Simple Machines Community Forum

SMF Support => SMF 2.1.x Support => Topic started by: baldur2630 on July 05, 2022, 06:20:55 PM

Title: SSL Certificates
Post by: baldur2630 on July 05, 2022, 06:20:55 PM
I have 3 forums running on CentOS 7 no SSL no problems.

I'm upgrading to CentOS 8 and I want to move the forums over. To test everything was working, I started an install of the latest version. I got to the SSL part and Bye Bye installation.

I'm planning to install Let's Encrypt. I see no reason to pay for something which does NOTHING. It doesn't stop the hackers. It doesn't stop the spammers and it doesn't block the backdoors that the alphabet agencies have built into every computer. Let's Encrypt is the way to go BUT...

When I tried to install a certificate, it needs the name of the forum and if the forum can't exist because it can't be installed, SMF seems to be out of the race.

I hope there is either an older version I can use which doesn't die if I don't make some millionaires even richer OR perhaps someone has managed to install Let's Encrypt for a site which doesn't exist.

I am NOT using a hosting site. All my servers are in a subdomain which I host myself in my office (and I have all the security if it's in my office that SSL won't give me!)

Anyone have an answer to this conundrum or do I stay with Centos 7?
Title: Re: SSL Certificates
Post by: Kindred on July 05, 2022, 06:23:03 PM
I have no idea what you mean.
I installed smf just fine without a certificate and then added the certificate after installation
Title: Re: SSL Certificates
Post by: Arantor on July 05, 2022, 06:27:35 PM
Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
I see no reason to pay for something which does NOTHING

Not entirely true, it enables HTTPS without users getting scary warnings, which prevents the most trivial cases of MITM and so on and things like password sniffing over wifi.

Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
When I tried to install a certificate, it needs the name of the forum and if the forum can't exist because it can't be installed, SMF seems to be out of the race

This is really a server problem not a PHP application level problem; you'd plug the certificate into Apache (or nginx, whichever your flavour, doesn't really matter) and if you can't serve even a static file/image from there, it's not configured correctly, because SSL connections are handled by the web server underneath the PHP layer.

Get it running without worrying about PHP - just stick an image in the folder you're going to be serving from and verify you can access that correctly over HTTPS.

As for SMF, you're on CentOS 7 which IIRC ships with PHP 5.4 which is far too old for SMF 2.1 (but not the still-supported 2.0). Ideally if you want to use SMF, not using something with a 10 year old (and long since unsupported by its developers) version of PHP would be a good start.
Title: Re: SSL Certificates
Post by: live627 on July 05, 2022, 07:31:20 PM
Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
When I tried to install a certificate, it needs the name of the forum and if the forum can't exist because it can't be installed, SMF seems to be out of the race.
Are you confusing that with the domain name?
Title: Re: SSL Certificates
Post by: marcosbr on July 05, 2022, 08:19:52 PM
Let's Encrypt will install a sub domain if you have a "valid" domain,
They don't know "your office"
Title: Re: SSL Certificates
Post by: baldur2630 on July 05, 2022, 11:22:07 PM
Quote from: Kindred on July 05, 2022, 06:23:03 PM
I have no idea what you mean.
I installed smf just fine without a certificate and then added the certificate after installation
What browser, I tried Firefox, Chrome, Brave and it's the same with every one of them. It's fine until you reach the page where at the bottom you have a checkbox about forcing SSL. It's grayed out and as soon as you click 'Continue', I get a BLANK screen and a message it's insecure.

Just utter BS. There is no more privacy SSL or not NOTHING is secure.

There seems to be no way past this on my system. Unless you have found a browser that isn't trying to make someone rich.
Title: Re: SSL Certificates
Post by: shawnb61 on July 05, 2022, 11:27:56 PM
I suggest stepping thru this how-to, one careful step at a time.  Especially the SSL diagnostics & repair_settings tools:
https://www.simplemachines.org/community/index.php?topic=555034.0
Title: Re: SSL Certificates
Post by: Kindred on July 06, 2022, 02:22:57 AM
Quote from: baldur2630 on July 05, 2022, 11:22:07 PM
Quote from: Kindred on July 05, 2022, 06:23:03 PM
I have no idea what you mean.
I installed smf just fine without a certificate and then added the certificate after installation
What browser, I tried Firefox, Chrome, Brave and it's the same with every one of them. It's fine until you reach the page where at the bottom you have a checkbox about forcing SSL. It's grayed out and as soon as you click 'Continue', I get a BLANK screen and a message it's insecure.

Just utter BS. There is no more privacy SSL or not NOTHING is secure.

There seems to be no way past this on my system. Unless you have found a browser that isn't trying to make someone rich.

Any browser

Don't use https to install.
Use http.
Install smf.
Then install your cert.
Then switch your smf to https.

If you get a warning, then tell it to ignore the insecure nature, you are aware of the risks.

Title: Re: SSL Certificates
Post by: baldur2630 on July 06, 2022, 03:17:56 AM
Quote from: shawnb61 on July 05, 2022, 11:27:56 PM
I suggest stepping thru this how-to, one careful step at a time. Especially the SSL diagnostics & repair_settings tools:
https://www.simplemachines.org/community/index.php?topic=555034.0

The opening line says it all (1.) Purchase & install your certificate.

HTTP is fine until the box about forcing SSL, after that ALL the browsers stop working and give a blank page or an error message. To say it works with any browser is pure bull****** IT DOES NOT.

I don't think this is an SMF problem. I think it's a browser problem and/or Windows 10.
I'll try it using XP see what that does
Title: Re: SSL Certificates
Post by: marcosbr on July 06, 2022, 09:37:14 AM
Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
I have 3 forums running on CentOS 7 no SSL no problems.

I'm upgrading to CentOS 8 and I want to move the forums over. To test everything was working, I started an install of the latest version. I got to the SSL part and Bye Bye installation.

I'm planning to install Let's Encrypt. I see no reason to pay for something which does NOTHING. It doesn't stop the hackers. It doesn't stop the spammers and it doesn't block the backdoors that the alphabet agencies have built into every computer. Let's Encrypt is the way to go BUT...

When I tried to install a certificate, it needs the name of the forum and if the forum can't exist because it can't be installed, SMF seems to be out of the race.

I hope there is either an older version I can use which doesn't die if I don't make some millionaires even richer OR perhaps someone has managed to install Let's Encrypt for a site which doesn't exist.

I am NOT using a hosting site. All my servers are in a subdomain which I host myself in my office (and I have all the security if it's in my office that SSL won't give me!)

Anyone have an answer to this conundrum or do I stay with Centos 7?

You cannot "force" SSL without having a certificate installed.
Title: Re: SSL Certificates
Post by: Arantor on July 06, 2022, 09:38:18 AM
Which is why you should get the SSL working *first* before worrying about SMF in this case.
Title: Re: SSL Certificates
Post by: Chief of Nothing on July 06, 2022, 10:41:39 AM
Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
I see no reason to pay for something which does NOTHING.
Yes it does, as Arantor said it blocks nearly all man in the middle attacks, from sniffing passwords to eavesdropping on the content you're looking at.

You didn't say what webserver you're running so perhaps if you tell us that and maybe post the server's configuration we can help more.

I too think you may have confused forum name with domain name with the certificate. Did you put your domain info into the Let's Encrypt certificate?

Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
and I have all the security if it's in my office that SSL won't give me!
This is not good thinking, it matters not one bit if the computer is in your office or not if there are any unpatched / not yet discovered exploits in your OS, webserver, php or forum software.

Quote from: baldur2630 on July 06, 2022, 03:17:56 AM
I don't think this is an SMF problem. I think it's a browser problem and/or Windows 10.
I'll try it using XP see what that does
It is not an SMF problem. It is not a browser problem. It is not a Windows 10 problem. It is a webserver configuration problem.
Title: Re: SSL Certificates
Post by: baldur2630 on July 06, 2022, 11:06:23 AM
HP-Proliant ML110 G6 Server. VMWare ESX 6 (we are VMWare partners)

CentOS 8 server. Downloaded last week. Clean installation 4GB RAM. 100GB hard drive.

Apache, mySQL,
SELinux disabled.
dnf updates done.
vsftpd with TLS working.

2 x virtual servers. Working fine with a Welcome stub
vserver folder in /etc/http/config.d as below (exactly the same as on CentOS 7 which works fine WITHOUT an SSL)

<VirtualHost *:80>
    ServerName myserver.mydomain(FQDN)
    DocumentRoot /var/www/myserver
    RewriteEngine On
    RewriteRule ^(/techsup/.*) /www/myserver$1

    ServerAdmin myEmail
    ServerAlias myserver
    ErrorLog /var/log/httpd/myserver-errorr_log
    TransferLog /var/log/httpd/myserver-access_log
    DirectoryIndex index.php
</VirtualHost>

What else?
Title: Re: SSL Certificates
Post by: Aleksi "Lex" Kilpinen on July 06, 2022, 11:08:47 AM
Quote from: baldur2630 on July 06, 2022, 03:17:56 AM
The opening line says it all (1.) Purchase & install your certificate.

HTTP is fine until the box about forcing SSL, after that ALL the browsers stop working and give a blank page or an error message. To say it works with any browser is
Others have said this already in other words, but I'm just pointing this out once more to be clear,
since you seem more than a bit confused about it.

Installing an SSL certificate and configuring your server to use it, has nothing to do with SMF.
Title: Re: SSL Certificates
Post by: Chief of Nothing on July 06, 2022, 11:23:21 AM
Quote from: baldur2630 on July 06, 2022, 11:06:23 AM
What else?

Ok, I'm not so up to date with Apache but from what you've posted if that's the only configuration that you have then Apache is not configured to use SSL.

You also need a virtualhost listening on port 443 for SSL. This virtualhost would contain the settings for enabling SSL and the path to the SSL certificate for the domain. Here is an example I found:

<VirtualHost 192.168.1.1:443>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        SSLCertificateFile      /etc/ssl/star.example.com.crt
        SSLCertificateKeyFile   /etc/ssl/star.example.com.key

        ServerName      "one.example.com"
        DocumentRoot    "/var/www/html/one"

        CustomLog       "/var/log/httpd/one-access.log" combined
        ErrorLog        "/var/log/httpd/one-error.log"

        <Directory /var/www/html>
                AllowOverride none

                Order Allow,Deny
                Allow from all
        </Directory>
</VirtualHost>

Do you have any configs that looks similar to that?
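
A hardened form of the port-443 virtual host quoted in the post above, together with the port-80 host it sits beside, as an added example that is not part of the original thread. The hostname forum.example.com, the log file names and the certificate paths (certbot's default /etc/letsencrypt/live/ layout) are assumptions; the DocumentRoot is the one baldur2630 posted.

```apache
# Added example, not from the thread. forum.example.com is a placeholder
# hostname; certificate paths assume certbot's default layout.
# Needs mod_ssl and mod_rewrite loaded.

# Port 80 stays up: Let's Encrypt's HTTP-01 check fetches a token from
# /.well-known/acme-challenge/ over plain HTTP, so the name must resolve
# publicly and port 80 must be reachable when the certificate is issued.
<VirtualHost *:80>
    ServerName   forum.example.com
    DocumentRoot /var/www/myserver

    # Send everything except the ACME challenge path to HTTPS.
    # Enable these three lines only after the :443 host below answers.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://forum.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName     forum.example.com
    DocumentRoot   /var/www/myserver
    DirectoryIndex index.php

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/forum.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.example.com/privkey.pem

    # Weak, as in the quoted sample: the string explicitly keeps export-grade
    # (EXP), low-strength (LOW), RC4 and SSLv2 suites in the list.
    #   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    # Corrected: TLS 1.2 and newer, strong suites only.
    SSLProtocol    all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    ErrorLog  /var/log/httpd/forum-ssl-error.log
    CustomLog /var/log/httpd/forum-ssl-access.log combined

    <Directory /var/www/myserver>
        AllowOverride None
        # Apache 2.4 syntax; replaces "Order Allow,Deny" / "Allow from all".
        Require all granted
    </Directory>
</VirtualHost>
```

Place a static image in the DocumentRoot and fetch it over https:// before running the SMF installer, as suggested earlier in the thread; if that request fails, the fault is in this file rather than in SMF.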


Title: Re: SSL Certificates
Post by: baldur2630 on July 06, 2022, 11:25:18 AM
Quote from: Chief of Nothing on July 06, 2022, 10:41:39 AM
Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
I see no reason to pay for something which does NOTHING.
Yes it does, as Arantor said it blocks nearly all man in the middle attacks, from sniffing passwords to eavesdropping on the content you're looking at.

You didn't say what webserver you're running so perhaps if you tell us that and maybe post the server's configuration we can help more.

I too think you may have confused forum name with domain name with the certificate. Did you put your domain info into the Let's Encrypt certificate?

Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
and I have all the security if it's in my office that SSL won't give me!
This is not good thinking, it matters not one bit if the computer is in your office or not if there are any unpatched / not yet discovered exploits in your OS, webserver, php or forum software.

Quote from: baldur2630 on July 06, 2022, 03:17:56 AM
I don't think this is an SMF problem. I think it's a browser problem and/or Windows 10.
I'll try it using XP see what that does
It is not an SMF problem. It is not a browser problem. It is not a Windows 10 problem. It is a webserver configuration problem.

WRONG - visit www.grc.com. I quote from their site
How is this elegant system subverted?
Any corporation, educational institution, or other Internet connectivity provider who wishes to monitor every Internet action of its employees, students or users—every private user ID & password of every social networking or banking site they visit, their medical records, all "secure" eMail . . . EVERYTHING—simply arranges to add one additional "Pseudo Certificate Authority" to their users' browsers or computers. It's that simple.

For example, suppose that "Bendover Industries" installs a commercially available "SSL Proxy" (also known as an HTTPS or TLS Proxy). Then, as part of prepping computers for use inside their network, Bendover's IT department simply adds one additional "trusted" Certificate Authority to each computer. That's all it takes.

Now, whenever anyone inside Bendover's network makes a "secure" connection to any remote public web site—their bank, Google Mail, Facebook, anything—that connection is intercepted by Bendover's SSL Proxy appliance before it leaves the building. On-the-fly, the SSL Proxy Appliance creates a fraudulent "spoofed" web server certificate in order to impersonate the intended remote web site, and it signs that fraudulent certificate itself using the signature of the also-fraudulent Certificate Authority that was previously planted inside the user's browser or computer.

Because the impersonation is perfect, neither the browser nor the user can readily detect that they do not have a securely encrypted direct connection to the remote web site. Their browser shows every facet of a standard secured SSL connection—all the locks and pretty colors and everything we have been trained to look for and check for are present . . .
And it's all a lie.

Instead of connecting to the remote web server, the browser is "securely" connected only to the local Proxy Appliance which is decrypting, inspecting, and logging all of the material sent from the browser. It inspects all content to determine whether it abides by whatever arbitrary policies the local network is enforcing. Its users have NO privacy and NO security. Or perhaps it just silently logs & records everything for possible future need. Either way, it has obtained full access to everything the user enters into their web browser.

Do you TRUST the providers after you shell out your hard-earned cash? I for one DO NOT.

Title: Re: SSL Certificates
Post by: baldur2630 on July 06, 2022, 11:26:15 AM
Quote from: Chief of Nothing on July 06, 2022, 11:23:21 AM
Quote from: baldur2630 on July 06, 2022, 11:06:23 AM
What else?

Ok, I'm not so up to date with Apache but from what you've posted if that's the only configuration that you have then Apache is not configured to use SSL.

You also need a virtualhost listening on port 443 for SSL. This virtualhost would contain the settings for enabling SSL and the path to the SSL certificate for the domain. Here is an example I found:

<VirtualHost 192.168.1.1:443>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        SSLCertificateFile      /etc/ssl/star.example.com.crt
        SSLCertificateKeyFile   /etc/ssl/star.example.com.key

        ServerName      "one.example.com"
        DocumentRoot    "/var/www/html/one"

        CustomLog       "/var/log/httpd/one-access.log" combined
        ErrorLog        "/var/log/httpd/one-error.log"

        <Directory /var/www/html>
                AllowOverride none

                Order Allow,Deny
                Allow from all
        </Directory>
</VirtualHost>

Do you have any configs that looks similar to that?


Of course I don't because I don't have any SSL Certificate. Please read the previous posts.
Title: Re: SSL Certificates
Post by: Arantor on July 06, 2022, 11:27:10 AM
If you're that bothered, why are you even bothering with SSL?
Title: Re: SSL Certificates
Post by: Aleksi "Lex" Kilpinen on July 06, 2022, 11:35:39 AM
Quote from: baldur2630 on July 06, 2022, 11:26:15 AM
Of course I don't because I don't have any SSL Certificate. Please read the previous posts.
The FIRST step in getting SSL to work, is to get a certificate.
Please read the previous posts.

Marking this topic solved, as at this stage it is not an SMF issue.
Title: Re: SSL Certificates
Post by: baldur2630 on July 06, 2022, 11:37:27 AM
Because 'believers' (like you) won't visit the site if it doesn't have one. Letsencrypt is FREE so I am quite happy to make 'believers' happy. Incidentally it's Open Source, so less likely to have the backdoor than the costly ones.

I repeat, None of us have any security or any privacy. I don't just have a Firewall. I check all my logs DAILY and block all the parasites that have nothing better to do than post s**t on your forum or deluge you with spam. SSL does NOTHING to stop that.
Title: Re: SSL Certificates
Post by: baldur2630 on July 06, 2022, 11:38:37 AM
Quote from: Aleksi "Lex" Kilpinen on July 06, 2022, 11:35:39 AM
Quote from: baldur2630 on July 06, 2022, 11:26:15 AM
Of course I don't because I don't have any SSL Certificate. Please read the previous posts.
The FIRST step in getting SSL to work, is to get a certificate.
Please read the previous posts.

Marking this topic solved, as at this stage it is not an SMF issue.

Good for you. Maybe time to change forums software.
Title: Re: SSL Certificates
Post by: Aleksi "Lex" Kilpinen on July 06, 2022, 11:48:29 AM
Feel free, if you feel it makes you happier. The other option would be to read through what we have already told you, and accept that your issue is with your server configuration first, only when you have that part covered can you get SMF configured too.
Title: Re: SSL Certificates
Post by: Chief of Nothing on July 06, 2022, 11:56:31 AM
Quote from: baldur2630 on July 06, 2022, 11:25:18 AM
WRONG - visit www.grc.com. I quote from their site
You need to take that in context. Large corporations might do this if they were stupid. Small businesses with stupid snooping bosses might do this. Educational institutions that are stupid and not worth studying at might do this. Any ISP worth their salt will not be doing this, they'd be out of business real fast if they were. It's actually pretty easy to check, despite what Steve Gibson says.

Quote from: baldur2630 on July 06, 2022, 11:26:15 AM
Of course I don't because I don't have any SSL Certificate. Please read the previous posts.

I have read the previous posts. I'm trying to help you, but if you want to start being a d*** about it I'll just walk away.
Title: Re: SSL Certificates
Post by: Arantor on July 06, 2022, 01:49:36 PM
If you can't make it work with a static file (i.e. excluding SMF), you're going to have about as much fun with the other forum platforms.

Also as far as "the believers" go, I doubt your users will be too keen on entering a password into a box that most browsers will explicitly mark "insecure" if not on HTTPS. All my dev sites on my local don't have HTTPS and I'm fairly sure at some point Chrome is just going to not let me enter a password any more.

But sure, let's call Google "believers" (they're one of the people driving the encryption movement, even to the point of downranking HTTP only sites)
Title: Re: SSL Certificates
Post by: Steve on July 08, 2022, 06:37:10 AM
Quote from: Aleksi "Lex" Kilpinen on July 06, 2022, 11:35:39 AM
Marking this topic solved, as at this stage it is not an SMF issue.
And locking as the conversation has taken a contentious turn.