Mixed content warning but nothing in source - wordpress

My client has a Wordpress site with an SSL certificate. Riht now I'm trying to figure out any solution.
The site address is https://illustro.pl
When entered on the front page you'll get the un secure connection warning.
I've tried to find what causes this with any luck, solutions that have not worked
replace http with https
change all http to https with Mixed Content/Insecure Content SSL
In the process I've also changed all the URLs to HTTPS in the database on sites where the was the need to.
I'iv inspected the site with multiple developers tools all of them show the problem at line one.
At this point any suggestion would be appreciated.

Try the below code placing at wp-config.php
define('FORCE_SSL_LOGIN', true);

There could be multible reasons:
Main reason is currently that your webserver is not sending the full certificate chain (intermediate certificate is missing). That's the current reason why the browser tells you "unknown issuer".
The next reason could be or will be that your certificate doesn't have subject alternative names. Browsers will stop checking for common name in future.

Related

How to create a HTTPS->HTTPS subdirectory redirect using subdomains?

I am currently having issues with setting up an HTTPS domain redirect. I have a DNS URL redirect entry that points a few sub-domains to same-server URLs. For example:
docs.kipper-lang.org -> kipper-lang.org/docs/
play.kipper-lang.org -> kipper-lang.org/playground
The issue I am currently experiencing is that when using the subdomains, it mostly works, but it can only use HTTP. If I attempt to use HTTPS (like for example https://docs.kipper-lang.org) the redirect won't work and will get stuck apparently waiting for the HTTPS certificate (I think, but I don't know for sure, since it loads forever and gets a time-out).
So my DNS provider does its job for the most part as I want, but I am not sure how to add the HTTPS encryption to these redirects. Is there maybe even some DNS configuration or even middle-man service for redirects I can use, where these HTTPS encryptions are built-In? Since receiving a "Warning: Insecure connection" every time someone uses the sub-domains is a massive problem for me.
Note though that considering I am hosting on a GitHub Pages server, I am unable to do these redirects on the server side myself, as I can't use any code in this case.
I would greatly appreciate any ideas for fixing this or what I could use to achieve this another way.
Thanks in advance!

How to determine exactly why chrome flags site as not secure

I just moved several interrelated sites from a server that does not support TLS 1.2 to one that does to specifically stop chrome's site is insecure message. There a 4 separate websites one of which has 2 pages Demo.aspx and Rater.aspx. All sites use https:// and the server supports TLS 1.2 and has a valid certificate chain. All sites load without any security warning, including Demo.aspx, but Rater.aspx does not (it is the only one).
Rater.aspx is a older and somewhat large one page asp site, so I figured there must be a http:// reference somewhere, and I found a few which I converted to https://.
I have gone over the site many time, and there is nothing I can see that should be causing the insecure flag.
Your Connection to this site is not secure.
Certificate (valid)
Cookies (1 in use)
Is there a tool that will tell me what chrome is picking up on so I can fix it?
If it would be helpful I can provide a link to the page, just did not want to do it here.
Thanks!
As #mason pointed out Chrome's Security Tab in developer tools provides information on what is causing the Not Secure message and ultimately led to the discovery of an unused iframe pointing to a less secure domain.
I found the offending domain name on the Application tab under Local and Session storage (no actual data was being stored). A project search for that name found the iframe.
Of note is that the insecure server was https:// and has a valid SSL certificate but it does not support TLS 1.2.

AMP HTML amp-ads - Blocked Frame, Protocols, domains, and ports must match

I'm attempting to resolve an error that is preventing me from showing google-adsense ads on an amp-html site that I built and am hosting on an nginx server. I have searched and read through quite a few similar questions on Stack Overflow, Google Adsense and Amp By Example documentations.
I placed an amp-ad, per Google's instructions. The page itself loads properly, but with for whitespace where the ad should be. In the console, I get this error (twice):
Blocked a frame with origin "https://d-1234567890.ampproject.net" from accessing a frame with origin "https://example.com". Protocols, domains, and ports must match.
I recently moved the Nameservers to a new server, which now supports https instead of http. The site appears to still be verified in Adsense, but is it trying to send the ads via the wrong protocol?
Protocols must match -- seems to be the case, as both sites are https.
Domains and ports must match -- ok, but how to verify these?
Beyond this, I'm not quite sure how to troubleshoot the issue, other than blindly turning off security measures. Should I be looking at my headers (X-Frame-Options, X-Content-Type-Options, etc.)? Or my Content-Security-Policy header? Or is Google Adsense still using the old http protocol?
FWIW, I am also getting these (related) warnings in the console:
[Warning] The resource https://3p.ampproject.net/234567890/f.js was preloaded using link preload but not used within a few seconds from the window's load event. Please make sure it wasn't preloaded for nothing.
[Warning] The resource https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js was preloaded using link preload but not used within a few seconds from the window's load event. Please make sure it wasn't preloaded for nothing.
Thank you in advance for your help.

IIS app pool caches wrong url

I have my production site's app pool to recycle every 2 hours or so. I noticed that when the first call to the site is made, the App Pool caches the base url (e.g. www.mysite.com). This makes sense as this is used to resolve relative paths in ASP.NET e.g. ~/MyFolder/MyPage.aspx, which is resolved to:
http://www.mysite.com/MyFolder/MyPage.aspx
However since the site can be reached via our host name e.g.
http://masdfg.my.provider.net
IIS thinks the url is
http://masdfg.my.provider.net/MyFolder/MyPage.aspx
As you can image, this causing an issue with SSL as well as others. How can I prevent this from happening?
UPDATE: The work around was to create a url redirect. If anyone knows how to prevent this let me know.
I hope I've understood your question correctly, but please do let me know if I haven't.
It sounds like the sole issue you have is that when you write the links to the response they sometimes reference the wrong root URL.
I notice that you use ~/ . This would resolve and write the entire URL to the response I think. It is better to use only / when writing links to the response.
So in your example you would write /myfolder/mypage.aspx. The browser would then resolve the / to mean that it's from the root address of the site, whichever that may be.
Like I said, I hope I've understood your question correctly and apologies if I haven't.
I know it's a long shot, but I've had a similar problem with my IIS setup. I solved it by going to the already mentioned "bindings" window through "Edit Bindings".
Then I removed all the not wanted bindings, then adding the hostname www.mydomain.com the server should answer to.
Finally I edited the windows hosts file at
%windir%\System32\drivers\etc\hosts
Adding the line
127.0.0.1 www.mydomain.com
This ensures that www.mydomain.com always resolves to the local computer.
After executing iisreset.exe as administrator my problem was over.
HttpContext.Current.Request.Url is not a cacheable item. That value comes from the HOST value of the HTTP headers. Which means it is passed in to the application from the request.
The only time it should take that second URL is if the requests HOST value was masdfg.my.provider.net
There are three possible fixes here. The first is to set your bindings and have any requests to masdfg.my.provider.net be forwarded over to www.mysite.com
The second, because your primary issue appears to be about SSL is to get a unified communications (UC) SSL certificate and install that on your server. This would be to cover the mysite.com and masdfg.my.provider.net domain names.
The third is to simply create a separate IIS site which points to the exact same production directory as the first one. Each site would have only 1 domain name it's responsible for.

How do I correct the name of the security certificate does not match the name of the site?

My IIS site is giving browsers problems. They pop up a security warning that the security certificate does not match the name of the site. I'm using a self-signed certificate for testing. I view the certificate. It has the name.
DnsName.mydomain.com
but the browser is using
MachineName.mydomain.com
There is a CNAME entry pointing DnsName.mydomain.com to MachineName.mydomain.com.
Even so, they are obviously different. Can you tell me how I can get a new self-signed certificate with the name MachineName.mydomain.com, and how to install it on my test web server such that browsers can use either name without getting this security warning?
I can have the browser install any certificate a self-signed cert from my web server, that's not the problem. The problem is the warning. Here's a screen shot of what I mean.
You can only have one cert per site.
There are a couple of heavy-handed ways of getting around this:
Completely duplicate your site and have a cert on each
Use SSL-Acceleration and have two different external IPs on a load balancer that both point to the same internal.
There's also one easy way since you're already self-signing: Just wildcard it (*.mydomain.com). Generating this on a Windows box is explained here and Generating this on a Linux box is explained here.
If you really don't want to do that, I'd just have a forced redirect from one URL to the other instead of a CNAME alias.

Resources