Multisite trying to activate Simple SSL before Multisite addition and failed

Home Forums Multisite Multisite trying to activate Simple SSL before Multisite addition and failed

This topic contains 12 replies, has 3 voices, and was last updated by  Rogier Lankhorst 4 days, 23 hours ago.

Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • #51295 Reply

    Shelley Powers
    Participant

    I have a multisite installation with several domains. I purchased your multisite Pro plugin.

    I added certificates for all my domains.

    I installed Really Simple SSL plug-in per instructions. This is required before the multisite.

    I couldn’t even log in. I couldn’t do a thing.

    I found your instructions for force de-activating the Really Simple SSL plug-in and can now log in. But I haven’t a clue what I’m supposed to do to get either of the plug-ins to work.

    #51298 Reply

    Shelley Powers
    Participant

    Never mind.

    After deactivating, logging in, and then reactivating, this time it worked.

    Painful, though.

    #51301 Reply

    Hi Shelly,

    Strange you had trouble activating the first time. Did you get a redirect loop?

    Maybe another plugin was redirecting back to http? If you have any additional info, we can look into it.

    If you need any other assistance, let me know!

    #51601 Reply

    Shelley Powers

    No it’s working fine.

    I did want to let you know that you’re spelling network as netwerk in several places. Next time you do code changes, might want to fix that.

    Also, I’m getting the following in each site

    The mixed content fixer is not active on the admin panel. Enable this feature only when you have mixed content on the admin panel.

    This is enabled, so I’m not sure why I’m getting this message.

    Lastly, and this one demonstrates the dangers of expression matching when I did a scan on my main site, which has been around for years, you noted that a link to an external JavaScript file was given as HTTP and I’d have to fix the page manually.

    Actually, the link was to an old URL from over a decade ago, and was to a JSP page with a .jsp extension. One of the mixed content fixers found .js, and then stopped matching didn’t get that it was a .jsp page. This is more of an FYI, as I find it unlikely this type of issue will happen again.

    #51602 Reply

    Shelley Powers

    Sorry, for mangled comment. Hopefully, you can read.

    #51618 Reply

    Shelley Powers

    I spoke too soon, there is another issue.

    One of your options is to enable HSTS, but you’re not doing anything. You’re not generating the header, and you don’t provide an option to submit the domain to the HSTS Preload list.

    What do I need to do to get this to work, other than enable HSTS?

    #51632 Reply

    Hi Shelley,

    Thanks for the feedback on the network/netwerk, I’ll make a note.
    As for the “false positive” This kind of results can come up, that’s the reason it still needs to be done manually, the scan can’t account for any possible situation. But thanks for mentioning it.

    HSTS: if you enable the HSTS option, assuming you’re on Apache, the HSTS header should be inserted in your .htaccess. On NGINX it is a php header. Can you send me your .htaccess file so I can take a look?

    I’m looking into the preload list option, I’ll get back to you on that. It should appear after enabling HSTS on the network settings page.

    #51741 Reply

    Shelley Powers

    I tested my site, and it’s not ready for HSTS anyway. Not all of my subdomains are served via HTTPS, and doing so may be a problem for one of them.

    But the .htaccess file has

    # BEGIN Really_Simple_SSL_HSTS
    <IfModule mod_headers.c>
    Header set Strict-Transport-Security: “max-age=31536000” env=HTTPS
    </IfModule>
    # END Really_Simple_SSL_HSTS

    However, when I tested the site with the HSTS preload org, I’m getting

    Error: No HSTS header
    Response error: No HSTS header is present on the response.

    Regardless of subdomain issue, shouldn’t the header be working?

    #51742 Reply

    Shelley Powers

    Does look like the header should be

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

    I can modify that myself in the .htaccess file. First, though, I’ve got to think about the subdomain issue. I may wait on all of this until Lets Encrypt puts out the wildcard certificate.

    Thanks

    #51744 Reply

    Hi Shelly,

    Your current HSTS header is the “basic” HSTS header, which only activates when the site is loaded over https, and does not include subdomains, which is why you can activate it on multisite without risk of other sites being forced over https. The preload directives are inserted when the “hsts preload” option is enabled. This option is not visible at the moment on the settings page, I have corrected this in an update which I will release tomorrow.

    Please note that the env=https directive is also required for preload.

    The main issue here seems that the HSTS header does not seem to work, which is strange. Adding the preload directive won’t solve that. Possibly your hosting company does not allow setting headers in the .htaccess?

    If you have a redirect chain which aims to limit the number of redirects, this might be a problem for HSTS. The redirect should always be “http://domain.com -> https://domain.com -> https://www.domain.com for example.

    #51863 Reply

    An update to the Really Simple SSL multisite pro plugin has been released, including the hsts_preload option, which was not showing correctly. You should not get a preload option when you have enabled the HSTS option.

    Your HSTS header should already work, but if it still doesn’t this can be caused by server settings. For exmple, if the url in plesk is http://www.domain.com, this can cause problems with HSTS.

    #51865 Reply

    Shelley Powers

    It was my bad. I moved to a new server with a fresh software install and forgot to enable Apache headers. Just one of the many things to remember when you start up a new server.

    Thanks for your help and quick responses.

    #51896 Reply

    Thanks for the update, great it’s working now!

Viewing 13 posts - 1 through 13 (of 13 total)
Reply To: Multisite trying to activate Simple SSL before Multisite addition and failed
Your information: