I recently enabled SSL for my Heroku-hosted website, wildcodemonkey.com, but when I visit it in Chrome I see the error "ERR_SSL_PROTOCOL_ERROR".
My research indicated that the SSL connection terminates at Heroku's router, which then passes the request along via HTTP to my express/node site. Consequently, I did not set up 'https' in my server and have been expecting standard HTTP connections.
My SSL configuration is such that my CSR, key and cert were passed along to Heroku. I'm using the SSL option baked into Heroku, not a third-party resource/addon. After enabling SSL in my app's settings I changed my DNS to reflect the new endpoint (wildcodemonkey.com.herokudns.com instead of wildcodemonkey.com.herokuapp.com), this is the endpoint I was told to use when I configured SSL on Heroku, directly copied and pasted from the settings page after setting up ssl.
I do see morgan logging GET requests when I hit the domain, so it does look like everything is making it end to end, so I'm not sure where the issue is occurring.
Any assistance would be greatly appreciated. Thanks ahead of time.
According to the SSLLabs report the certificate chain of this site is incomplete. While desktop browsers often but not always will work around this problem mobile browsers and other applications will usually not. Check the documentation provided by your CA which chain certificates need to be configured.
Related
I'm developping an intranet, to do so I'm using Node.JS without Express and until now I was using the http module with createServer but I noticed when I connect using localhost everything is fine, but when I connect to my server using the IP instead (from my machine or another device on the network) I get a warning in Chrome in the top-left corner saying that my site is not secured. I think this is because I'm using http instead of https but in order to use https.createServer I need to provide a SSL certificate, and I don't have one because I'm making an Intranet so it's not a website that need to be hella-secured since it will be deployed on a personal network only accessible from like 6 people.
I saw on tutorials that the options needs to look like :
options = {
pfx: fs.readFileSync("ssl/crt.pfx"),
passphrase: "password"
}
But I don't have any and I don't quite get how those work, I just want the message to disappear.
You can't create HTTPS server without a SSL certificate, but you can use tools to do so, like OpenSSL, but the certificate will appear invalid.
I am working on a 2-player card game. The two client facing pages are hosted on Github pages and the node server is running on AWS.
Everything works fine when I view my client side pages locally, but when I try to open them on Github pages I get this error:
Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ''. This request has been blocked; the content must be served over HTTPS.
So then I change the connection url to include https like this:
var socket = io.connect("https://ec2-18-191-142-129.us-east-2.compute.amazonaws.com:3000");
And I get this error:
index.js:83 GET https://ec2-18-191-142-129.us-east-2.compute.amazonaws.com:3000/socket.io/?EIO=3&transport=polling&t=N71Cs6c net::ERR_SSL_PROTOCOL_ERROR
Here are my security groups:
Do I need to do something with an SSL certificate? Is it even possible with my current setup as I don't have access to the domain I am hosting on (Github Pages). If it's not possible are there any online services I can host my client code on and get an SSL certificate, or do I have to buy a domain and hosting? Any help welcome, but please try to explain it because I am very new to all this. Thank you.
Ec2 doesn't support https like this ("out of the box").
There is several way of doing it, but I suggest you should create a application load balancer (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) and then configure https on it (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html).
Other solution can be using Cloudfront, or configure https directly on the instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html).
Hope that makes sense.
As mentioned by alcyon, changing from HTTP to HTTPS does not enable your application to run over HTTPS. There are many ways to achieve this. Checkout the detailed guide by AWS for your use-case at https://aws.amazon.com/premiumsupport/knowledge-center/configure-acm-certificates-ec2/ .
The way the appfog documentation reads is that as long as you use their provided domain you will get free SSL.
But as far as I understand things you need a .KEY and a .CERT file in order for NodeJS to start a https server.
Am I missing something or do they really only support https on custom domains...?
Thanks gals and guys!
Appfog Documentation in question: https://docs.appfog.com/customize/ssl
You can use https right away with their provided domain name, e.g., myapp.aws.af.cm. When using their provided domain name, then AppFog handles SSL termination so your app doesn't need to do anything.
Also, if you need to know the protocol that was used on the request, then you can look at the X-Forwarded-Proto header that is added by AppFog during routing.
The info for SSL for Custom Domains is for when you are using your own custom domains. Then you will need to go through more setup, ssl certs, etc.
I want to make my app public, but I don't have validate SSL cert and hosting with unique IP for it. I read that the changes ommiting https:// will come in October. How can I change my app to working by http until October's changes?
Generally problem for now is: when i enter to facebook via https and go to app, there is a error about untrust cert and apps isn't loaded.
If there is no way to avoid "migration" changes, can any1 tell me is there any chance to run MySQL database on Heroku?
When setting in the developer console a secure url (https), and trying to load the canvas under facebook:
https://apps.facebook.com/fanta-seriea/
I get the error saying that facebook received an empty responde.
Am I doing something wrong? The certificate is allright:
https://fanta-seriea.com
So why is this happening?
L.
If you enable SSL for your FBML app, please make sure that your SSL certificate includes all intermediate certificates in the chain of trust as our SSL validation is strict. You can use third-party SSL analysis tools (e.g., https://www.ssllabs.com/index.html) to check your certificate status and fix any errors (and warnings). If your SSL certificate has problems, you may see "Empty response received" error when you load your FBML canvas app."
From https://developers.facebook.com/blog/post/567/
Sorry for offtopic.
New Developer Roadmap says that FBML will die on 1st June 2012. Better go on iframe mode.
Have you definitely added a secure canvas URL in your app configuration? On the developer app, go to edit your app and under basic settings you should have URLs in both 'Canvas URL' and 'Secure Canvas URL'
I'm showing the HTTPS version as resolving correctly (although it doesn't fail gracefully if you access that url directly, it pukes errors all over the place) - https://www.fanta-seriea.com/fbfsapro/ - but when I try to access the HTTPS version of the canvas app, it redirects me back to the HTTP version. Is the SSL url set correctly in the SSL url section of your application settings?
You are referencing non-secure assets on that page. Facebook may be providing you with an invalid error message.
You should relativize all URLs that are simple assets.
If you need assets from other domains that are not yours, you can use protocol relative URLs : http://paulirish.com/2010/the-protocol-relative-url/