Complaints about mixed content with HTTPS

(Mark Moorcroft) #1

I just got my certs installed this morning. I get a secure connection with Safari and IE. But Chrome and Firefox complain about active mixed content. Is this inherent in the current version? Or could I be causing it? I’m using the discourse-omniauth-gitlab plugin.

(Jeff Atwood) #2

This means you have references to non-HTTPS content in your setup. Logo images or what have you. Press F12, click the Security tab, then refresh your browser via F5 or by pressing the refresh button at the upper left of your browser.
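
An added example, not part of the original thread: a small Python checker that lists `http://` subresource references in saved page HTML and labels them active or passive, which is the kind of reference the reply above describes. The active/passive split is a simplification, and the sample markup and hostnames are constructed.

```python
from html.parser import HTMLParser

# Simplified split (assumption): script/frame/plugin loads are "active", media is "passive".
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


def insecure(url):
    # Relative and protocol-relative (//host/...) URLs inherit the page's https.
    return bool(url) and url.strip().lower().startswith("http://")


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, line)

    def handle_starttag(self, tag, attrs):
        attrs, line = dict(attrs), self.getpos()[0]
        if tag == "link":
            # Only stylesheet links load as active content; rel=canonical is never fetched.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and insecure(attrs.get("href")):
                self.findings.append(("active", tag, attrs["href"], line))
            return
        for name, value in attrs.items():
            # <a href> and other navigation targets are in neither set.
            kind = ("active" if (tag, name) in ACTIVE else
                    "passive" if (tag, name) in PASSIVE else None)
            if kind and insecure(value):
                self.findings.append((kind, tag, value, line))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup; hostnames are placeholders.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<link rel="canonical" href="http://forum.example.test/">
<script src="//cdn.example.test/app.js"></script>
<img src="http://forum.example.test/logo.png">
<a href="http://example.test/">plain link</a>
<iframe src="HTTP://embed.example.test/widget"></iframe>"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```

It only sees the markup as served; references injected later by scripts will not appear.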

(Mark Moorcroft) #3

Well, it doesn’t seem to be the plugin at least. I can’t seem to get Chrome to tell me what elements are bad. Security says to look at the Network tab, but I see nothing there. I have no external http references anywhere. But I am leaving some fields blank and letting Discourse load the defaults. That could be the issue I suppose, but I would think the defaults would be https capable.

(Jeff Atwood) #4

Press F12, click on the Security tab and then refresh the page using the refresh button at the top of the browser.

(Mark Moorcroft) #5

It’s a Mac first of all. F12 seems to do nothing. But clicking on the lock symbol gets you to the Security tab. Refreshing the page does nothing other than continue to display:

Active Mixed Content
You have recently allowed insecure content (such as scripts or iframes) to run on this site.
View requests in Network Panel

Nothing displaying in the Network panel is http upon refresh.

(Jeff Atwood) #6

Try using these keys to open the F12 panel on Mac:

Do that then click on the Security tab, then refresh the page. (Assuming Google Chrome)

(Mark Moorcroft) #7

Yeah, I was already there by clicking on the lock in the URL bar. Same story. Not seeing any errors or elements that are not https.

I just checked Windows Chrome, and that says the site is secure. It seems to be only Mac Chrome and Mac Firefox. I’ll do some experimenting with tossing the entire profile.

Back in 2014 I had a discussion with our security and he sent this:

Apparently this is actually a ton more complicated than I thought.

Turns out that the noca certs are signed by two different authorities. One is trusted by all browsers, the other is not.

Supposedly on a clean aces install it trusts the global authority, but using Apple Mail and supposedly other env, it gets corrupted and starts trusting the expired cert.

The supposed best workaround is to create a new keychain that prioritizes the correct certificate. Etads was working on this, but it has gotten stalled.

Although this may be an entirely different issue. I do NOT have the extra intermediate he later suggested installed.

(Mark Moorcroft) #8

Update: This morning for some reason Mac Chrome now shows the site as secure (green). I’m not aware of any changes overnight. I suppose I don’t need the answer to the mystery, but it would be nice :-\