https warning

[meteoesine]

Hi,
even I have a valid SLL certificate installed, I have the following problem with https
is it a MT matter or something else from my part? can you pls clearly advise the right way to fix it?
thanks in advance

ScreenShot00238.jpg (6.8 KiB) Viewed 44500 times

ScreenShot00236.jpg (108.45 KiB) Viewed 44500 times

[Jachym]

Hi,
most likely you did not change the page URL parameter in the Main setup.

Go to your server, open config.php in a code editor and check the pageURL parameter. Make sure it is "https" not "http"

[meteoesine]

Solved. tnx Jachym

[Dehatter]

Just as a random followup question, what is the benefit of having a https site over a standard http site. Is there a risk to those of us not currently using https?

... and should we be using one if we are able to?

Tom

[EveshamWeather]

The benefit to me is just Google's search system as this seems to give priority to https sites over plain http ones. There is little other benefit on a site where no logins happen for anyone other than the owner.
I enable https on all sites where possible though as this is free and easy on my webhost as they offer LetsEncrypt certificates as part of the cpanel system.

[Jachym]

In theory - no benefit, there is no personal info or forms sent via Meteotemplate

In practice - yes, as mentioned earlier, Google prioritizes this and will lable such sites as "non-secure" - stupid in case it is irrelevant, but some people might be tempted to leave the site

[Dehatter]

Thanks for both responses.

Tom

[JHoke]

Also adding HTTPS is quite straight forward now with CertBot (and FREE)

https://certbot.eff.org/

I've been using this as my Certificate Authority via cronjobs for about a year now. The certs auto-renew every 3mos and there is no cost at all!

I am a firm believer in HTTPS on everything

[Fraggboy]

. . .I am a firm believer in HTTPS on everything

My thinking exactly. I know it's overkill with MT. When there are free services like CertBot and Let's Encrypt, might as well. Let's Encrypt automatically renews also.

I know others view this as not needed, which it's not. Call me crazy, I guess.

[JHoke]

Call me crazy, I guess.

Welcome to the Crazy Club ... the bar is over there --->

[Jeffm5690]

So this is interesting... I go to my site www.linyweather.net and it looks fine. If you go to https://www.linyweather.net and you get some website for a plastics company. So I go ahead and try installing SSL from my host. Then you go to the https and my site shows up but the layout is all screwy. I pulled the SSL for now. Strange.

[JHoke]

In your config do you have https://www.linyweather.net/ set as your PageURL?

If not then you are trying to load nonHTTPS resources in the HTTPS page which wont work

make sure that in config.php you have

$pageURL = 'https://www,linyweather.net';

not
$pageURL = 'http://www,linyweather.net';

[Jachym]

Its not so straight forward, my provider for example, charges for the SSL certificate as such, so even Lets encrypt is not free.

[Jeffm5690]

In your config do you have https://www.linyweather.net/ set as your PageURL?

If not then you are trying to load nonHTTPS resources in the HTTPS page which wont work

make sure that in config.php you have

$pageURL = 'https://www,linyweather.net';

not
$pageURL = 'http://www,linyweather.net';

All is good now. Had I been smart I would have re-read the prior posts -



Thanks!

[WessexWeather]

Reviving an old thread here...

Has anyone any experience of securing their Meteotemplate site with Cloudflare?

I used to use it with an old Wordpress site which seemed to work well and I’m thinking of trying this with WessexWeather.

Thought I’d post here before I do though, in case it messes things up!

Thanks in advance,

[andyk1]

I know I am jumping into this conversation a bit late but yes I had that exact problem. The cause was a free SSL certificate from 1and1.com My host server and many others here. I replied o this on another tread I don't remember where.

The free SSL cert is not actually in your sites name but was in behalf of 1and1 so the ssl cert would not certify your actual site. I ended up not screwing around and paid $29.something for one registered to my site.... https://look at the bottom. After that my site work just fine. Now the problem I have is I am changing my site to a shorter name as many have told me it was to long and I agree as it was a pain for me to constantly type it out. Shorter but not by much. www.nicomaparkweather.com to www.nicomaparkwx.com a bit simpler but not by much.

Now the problem. The SSL Cert I brought can not be transferred by I can't remember who handles url redirects. ICANN Policy (feel free to correct me) I believe. So now to get my WX site SSL'd (which yes now a days most people fell comfortable with)
I had to buy a new cert for the www..............wx.com. I'm sure it's a way to make more money even though 1and1 says you can transfer it. Not sure if my new site is listed in ICANN yet but the new cert is working but redirects to my old site through www.............../wx/index.html temporarily till the end of the month. my site on top explains why and to give present users time to adjust and google crawler to catch up.

Wished I'd have seen this tread earlier to try the free ssl site that was posted above before spending more money.

Andy

P.S. I tried a paid cert I had from a previous host (fastcomit.com) and that did not work on my new WX site just to let ya's know. My guess is there dns related.

[jonnyj771]

I had a similar issue with my domain registrar (NameCheap).
I reset up my SSL and had the issue with no images and a certification warning.
I got on with a support rep and they walked me through the process which was real simple but I needed a little help.

In the .htaccess file you will find this line at the bottom

Code: Select all

   </IfModule>
    
    <IfModule mod_headers.c>
        # Make sure proxies don't deliver the wrong content
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
</IfModule>

they had me add a line to it and it fixed everything... (note: did not list this as code to show the added line)
</IfModule>

<IfModule mod_headers.c>
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
Header set Content-Security-Policy: upgrade-insecure-requests
</IfModule>
</IfModule>

I believe this line can be added to any .htaccess file. It removes the insecure notifications (site Certificate warnings) and allows the images to show like they are supposed to.
My site was secure and had no issues after that. all I had to do was empty my cache for the last hour or 2 on Chrome and I was good to go. Took about 10 minutes.

[WessexWeather]

I’ve been trying to set up https on my Meteotemplate website without success, mainly because I want to improve my Google ranking.

My host uses a free cPanel certificate which they enabled today. My url successfully included https at the beginning, but there were still security warnings (and no padlock in the browser address field), they say because elements on my site were insecure. So I asked them to disable https again.

I made sure to change my url to https in my Main Settings.

I then tried Cloudflare but I had the same issue - https but without the padlock, and still with browser security warnings - so I disabled that too, for now.

I have looked at Certbot and Letsencrypt to install certificates myself but it’s left me a little confused! I notice many of you have successfully secured your Meteotemplate sites without errors, and any help in achieving this would be much appreciated.

[andyk1]

First off free SSL certificates do not always work because DNS is not always assigned directly to your site but to the host servers DNS. Ask your provider if certificates ae assigned to you. Free ssl like lets encrypt may not work but I have read others have had luck with it as jonnyj771 posted just above. Playing with your htaccess may work depending on your provider.

Andy

[WessexWeather]

OK so I’ve decided to take the Cloudflare route to secure my website.

I initially enabled every layer of security that Cloudflare offered but this killed my SteelSeries Gauges, so I had to switch off the “Always Use HTTPS” setting and HSTS.

I still have “Automatic HTTPS Rewrites” enabled in the hope that this would secure all elements in my site. However although I now have “https” at the start of my url, I do not have a padlock showing and green url in the address bar, so the exercise hasn’t quite worked as I had hoped.

Any ideas?

[Fraggboy]

There is a plugin/block retrieving http information, thus not seeing the green lock. Mine shows it every once in a while.

These screenshots are taken from Firefox. Other browsers should be able to show you this information.

Click on the lock and select More information:

2.jpg (45.1 KiB) Viewed 43065 times

Select Media Tab:

3.jpg (94.61 KiB) Viewed 43065 times

Scroll down on the addresses and look for the offending data that is not https. For myself, it's my Bloomsky video that isn't pulled via https. If it was, my lock would be green.

4.jpg (99.42 KiB) Viewed 43065 times

[Fraggboy]

I have a script that changes http to https. Once the script runs (Every so often), my padlock turns green, as shown below.

Working as intended.jpg (54.4 KiB) Viewed 43064 times

[andyk1]

Sometimes when you setup or even change an SSL certificate it could take 24-48 hours to reflect the new DNS settings. Most times your host takes care of that if you buy the SSL from them. Yes it affects SSgauges but if you do a refresh (the house icon on upper left) it will work in most browsers.

Andy

[andyk1]

I just remembered something. Did you change the main setup found in MeteoTemple Control Panel "Paths" Section In there is a section called (Page URL - make sure to include the http:// !!!) It tells you how to set that up. In your case just change http:// to https"// If your still having trouble check the index.html in the root folder and change it also to reflect the secure sites path.

[WessexWeather]

Thanks for the replies. I changed to https in the main settings immediately, and I don’t have an index.html...

I’m still only getting a partially secure page though.

The only browser that’s reads my site as secure is Firefox.

It’s probably due to other insecure scripts or links within my site, but the warnings may put some users off from visiting.

Very frustrating.