Getting SSL error after downgrading to free dyno on Heroku - ruby-on-rails

I recently downgraded one of my Heroku apps to a free dyno - as a result, the SSL was revoked (cos I was using the SSL provided with a paid dyno). Now, when I visit my site URL, it gives me this error: ERR_SSL_PROTOCOL_ERROR
I've edited my production.rb file to set: config.force_ssl = false and published that code, but it still redirects my site to https when I try to connect on http.
Now, to complicate things:
This only applies to my custom domain - the .herokuapp.com domain works fine
It works fine on incognito mode on both the custom domain and the herokuapp.com domain
I've tried clearing the cookies and cache (for the last 7 days) and it still didn't work :/
Any ideas what I can do?
Edit:
In case it helps, I am using Chrome on Windows 10

Given that you are using Chrome, according to this answer, you need to follow these steps to stop Chrome from redirecting http:// to https://.
Anon is right about STS, but there is a way to specifically delete your domain from the set. Go to chrome://net-internals/#hsts. Enter 3rdrevolution.com under Delete domain security policies and press the Delete button.
Now go to chrome://settings/clearBrowserData, tick the box Cached images and files and click the button Clear data.
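Why setting force_ssl = false did not stop the redirect, shown as an added example that is not part of the original question or answer: a simplified model of a browser's HSTS store following RFC 6797. The class, the scenario function and the host www.example.test are constructed for illustration.

```ruby
# Simplified model of a browser's HSTS store (RFC 6797). Added example.
class HstsStore
  Entry = Struct.new(:expires_at, :include_subdomains)

  def initialize
    @entries = {}
  end

  # header is the Strict-Transport-Security value, or nil when it is absent.
  def note_response(host, scheme, header, now)
    # Ignored over plain HTTP; a missing header leaves stored policy untouched.
    return if scheme != "https" || header.nil?
    directives = header.split(";").map { |d| d.strip.downcase }
    max_age = directives.map { |d| d[/\Amax-age\s*=\s*"?(\d+)"?\z/, 1] }.compact.first
    return if max_age.nil? # max-age is a required directive
    if max_age.to_i.zero?
      @entries.delete(host) # max-age=0 tells the browser to forget the host
    else
      subs = directives.include?("includesubdomains")
      @entries[host] = Entry.new(now + max_age.to_i, subs)
    end
  end

  # Would the browser rewrite http://host to https://host at time now?
  def upgrade?(host, now)
    labels = host.split(".")
    labels.each_index.any? do |i|
      entry = @entries[labels[i..-1].join(".")]
      entry && entry.expires_at > now && (i.zero? || entry.include_subdomains)
    end
  end
end

# Timeline of the downgrade described in the question (times in seconds).
def downgrade_scenario
  day = 86_400
  host = "www.example.test" # constructed host
  store = HstsStore.new
  out = {}
  # Paid dyno, force_ssl = true: policy is stored from an HTTPS response.
  store.note_response(host, "https", "max-age=31536000; includeSubDomains", 0)
  out[:with_force_ssl] = store.upgrade?(host, day)
  # force_ssl = false: responses carry no header, so nothing is cleared.
  store.note_response(host, "http", nil, day)
  out[:after_disabling] = store.upgrade?(host, 2 * day)
  # Only max-age=0 over valid HTTPS (or a manual delete) removes the entry.
  store.note_response(host, "https", "max-age=0", 2 * day)
  out[:after_max_age_zero] = store.upgrade?(host, 3 * day)
  out
end
```

On the server side, Rails can send that clearing header with config.ssl_options = { hsts: { expires: 0 } } while force_ssl is still on and a valid certificate is still being served; once the certificate is gone, deleting the entry in the browser as described above is the remaining option.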

Related

Losing ssl when on some pages

I am using rails 4.2.2, deploying to production on Heroku and using the free level of Cloudflare for ssl. In my production.rb file I have set
config.force_ssl = true
If I am not signed in as a user, then ssl works and I see the padlock in the browser url bar, and I see it for all unsigned-in pages. However, once I log into the site, the padlock disappears on all signed-in pages. When I am signed in and chose a different signed-in page, the padlock temporarily appears as the page is being loaded but then disappears when the loading is complete. All this happens on both Chrome and Safari. I am not using Devise.
What could be causing this?
If you are using devise, take a look at this:
https://github.com/plataformatec/devise/wiki/How-To:-Use-SSL-(HTTPS)
Thanks to the support team at Cloudflare, I was able to solve this.
The signed in users can use a gravatar, but the gravatar_image_tag was not being used with the secure setting. This meant the image was being transferred using http not https. This could be seen by looking at the developer console, which was displaying an error indicating the page was displaying with mixed http and https. In order to fix this problem, I just used the secure setting for the gravatar_image_tag.
In my case, the page accesses some insecure assets (e.g. images in AWS S3). Chrome Developer Console shows that the page is mixed-secured. Changing S3 image links from http to https makes SSL work.

Heroku SSL sometimes works, sometimes doesn't work

I configured my Heroku app with SSL Endpoint from Heroku and bought the certificate from DNSimple. When I browse to my site, sometimes it shows up with the green https:// (on Chrome) and other times (like when I click the home button for some reason) the https:// turns red and gets crossed out and the certificate goes back to Heroku's default one instead of the one I purchased. If you then click the lock (to see the SSL) it'll say Identity not verified. How come sometimes it works and sometimes it doesn't??
A few things I have configured
my application.rb says
config.force_ssl = false
but in my production environment I set that to true
config.force_ssl = true
Looking on Firefox in the technical details I get a
(Error code: ssl_error_bad_cert_domain)
Check your DNS configuration. It may be that, for some reason, the domain is pointing to the Heroku standard app endpoint and not the Heroku SSL endpoint.
If this is happening randomly, make sure you don't have two DNS records associated with the same hostname. In fact, if you created two CNAMEs, one pointing to the SSL endpoint and one to the standard endpoint, your request will be randomly routed to one of those hostnames.

Heroku/Rails/Devise/Refinery CMS: IE requires that I have "Accept All Cookies" setting to work

I'm running a Refinery CMS application that uses Devise as the plugin for logging in/authentication. The problem I am having is that Chrome/FF are working fine but IE is not logging the user in. At first, I believed it was that the SSL Certificate wasn't set up yet. After I fixed the SSL issue with Heroku, the problem remained.
Changing the privacy setting for cookies to "Accept all Cookies" is the only workaround I've found to fix this problem. This is problematic because I have to explain to my clients why their IE browser isn't working and at the same time they have to expose themselves to 3rd party cookies if they use this browser for other internet applications.
Is there a configuration that I can set in Rails 3/Refinery/Devise that will remedy this issue?
Thanks!
I had a similar problem - fixed it by using a different session_store in config/initializers/session_store.rb
The :cookie_store default session store tries to store all session information on the browser (which is why you had to set the "Accept all Cookies" in IE). As an example I set my session store to :active_record_store and it solved the login issues.
Coincidentally, I had this problem with IE8, but IE9 and IE10 didn't seem to have the same problem.

How to get Google to forget I had an SSL site with Heroku SSL

I have a website, http://www.scubastic.com, which I use as a playground app for Ruby on Rails development and SEO hacking. I have run into an issue that I can not seem to fix on my own and it revolves around SSL, SEO, and Heroku.
TL;DR: I had an SSL site and I disabled it but Google still remembers the SSL site. How do I get Google to switch to the Non-SSL site when the SSL site still responds but with a Certificate error??
Basically, when I first created Scubastic.com, I set up Heroku SSL as an exercise in learning it. I set up Google Web Master Tools and began playing around with the various aspects of SEO as well. After I was satisfied, I disabled Heroku SSL and stopped the monthly bill.
Now I have a very interesting problem. Google can't seem to forget the HTTPS version of my site and index is quite stale. Worse, the link people get in Google greets them with an SSL Certificate issue (the *.herokuapp.com Cert doesn't match www.scubastic.com issue) which does nothing to help my page rank. If I manually click through the SSL errors, I do arrive at the website. I find this quite odd because I removed Heroku SSL entirely and the application still responds to SSL requests....to me this is a bug in Heroku and I wish I had greater control over the situation. Alas, I turned to trying to handle this at the application layer because SSL requests still hit the Rails stack (even though these requests should not respond at all!)
So my first attempt at fixing the Google index was to set up a 301 Moved Permanently redirect if any request came into the app as SSL.
class ApplicationController < ActionController::Base
  before_filter :redirect_ssl

  private

  # only need this until Google doesn't link to HTTPS anymore
  def redirect_ssl
    if request.ssl?
      redirect_to "http://#{request.host_with_port}#{request.fullpath}",
                  :status => :moved_permanently
    end
  end
end
If you go to Google and search for my site name, you can see the issue I'm having:
https://www.google.com/?q=scubastic
I basically just want Google to stop linking to my SSL site and refresh with the latest content.
Thanks in advance for your help.
I was able to resolve the issue with my original post and a lot of patience. It took 5 days for google to update its index but now the link google serves to my site is the non-ssl version.
The redirect is not going to help currently because browsers will barf when they get an invalid certificate when trying to establish a SSL connection to Heroku and that's before any HTTP is done. I don't think it's a bug with Heroku: You removed SSL (and by implication the certificate) and that leaves no way for Heroku to respond correctly to SSL connection requests to your domain.
Here's what you can do:
Re-add SSL on Heroku
Add the redirection you have
Wait for Google to cotton on to the change
Remove SSL
There is also the option of actively asking Google to remove the page, because it's old/not available anymore: Check the webmaster tools help for how to "Remove old or deleted information from Google".

problems installing ssl certificate

I successfully installed an SSL certificate on my website but Chrome strikes through "https" saying there are still some resources on the website that are not secure. I made sure there's no reference to http on my webpages and also replaced the google's ajax js file with https version. How do I find what else is unsecure on my website and make sure my website is secure for users to browse and do stuff?
Chrome can show you everything that it's loading for a page. This is what you could do on the OS X version; the menu locations and/or modifier keys might be slightly different on other versions.
In Chrome, open up View -> Developer -> Developer Tools
Click on Network.
Hold Shift and click the refresh button.
You should see a list of every network request made for that page. Look for one that is using http instead of https.
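The same check can be run against a page's HTML before deploying. This is an added example, not code from any of the posts above: it lists subresources still requested over http://, the cause of both the gravatar/S3 padlock problem earlier on this page and the struck-through https here. The sample page and all hostnames are constructed, and the active/passive label follows the usual mixed-content distinction.

```ruby
# Elements whose URL attribute is fetched while rendering the page.
SUBRESOURCES = {
  "script" => ["src", :active],  "iframe" => ["src", :active],
  "link"   => ["href", :active], "img"    => ["src", :passive],
  "audio"  => ["src", :passive], "video"  => ["src", :passive]
}.freeze

# Value of one attribute; the lookbehind keeps data-src from matching src.
def attr_value(attrs, name)
  m = attrs.match(/(?<![\w-])#{name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i)
  m && m.captures.compact.first
end

# Returns [{tag:, url:, kind:}] for every subresource requested over http://.
def mixed_content(html)
  html.scan(/<(\w+)\b([^>]*)>/m).each_with_object([]) do |(tag, attrs), found|
    name = tag.downcase
    attr, kind = SUBRESOURCES[name]
    next unless attr
    # <link> only triggers a fetch for rel values such as stylesheet or icon.
    next if name == "link" && attr_value(attrs, "rel").to_s !~ /stylesheet|icon/i
    url = attr_value(attrs, attr)
    next unless url && url.downcase.start_with?("http://")
    found << { tag: name, url: url, kind: kind }
  end
end

# Constructed sample page (not taken from the original posts).
SAMPLE_HTML = <<~HTML
  <link rel="canonical" href="http://www.example.test/">
  <link rel="stylesheet" href="https://www.example.test/app.css">
  <script src="http://cdn.example.test/widget.js"></script>
  <img class="avatar" src="http://www.gravatar.com/avatar/0000?s=80">
  <img data-src="http://lazy.example.test/x.png" src="https://www.example.test/logo.png">
  <img src="http://bucket.s3.amazonaws.com/uploads/photo.jpg">
  <a href="http://www.example.test/about">About</a>
HTML

mixed_content(SAMPLE_HTML).each { |f| puts "#{f[:kind]} <#{f[:tag]}> #{f[:url]}" }
```

Ordinary <a> links and the canonical <link> are not reported because the browser does not fetch them while rendering; resources injected by JavaScript or CSS are not visible to a static scan, so the Network tab remains the final check.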
