_STRING'] no value
$_SERVER['REDIRECT_STATUS'] 200
$_SERVER['REMOTE_ADDR'] 162.219.176.20
$_SERVER['REMOTE_PORT'] 55779
$_SERVER['REQUEST_METHOD'] GET
$_SERVER['REQUEST_URI'] /1.php
$_SERVER['SCRIPT_FILENAME'] /home/alteredp/gene/1.php
$_SERVER['SCRIPT_NAME'] /1.php
$_SERVER['SERVER_ADDR'] 31.22.4.24
$_SERVER['SERVER_ADMIN'] webmaster@xxxxxx.ca
$_SERVER['SERVER_NAME'] xxxxxx.ca
$_SERVER['SERVER_PORT'] 80
$_SERVER['SERVER_PROTOCOL'] HTTP/1.0
$_SERVER['SERVER_SIGNATURE'] <address>Apache Server at xxxxxxx.ca Port 80</address>
$_SERVER['SERVER_SOFTWARE'] Apache
$_SERVER['SSL'] on
$_SERVER['UNIQUE_ID'] W403L7kCqA8ACW18nqoAAAAe
$_SERVER['no_gzip'] 1
$_SERVER['PHP_SELF'] /1.php
$_SERVER['REQUEST_TIME_FLOAT'] 1535981359.7056
$_SERVER['REQUEST_TIME'] 1535981359
$_ENV['DOCUMENT_ROOT'] /home/alteredp/gene
$_ENV['GATEWAY_INTERFACE'] CGI/1.1
$_ENV['HTTPS'] on
$_ENV['HTTP_ACCEPT'] text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
$_ENV['HTTP_ACCEPT_ENCODING'] gzip, deflate, br
$_ENV['HTTP_ACCEPT_LANGUAGE'] en-US,en;q=0.9
$_ENV['HTTP_CONNECTION'] close
$_ENV['HTTP_COOKIE'] WT_SESSION=l3sbrih0an7hl1l1ba4f8jp4q1
$_ENV['HTTP_DNT'] 1
$_ENV['HTTP_HOST'] xxxxxx.ca
$_ENV['HTTP_UPGRADE_INSECURE_REQUESTS'] 1
$_ENV['HTTP_USER_AGENT'] Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
$_ENV['HTTP_X_FORWARDED_FOR'] 162.219.176.20
$_ENV['HTTP_X_FORWARDED_PROTO'] https
$_ENV['HTTP_X_REAL_IP'] 162.219.176.20
$_ENV['PATH'] /bin:/usr/bin
$_ENV['PROXY_ADDR'] 31.22.4.24
$_ENV['QUERY_STRING'] no value
$_ENV['REDIRECT_STATUS'] 200
$_ENV['REMOTE_ADDR'] 162.219.176.20
$_ENV['REMOTE_PORT'] 55779
$_ENV['REQUEST_METHOD'] GET
$_ENV['REQUEST_URI'] /1.php
$_ENV['SCRIPT_FILENAME'] /home/alteredp/gene/1.php
$_ENV['SCRIPT_NAME'] /1.php
$_ENV['SERVER_ADDR'] 31.22.4.24
$_ENV['SERVER_ADMIN'] webmaster@xxxxx.ca
$_ENV['SERVER_NAME'] xxxxxxx.ca
$_ENV['SERVER_PORT'] 80
$_ENV['SERVER_PROTOCOL'] HTTP/1.0
$_ENV['SERVER_SIGNATURE'] <address>Apache Server at xxxxxx.ca Port 80</address>
$_ENV['SERVER_SOFTWARE'] Apache
$_ENV['SSL'] on
$_ENV['UNIQUE_ID'] W403L7kCqA8ACW18nqoAAAAe
$_ENV['no_gzip'] 1

Out of curiosity I went to another of my sites with https enabled and functioning correctly and ran the same script and got the same result for the server address of
Code:
$_SERVER['SERVER_PORT'] 80
$_SERVER['SERVER_PROTOCOL'] HTTP/1.0
$_SERVER['SERVER_SIGNATURE'] <address>Apache Server at xxxx.ca Port 80</address>
$_SERVER['SERVER_SOFTWARE'] Apache
$_ENV['SERVER_PORT'] 80
$_ENV['SERVER_PROTOCOL'] HTTP/1.0
$_ENV['SERVER_SIGNATURE'] <address>Apache Server at xxxx.ca Port 80</address>
$_ENV['SERVER_SOFTWARE'] Apache

This suggests to me that somewhere in your code there is perhaps a bug, as both sites provide the server port 80 as part of the address when being accessed with https:// instead of http://
Last edit: 5 years 6 months ago by snakeeyes.

5 years 6 months ago - 5 years 6 months ago #17 by snakeeyes
Replied by snakeeyes on topic How to use with an SSL Certificate with 1.7.9/10
Was able to solve this by including the following line in the includes/sessions.php (the last line is the one added, the rest is shown for clarity). Once this line was added, a simple redirect using an .htaccess file allows everything to work properly as far as I am able to see.
Code:
// Calculate the base URL, so we can generate absolute URLs.
$https    = strtolower(Filter::server('HTTPS'));
$protocol = ($https === '' || $https === 'off') ? 'http' : 'https';
$protocol = Filter::server('HTTP_X_FORWARDED_PROTO', 'https?', $protocol);
$host     = Filter::server('SERVER_ADDR', null, '127.0.0.1');
$host     = Filter::server('SERVER_NAME', null, $host);
$port     = Filter::server('SERVER_PORT', null, '80');
$port     = Filter::server('HTTP_X_FORWARDED_PORT', '80|443', $port);
$env_https = strtolower($_ENV['HTTPS']);


For reference, here is the .htaccess file I am using:
Code:
RewriteEngine On
#redirect http to https
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Last edit: 5 years 6 months ago by snakeeyes.
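
An added example, not part of any post and not webtrees source code: a stand-alone PHP model of the base-URL calculation quoted in this thread, run over the three relevant values from the posted dump (HTTPS on, X_FORWARDED_PROTO https, SERVER_PORT 80) to show why an https URL ends up carrying :80, and what changes once a forwarded port is supplied as suggested in the replies. The helper server_value(), the functions base_url() and port_mismatch(), and the host name tree.example are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the Filter::server() calls quoted in the thread:
// return $server[$key] when it is set and fully matches $pattern (if given),
// otherwise return $default.
function server_value(array $server, string $key, ?string $pattern, string $default): string
{
    $value = (string) ($server[$key] ?? '');
    if ($value === '') {
        return $default;
    }
    if ($pattern !== null && preg_match('/^(?:' . $pattern . ')$/', $value) !== 1) {
        return $default;
    }
    return $value;
}

// Build the base URL from the server variables exactly as given, with no
// attempt to reconcile protocol and port.
function base_url(array $server): string
{
    $https    = strtolower((string) ($server['HTTPS'] ?? ''));
    $protocol = ($https === '' || $https === 'off') ? 'http' : 'https';
    $protocol = server_value($server, 'HTTP_X_FORWARDED_PROTO', 'https?', $protocol);
    $host     = server_value($server, 'SERVER_NAME', null, '127.0.0.1');
    $port     = server_value($server, 'SERVER_PORT', null, '80');
    $port     = server_value($server, 'HTTP_X_FORWARDED_PORT', '80|443', $port);

    // Omit the port only when it is the default for the chosen protocol.
    $default = ($protocol === 'https') ? '443' : '80';
    return $protocol . '://' . $host . ($port === $default ? '' : ':' . $port) . '/';
}

// True when protocol and port disagree (https on 80, or http on 443).
function port_mismatch(array $server): bool
{
    return (bool) preg_match('#^(https://[^/]+:80|http://[^/]+:443)/#', base_url($server));
}

// Constructed input: the relevant values from the posted dump, with a
// placeholder host name.
$behind_proxy = [
    'HTTPS'                  => 'on',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'SERVER_NAME'            => 'tree.example',
    'SERVER_PORT'            => '80',
];
// The same request once the web server also supplies the forwarded port.
$with_port = $behind_proxy + ['HTTP_X_FORWARDED_PORT' => '443'];

foreach (['as posted' => $behind_proxy, 'with forwarded port' => $with_port] as $label => $server) {
    printf("%-20s %s  mismatch=%s\n", $label, base_url($server), port_mismatch($server) ? 'yes' : 'no');
}
```

The forwarded headers are only meaningful when the web server or proxy sets them itself; if they are accepted unchanged from the client, the request decides the scheme and port of every generated URL.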

5 years 6 months ago #18 by snakeeyes
Problem solved.
