Comments (9)

edavis commented on May 30, 2024

HTTPS up and running via Let's Encrypt.

HTTPS handled by Hitch. Redirects handled by Varnish.

Refs: https://fnord.no/2015/11/12/letsencrypt/

from hnrss.

commented on May 30, 2024

When I go to https://hnrss.org/newest with Firefox 51.0.1 the browser says "hnrss.org: connection is not secure" and "connection not encrypted. the website hnrss.org does not support encryption for the page you are viewing. information sent over the internet without encryption can be seen by other people while it is in transit." The URL https://edavis.github.io/hnrss/ works fine instead.

edavis commented on May 30, 2024

Hi @fturco — Thanks for the report. I'll take a look. A few questions:

Does https://hnrss.org/newest work on other browsers?

Does the page totally fail to load or does it load but just with that error message? Because I do see this on Firefox 52.0.1 (macOS 10.12.3) but the XML still successfully loads:

[Screenshot taken 2017-03-21 at 8:04:06 am]

What OS are you on?

Do you have any special security options set in Firefox?

Do other sites using Let's Encrypt give you any problem?

If you don't mind, could you send me your IP address? I see a handful of errors in the log and knowing which is yours could help. You can also email it to me ([email protected]) instead of posting here, if you'd rather do that.

commented on May 30, 2024

I can successfully open https://hnrss.org/newest with GNOME Web, without any error messages.
In Firefox the XML page loads successfully, just like in your screenshot.
My GNU/Linux distribution is Gentoo Linux.
I have a personal website which supports HTTPS via Let's Encrypt and I also have the same problem with its Atom feed: https://shaarli.fturco.net/?do=atom
I'm going to send you my IP address in private via e-mail.

edavis commented on May 30, 2024

Thanks. I don't see your IP address in the logs, so whatever is happening isn't registering as a proper SSL error (which makes sense if the XML ultimately does load).

I see the same message as you on https://shaarli.fturco.net/?do=atom with Firefox.

Interestingly, your main site (https://shaarli.fturco.net/) and a static file I just put up (https://hnrss.org/.well-known/acme-challenge/test.txt) both show fully green padlocks. Whatever is happening appears to just be happening on the feeds.

Maybe when Firefox takes the feed and transforms the raw XML to the better looking list of articles, that's enough to flag it as not secure?

commented on May 30, 2024

It seems to be a bug with Firefox. See https://bugzilla.mozilla.org/show_bug.cgi?id=1172234

edavis commented on May 30, 2024

"This is because the content is loaded in a page called about:feeds, and that's what the identity popup uses to make decisions. It no longer has access to the security info of the original https channel, and so it can't tell us anything about the cert or otherwise."

Yeah, that's got to be it. Especially since other browsers handle the feeds fine.

I'm going to close the issue for now. Feel free to re-open if you run into any other problems.

Thanks!

edavis commented on May 30, 2024

An email from Tom Hacohen on April 3:

"Just wanted to let you know that it stopped working for me sometime over the last few days. I've been getting handshake errors, which while should work on Android, apparently it doesn't work on Java according to the SSL test. https://www.ssllabs.com/ssltest/analyze.html?d=hnrss.org&hideResults=on

"Have you changed anything?"

Adding/reopening here to increase visibility.

I did change something around April 1. I was using Hitch for SSL termination (so Hitch:443 -> Varnish:6086,PROXY -> NGINX:8080 -> uWSGI) but I wanted to consolidate my stack so I changed it to use NGINX for SSL termination (so NGINX:443 -> Varnish:6081,HTTP -> NGINX:8080 -> uWSGI).

Not sure how to fix at this point. Going to do some research and work on this later.

edavis commented on May 30, 2024

Ran hnrss.org through ssllabs.com again and looks like only Android 2.3.7, IE8/XP, Java 6u45, and Java 7u25 still have issues.

If this move to HTTPS broke something for you, feel free to chime in with changes. I won't introduce massive changes to support some ancient platforms, but if it's a small/safe tweak I'd be happy to look into it.
