SSL Certificate Problem because of the Core file out the document root?

Modx 2.6.5
Hardening with core out the document root
Https since 8 month

Hi,

1) Today my homepage is displayed only with text without css formatting

2) When I click on a link of my webpage , a page with the message «This site is not secure» — Details The hostname in the website's security certificate differs from the website you are trying to visit. With a link «Go to the webpage (Not recommended)»

3) When I click on on the link «Go to the webpage (Not recommended)», I can see the page correctly but with this message in the URL bar, the domain name is replace with it IP address and a certificate error is displayed.

— Please see the attachment file => ssl-01.jpg

This is the second time that this happens

To solve the problem the first time (few months ago) I reinstall a backup copy and everything came back to normal

I did the same thing today, but the problem persists.

Is it possible that the fact that the Core folder is outside the public_html folder is the cause of the problem?

I ask this question because when I go to the page «Manage SSl Host» in the cPanel I see that certificate SSl applies to the root folder public_html. (see attachment file => ssl-02.jpg)

Thank you for your support [ed. note: jber last edited this post 5 years, 8 months ago.]

This is such a pain, I just have dealt with this. The whole https situation is quite unorderly.

What is happening is likely that somehow your css file is going through unsecured. So, its not really going though (styling is broken), but it also says your site isn't secure simply because of the unsecure request.

This can be really confusing, but one possible solution would be to hardcode your link in your template to your css file with https (might also need it for any other scripts you host locally).

Then, if that works, you can see if the normal Modx placeholder works with https specified

That's not the best fix tbh, but it could solve this problem for you.

You can also go into the developers tools in your browser and watch the requests when the page loads, to see exactly what the bad request is.

let me know where you are, we can get you right. [ed. note: nuan88 last edited this post 5 years, 8 months ago.]

Thank you, your information allowed me to identify the probable source of the problem.

Effctively, some CSS and JS files have not been loaded.

It also allowed me to find that <base href = "[[++ site_url]]" /> does not return <base href="https://mydomain.ca/" /> but <base href="https://155.55.55.201/" />.

Now the question is why <base href = "[[++ site_url]]" /> returns <base href="https://155.55.55.201/" /> instead of <base href="https://mydomain.ca/" />.

Is it a MODX bug or an SSL Certificate problem?

I'll try your solution for now and I'll let you know if it works.

Information from Google : Distrust of the Symantec PKI: Immediate action needed by site operators — March 7, 2018
https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html

Thank you for your valuable information

Hi,

I hardcode the <base href = "[[++ site_url]]" />, this solved my problem.

Strange, this tag « <link rel="canonical" href="[[++site_url]][[*id:isnot=`[[++site_start]]`:then=`[[~[[*id]]]]`]]" /> » is OK, I don't have to hardcore it. Why?

Thank

Glad it could help.

I can't help too much more, because apparently there is something going on deeper in the system, it could even be your hoster's rules. Also your htaccess file is involved!

I had to put https into all my templates, but then apparently later had to change them back when the underlying issue was changed, in other words prepending the https led to my styling breaking rather than fixing it, lol.

And I have no idea how it all happened, honestly.

My gues might be the htaccess file, which should re-write every page request, for some reason those requests are not being re-written.

Here, consider to try out my htaccess, but this would be without the hard-coded https in your templates, it should work. I just posted this not long ago and it straightened someone out.

Ah here is the link to the post I put it on https://forums.modx.com/thread/104020/friendly-urls-and-migration-to-https-ssl#dis-post-559396

Quote from: jber at Aug 23, 2018, 03:42 PM

Hi,

I hardcode the <base href="[[++ site_url]]">, this solved my problem.

Strange, this tag « <link rel="canonical" href="[[++site_url]][[*id:isnot=`[[++site_start]]`:then=`[[~[[*id]]]]`]]"> » is OK, I don't have to hardcore it. Why?

Thank

I think that's because of your htaccess, which is re-writing the id number into the alias

Also this thread has some info as well, its the same as above, just the second page.

https://forums.modx.com/thread/?thread=104020&page=2

It turned out that cPanel and WHM had an Options line in the <Directory> block that was not set correctly. Obviously that trumps .htaccess settings.

Thank, you are really good advice.

For what I understand (my first language is french), there would be a little setting problem in cPanel. I looked in the cPanel and I did not find the « Directory »block.

Would you be kind enough to tell me where file is located, so that I can check?

Hi,

Do you think that using the uncached [[!++site_url]] could solve the problem?

Thank

Quote from: jber at Aug 23, 2018, 06:19 PM

Hi,

Do you think that using the uncached [[!++site_url]] could solve the problem?

Thank

I don't think that would matter, but you should call the site uncached in any case

To be honest I think the hard-coded calls to the css files and local js is good enough, if you don't plan on changing urls. It doesn't represent a risk at all, the only issue would be if the url changed.

About those server settings, I would say don't worry about them for now, that was another user, i also don't know where they are.