Trying out SSL


Alex
April 6th, 2014, 01:37 AM
I had played with it about a year ago, had it running for a short while, then broke it unintentionally. I spent much of today getting it up and running again, and now with the larger server capacity we have, I want to try running the whole site through SSL (https). It simplifies many things if you just move the whole site over rather than doing it piecemeal. There will undoubtedly be some quirks along the way, so please post up when/if you notice them.

I know that the wiki might show up with some SSL errors, and I think there are still some glitches on the portal page. Also - as we post up many, many images on this forum from other websites, you will frequently see the SSL symbol in your address bar change from full lock/green to yellow. All this means is that some items on the page you are looking at aren't encrypted, as they are being served directly from another website; they aren't coming from our ninjette.org server itself.

Alex
April 6th, 2014, 02:00 AM
One thing I'm working on is the youtube embed code; it's not happy right now. The links still work, but I hope to have the existing embed code fixed shortly.

EDIT: Most of the major embedding code is now working fine (youtube, google maps, vimeo, spotwalla, the member map)

Alex
April 6th, 2014, 03:02 AM
The wiki looks pretty good at this point. No obvious SSL errors anymore, and I took the opportunity to update the logo picture and the sizing of the header ad, so it looks much more like the main part of the site. Was able to use the SSL error logs to identify a few other files/images that had been missing for years, including the bullet images on the list pages within the wiki (like here (https://www.ninjette.org/wiki/Category:Electrical,_Lighting,_and_Gauges)). I think it's time for sleep... :thumbup:

Alex
April 6th, 2014, 02:16 PM
Hmm, I have a user saying on Facebook that they can't get to the site, as it keeps saying invalid certificate and redirecting them. Has anyone else seen anything like that today? (I imagine if it's affecting others, they wouldn't be here either, but worth a shot). Still seeing normal usage and normal traffic so far, so it doesn't appear to be a widespread problem.

Alex
April 7th, 2014, 04:04 PM
Seems like most of the issues have been sorted out. There are nuances in getting everything pushed correctly from:

http://ninjette.org
http://www.ninjette.org
https://ninjette.org
https://www.ninjette.org

to all be correctly pushed to and served from:

https://www.ninjette.org

even when there are subdirectories past the main domain coming in on the query, for all 4 choices. It takes a combination of mod_rewrites to add the www, and redirects between apache virtual servers to push all http traffic to https. For fun, go check any of your favorite sites that use SSL, and try all 4 combinations to see what happens. Just found out my main company's site is borked by a couple of these (Fortune 20).

Also learned that SSL certs are tied directly to "ninjette.org" or "www.ninjette.org", but not necessarily both. Many providers do not create certs that will work on both, and you have to pay extra for wildcard-type certs to cover that case. GoDaddy certs apparently include the domain.com and the www.domain.com, so it is working here by dumb luck, not because I understood that ahead of time.

Added a "site seal" in the footer, which allows the truly paranoid a separate check that my cert provider confirms that this is actually the right site, and the cert was obtained and installed correctly.
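
The redirect setup described in the post above, sketched as an added Apache example (not the site's actual configuration, which the thread does not show). The certificate paths are placeholders, and the layout of one port-80 and one port-443 virtual host is an assumption.

```apache
# Added example: canonicalise all four entry points to https://www.ninjette.org
# Certificate paths are placeholders; the thread does not show the real config.

# http://ninjette.org and http://www.ninjette.org
<VirtualHost *:80>
    ServerName www.ninjette.org
    ServerAlias ninjette.org
    # mod_alias appends the rest of the path and keeps the query string, so a
    # deep link such as /forums/showthread.php?t=1 lands on the same page.
    Redirect permanent / https://www.ninjette.org/
</VirtualHost>

# https://ninjette.org and https://www.ninjette.org
<VirtualHost *:443>
    ServerName www.ninjette.org
    ServerAlias ninjette.org

    SSLEngine on
    # The certificate must list BOTH names. The TLS handshake completes before
    # any redirect is sent, so a cert valid only for www.ninjette.org makes
    # https://ninjette.org fail with a name-mismatch warning instead.
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # mod_rewrite adds the www on bare-domain HTTPS requests only.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\.ninjette\.org$ [NC]
    RewriteRule ^ https://www.ninjette.org%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

With this layout, each of the four starting URLs reaches the canonical host in a single 301, with path and query string intact.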

Alex
April 17th, 2014, 09:15 PM
If people are still seeing SSL errors when they browse ninjette from some PCs, make sure to check out this thread (https://www.ninjette.org/forums/showthread.php?t=174783) for a possible solution.

Alex
April 21st, 2014, 01:06 AM
Playing with the ciphersuites available for SSL. We were scoring a C- on Qualys's security test, by allowing all types of ciphers, including older weak ones. No modern browsers are limited to them anymore, so it should be a non-issue to limit the ciphers to the ones that people are using anyway. But - if you are seeing any weirdness, please let me know. Here's what it looks like now:

https://www.ninjette.org/forums/picture.php?albumid=840&pictureid=11491

Alex
August 7th, 2014, 09:37 AM
This can only help us here:

Google confirms it's giving HTTPS sites higher search rankings (http://www.zdnet.com/google-confirms-its-giving-https-sites-higher-search-rankings-7000032428/)

CynicalC
August 8th, 2014, 08:14 AM
Playing with the ciphersuites available for SSL. We were scoring a C- on Qualys's security test, by allowing all types of ciphers, including older weak ones. No modern browsers are limited to them anymore, so it should be a non-issue to limit the ciphers to the ones that people are using anyway. But - if you are seeing any weirdness, please let me know. Here's what it looks like now:

https://www.ninjette.org/forums/picture.php?albumid=840&pictureid=11491

http://i.imgur.com/PRmVtry.jpg

Alex
October 17th, 2014, 08:00 PM
Had to remove support for SSLv3 due to the POODLE attack.

info: http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/

Shouldn't affect many users, but if you are seeing SSL issues when you use an older browser, that may be the reason.
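
The two hardening changes from this thread (restricting cipher suites, then dropping SSLv3 after POODLE), shown as an added mod_ssl example rather than the site's real settings. The cipher string is an assumption, since the thread shows the result only as a screenshot.

```apache
# Added example; these directives go inside the <VirtualHost *:443> block.

# Before (constructed to match the posts: every protocol and cipher offered):
#   SSLProtocol    all
#   SSLCipherSuite ALL

# After: SSLv3 is switched off, which removes the protocol POODLE targets.
SSLProtocol all -SSLv3

# Assumed cipher string: keep strong suites, drop anonymous, export-grade,
# single-DES, RC4 and MD5-based ones.
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5

# Use the server's preference order, not the client's.
SSLHonorCipherOrder on
```

Run `apachectl configtest` before reloading, then re-run the Qualys test to confirm SSLv3 and the weak suites are no longer offered.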

alex.s
October 17th, 2014, 11:56 PM
but poodles are so adorable :(

Alex
March 7th, 2015, 08:39 PM
I just updated our SSL cert; it was about to expire. I hadn't realized before that I could do these for multiple years, so the new one won't expire until April 2018.

alex.s
March 7th, 2015, 08:51 PM
didn't the max used to be 2 years? at least that's what my certs were when i bought them back then. it was through the hosting provider though so maybe if you go directly it's better?

Alex
March 7th, 2015, 09:05 PM
GoDaddy is allowing 3 years at this point, not sure if/when that may have changed.