I have installed Moodle 2.0 on shared hosted server. I had no problem with the installation; however, when i tried to create a course I get the error message: (Error code: ssl_error_bad_cert_domain). Now the hosting company wants me to spend $100.00 for an SSL certificate. Can someone verify that the ssl certificate is required? Is there an option in moodle to turn this off or work-a-round?
As you can see from my posting just below (and in other forums), I also have a similar problem with compulsory SSL in Moodle2 but my error messages are mainly when Moodle 2 uses SSL to verify a password when a guest logs in using one. I did also experience the need for SSL when setting up a new course but it depended on the browser used.
Camino on a Mac doesn't ask for SSL or give ANY error messages. Unique.
Safari gives error message but one can click "show certificate" and trust the settings (once or permanently). Firefox also allows one to make an exception.
Internet Explorer gives perhaps the biggest warning, but it also can be ignored.
My point is: I totally understand the need for security, but I want to start a campaign to Restore the option of not needing SSL (as in Moodle 1). If Moodle 2 developers are unwilling to provide this option, then a WARNING should be given to potential upgraders that they may need to Pay for an SSL cert for certain functions. I think this is a fair request.
Anyway, I'm seriously considering returning to Moodle 1 until this option is restored. I am pleased that someone else has found the same problem so keep posting your requests for improvement here. It's a small but very annoying problem which needs to be addressed ASAP.
John
I assume you can ignore these messages each time and click Continue?
I do like the new interface and themes of Moodle 2 but like you would prefer not to have to pay an extra 100 euro each year just for the guest login + password facility.
So I set up 3 new visitor users: visitor1, visitor2 and visitor3, each with a different password. Then I enrolled each user to a different course and removed their "student" role, replacing it with None. So I now have 3 different guest options but they must login properly (not as guest).
Moodle does not require an SSL certificate (unless you choose to install it on an HTTPS server).
I don't know what the error messages you are seeing mean, or where they come from, but I repeat: Moodle does not require an SSL certificate. Don't let someone sell you one.
Dear Tim,
I'm assuming you are speaking to Rich (and others) when you say Moodle does not require an SSL certificate. I would like to believe you (as I don't want to buy one) but I'm not fully convinced - unless my problem is caused by our Hosting company's settings.
Can you (or anyone else) please try this for me on Moodle 2: ?
Make a course available to guests but with a password/key.
Login as guest using this key.
When you enter the password and press Enter, does Moodle use HTTPS to verify the password?
If so, is there a message saying "can't verify the identity of this website" (Safari) or similar messages about "invalid security certificate" in Firefox or Internet Explorer?
If you don't get a similar security warning message from your hosted Moodle2, then I assume that there is no overall SSL setup on the server which is found by Moodle in your hosted Domain or Subdomain?
My Moodle site is on a Zeus server and there may be a different way the SSL is setup globally on the server. If you don't have this problem then I must contact my Hosting company to ask them to remove their cert from our domain if that's possible.
Hope this makes some sense,
John Bonner
P.S. I can understand that Rich is getting his error message as listed as I have experienced similar message when setting up a new course as Course Creator. Will try to recreate that error message as it's been a while since I saw something like it. Will report back if I find it.
Tim,
I trust your judgment and expertise. Unlike John, I am receiving an error when creating the course. I have no problem logging in as admin. However, I have not been able to test a student account since I am unable to create a course.
My provider, TMD Hosting, is telling me I need an SSL certificate at a cost of approximately 120 dollars per year. I am not installing Moodle on an HTTPS server and I don’t have any problems with my Moodle 1.9.10 installation.
That being said, where should I look for the problem? Is it the hosting company, or a Moodle install problem? Why would it work with 1.9.10 and not with 2.0.1?
Just want to say that I also trust your expertise and experience.
I also get the same "invalid security certificate" error when I try to create a course as admin. It seems to happen whenever https is required. Of course the error message can be ignored in both cases but it is annoying. The only browser which doesn't show the above error message is Camino on a mac.
So this happens on Moodle 2 but not in Moodle 1.10, where guests go through the enrol process. I notice it doesn't happen when I install Moodle 2 for windows (XAMPP) or in a Fedora Linux installed in VirtualBox on Windows. I suppose localhost installations won't have a security cert anyway. However the XAMPP version doesn't go to https for guest login with password - it just uses http. STRANGE!
John
You need to try to find which bit of Moodle configuration is making it try to use https. It should not be doing that.
Thanks for welcome advice. Will need to make a list of possible moodle pages to check for https setting. Could a database or config file need to be modified?
John
Just had an idea. It seems we both have more than one moodle installation installed in our domains and both versions available. Could that have caused the https setting? Just a thought. John
First to correct one thing I said earlier. Camino browser wasn't giving the SSL error because I had saved the site as an exception. I had forgotten this. Sorry for confusion.
One thing I noticed in Tim's earlier comment:
"Moodle does not require an SSL certificate (unless you choose to install it on an HTTPS server)".
What is an HTTPS server? Does this mean that a program is installed on the server which would make some logins+password (or admins setting up courses) use https+SSL - and that if the setting were removed from the server then HTTP would be used at all times and site certificates would no longer be checked or required?
John
My previous remark was a bit of an oversimplification, because I could not be bothered to explain fully.
The thing is, the Internet is really quite well designed. There are lots of independant parts that just plug together to achieve the overall effect, and it all works because of various standard protocols.
The bits are roughly:
+--------------+ +-----------------------------------+
| Client | Network protocol | Server (Apache+PHP, IIS+PHP, ...) |
| (IE, FF, ...)|<-------------------->| +--------------------------+ |
| | (HTTP, HTTPS, ...) | | Moodle | |
+--------------+ | | | |
| +--------------------------+ |
+-----------------------------------+
Note in that diagram, that the network protocal only touches the client (the users's web browser) and the server. Moodle is sitting inside the web server, and does not really care how the data is sent down the tubes. The server handles the details of that. Moodle just sees a request for a particular URL, and sends back some HTML (and JS, CSS, ...).
Actually, there is one place where Moodle affects thta. How does the user's web browser decide which protocol to use? Well, that depends on the URL it is trying to request. Depending on wether that starts HTTP or HTTPS, the client will use one protocol or the other. As part of the output it generates, Moodle output URLs (links) that the user may click on. So, by outputting either HTTP or HTTPS urls, Moodle will determine whether the client users HTTPS in future.
Now, by default, Moodle does not use HTTPS. There are some settings that affect this, including $CFG->wwwroot in the config.php file, and "Use HTTPS for logins" under Site policies.
The difference between HTTP and HTTPS is pretty small, since HTTPS is built on top of HTTP. Actually, it is HTTP wrapped inside SSL, or TLS as I think it is more properly called. That gives you two additional bits of security.
A. It makes it impossible for anyone to see that data that is flowing backwards and forwards. HTTP is like a glass pipe. Anyone who can see the pipe can peak at the data flowing inside, and may be able to spot things like passwords as the pass. (This is why you may wish to turn on the HTTPS for logins setting.) HTTPS is like an armour plated pipe. No one can see it, only the client at one end and the server at the other can see the data.
B. HTTPS can guarantee to the client that the server is who it says it is. This is the bit where the certificate comes it. The server owner buys a certificate from a trusted source, and the client can check the certificate aginst the list provided by the trusted source when it connects. This prevents a malicious user from setting up a server that pretents to be your server, and tricks users into sending their password or credit card detials to the hacker's server.
Now in theory, it should be possible to use the A part of HTTPS without the B part, but in practice it is not. The reason for that is to do with keeping people safe. Because people send really sensitive information (like bank deatails, credic card nubmers) over HTTPS, and becuase of phishing attacks, broswer makers and banks wanted a really clear message to tell users to keep them save. The message is, look for the security icon in the URL bar before you typein sensitive information. In this case it is important to have both A and B, and as a result, web browsers now give very promenant warnings if you try to do A without B. Enough phishing attacks have tried to do that, so it cannot be allowed to just work.
I hope that makes it clearer.
Thanks for explaining the need for SSL so well. From many postings on various forums in the last month (including my own), it is confirmed that others are experiencing the same annoying Site Certificate error message. This happens when (a) creating a new course and (b) logging in as guest with password.
I accept that many others don't have the problem and must assume that it's due to their particular hosting server setup. However, Moodle 2 has changed its settings to cause this annoying feature. Somethnig is calling HTTPS (despite settings to the contrary) and I would ask that developers do more work to isolate what's causing it and make a fix or workaround.
Just found another forum with a similar posting:
http://moodle.org/mod/forum/discuss.php?d=163171
So I sign off for now on the subject with suggestions for those annoyed by the "HTTPS bug" as it must be called.
1. Don't use guest login with password. It will drive your guests mad.
2. If you do get the "site certificate" error, tell your students to add the site as an exception in their browser. This will also stop the same security message appearing when Course Creators are creating a course.
3. If you need guest access, just set up a "visitor" account with password. You can then add the user to your course(s) and delete the "student" role if desired.
4. Put a message explaining this on Frontpage, if desired.
5. Stick to Moodle 1 if you prefer.
Thanks,
John
The thing is, this does not happen to everyone. So far, none of the developers have been able to reproduce this on one of their test servers. If you can't make this happen on a server where you can poke around under the hood, then it is almost impossible to fix.
So, we know it happens on some servers and not others. Therefore, it must depend on some server setting(s). The key thing is to track down what that setting is, and then we can work out how to fix the bug that setting triggers.
Tim, Thanks. Now we're getting somewhere. I looked at the demo.moodle.net site and was able to set up a course, allow guest access with password. There were no HTTPS calls or SSL site certificate errors. I see Moodle's demo site is on an Apache 2 server. It has all the requirements - including xmlrpc and intl (both of which my hosting company doesn't provide), but I assume they're not essential for ordinary use. Also PHP 5.2.13.
My Server is a Zeus, (not used a lot for Moodle?) with load balancing, - where the System address changes often e.g. Linux bedtime.server.net to Linux somethingelse.server.net. - PHP 5.2.11 ( all found in Server/PHP Info)
MySQL 5.1.40. Not sure if this makes any difference.
Can you check that SSL site certificate is not installed on the Main server hosting the demo.music.net site. I'm assuming it doesn't support HTTPS?
Perhaps we could ask Moodle users who have this problem to supply details of their server specification. Then we might see what they have in common, and perhaps get the problem solved.
Thank you very much for your advice.
John
I am also getting the exact same issues with the not trusted actions whilst suddenly looking for https pages. I am also on a shared hosting zeus machine.
It is very annoying and very sorry I upgraded. Seems its only on hosting accounts rather than local machines etc
In reply to Edward Williamson
Re: Is an SSL Certicate required for Moodle 2.0
by Edward Williamson -
|
PHP Version 5.2.11 is my version if thats any good? |
That PHP version should be fine.
Zeus servers are currently emerging as the common factor. From a quick Google it looks like that is not open source software that anyone could install on their computer for debugging purposes
Next Problem I am having is editing the settings on a course, when I put a pasword in for a particular course, it looks for an ssl cert, when I click it to ignore and continue, it does but won't save the password.
Really want to go back to Moodle 1.9 at this stage.
It should be possible to add an exception (or whatever the browser calls it) so that the "invalid site cert" is trusted and saved in your browser's settings. What browser and operating system are you using to access Moodle 2 site?
John
I'm learning a lot from reading this thread. Thank you to all who are contributing. After Tim's great explanation of the differences between HTTP and HTTPS, I wrote to my hosting company for a further explanation as to why I needed the SSL certificate. This is their reply:
"Thank you for getting back to us.
However please note, that there are some core changes in your Moodle where some URL's are accessed only via the https:// protocol. We have other clients using Moodle which have similar issues, however I'm afraid that this cannot be turned off as we have already tried. Please note, that the previous 1.9 version did not have such issues and worked just fine. I'm afraid that you can either purchase a SSL certificate in order to have fully functional Moodle 2.0 or we can provide you with Moodle 1.9, which as I have mentioned does not have these issues and does not require SSL certificate."
As you can see, I'm not any closer to resolving this problem. I agree with Tim's statement. If you can't replicate the problem then you can't resolve it. I wonder if it's a shared server issue. Tim, have you tried replicating the problem in a shared/hosted environment? I would be willing to give you access to my hosted site. Who knows, maybe the developers or tech people at my hosted site modified the install scripts in an effort to generate additional revenue.
Also, did you notice the tech support reply indicated they were having the same issue with other clients using Moodle 2.0x.
Any thoughts or comments would be appreciated.
I have been posting on this topic since December and see that others have also asked similar questions in various forums.
As Tim says, the problem can't be tested on a non open-source server, so I visited the Zeus website. http://www.zeus.com/downloads/index.html
It is possible to download trial versions of Zeus web server as they will give a 30-day licence for demo/testing etc. I first looked at their Traffic Manager desktop demo and installed it in a VirtualBox. Guess what: It uses a https address by default. It was interesting to look at. Offers the possibility of Virtual servers and other things.
I'm just applied online for a full version demo licence for the ZWS (web server) and hope to install it in a Linux PC (while disabling Apache) to see if I can tweak it. I'm not optimistic but we'll see.
However, the most useful information is found in their installation and user manuals in pdf. Looks to me like it's not going to be easy to adjust SSL HTTPS settings but I'll have a look. Perhaps we should have a seperate forum for this or for Zeus hosted sites?
BTW, Mary the invalid site certificate" message is from your browser, not Anti-virus. You can ignore it each time and proceed, or add it as an exception in Firfefox or Safari. Hope this helps a bit.
John
Sorry, The reply to Mary should have been in the Installation forum.
John
Forgot to add that the download page for Zeus User Guides is
These may be useful. See the section on SSL and soft Virtual Servers.
John
I don't have the time or inclination to try to fix this myself. I am just trying to be helpful.
Even though their tech support have not yet been able to track down the problem, I am still sure it is something relatively simple. It is a bug that some URLs will only work over HTTPS, and it would be good to get it fixed.
Hiya, Not to get off topic but...
I just wanted to post here for anyone who happens to read this post, that as a developer and host I purchase SSL certificates from godaddy for $12.99/year. When a client needs one I google "ssl certificate". The first sponsored listing is usually godaddy advertising SSL for $12.99/year. You can buy up to 5 years at this rate. It's the best deal around. ]
Definitely not the browsers causing the problem on my end. Tested in Chrome, IE, and Firefox. All show https...
I can manipulate the form action using Firebug in Firefox by changing https to http and then the action works perfectly fine.
I have access to a Enterprise LiteSpeed™ Web Server. I read the entire post above about server issues. It seems to be an issues for a lot of people.
Server
LiteSpeed V5.4
PHP Version 5.2.14
Hello,
the problem is that LiteSpeed and Zeus may not always return the same information in global $_SERVER variable as Apache, each server may be configured in a different way and there are multiple ways to set up PHP on these servers.
The fix will be probably trivial but I can not do it unless I can test the behaviour myself on the problematic server or somebody else does that. We may be able to work around some problems but it may be also necessary to fix the server configuration.
Petr
(the developer responsible for the related changes in 2.0)
the problem is that LiteSpeed and Zeus may not always return the same information in global $_SERVER variable as Apache, each server may be configured in a different way and there are multiple ways to set up PHP on these servers.
The fix will be probably trivial but I can not do it unless I can test the behaviour myself on the problematic server or somebody else does that. We may be able to work around some problems but it may be also necessary to fix the server configuration.
Petr
(the developer responsible for the related changes in 2.0)
Hi everyone, like Grant did, I have manipulated the form action using Firebug in Firefox by changing https to http and then the action works perfectly fine. Do you want to know what I think about this issue ? I think this is a malicious way from hosting providers to sell SSL certificate to there customers. They do offer to install Moodle for you with Softaculous but the original software has been modified to call https among all its administrative forms. Moodle does not require an SSL certificate once again, I have installed Moodle 2.0 manually on Godaddy shared server without any problem of this kind right after I have found this issue with TMD. This is my opinion, have a nice day.
No, it is just a bug with Moodle on certain sorts of web servers, not a conspiracy.
(Or, did they pay me to say that )
Well I will confirm Alain's theory regardless as I used my hosting providers prebuilt 2.0.1 installation of Moodle.
Otherwise I really hope someone sorts this issue out sooner rather than later.
Just finished complete install from Moodle download.
Completed install and still having https issue.
I have made some changes in the https detection, please try the next weekly that will be released sometime later tomorrow or better git snapshot from the integration server git://moodle.org/integration.git and report if it helped.
Petr
Petr
THanks Petr, I will try tomorrow and report back!!!
I await this with a lot of hope. the https is driving me and all the Teachers crazy.
Between this and the ajax php error, moodle 2 is giving me headaches......
Petr, latest update seems to fix https issue!
It is very late but at a first glance it seeems to be working. I will confirm in more detail tomorrow.
Again, thanks for the update. I have a feeling this will make a lot of people happy!
Cheers,
Grant
Thanks for the testing!
Tried this on zeus server shared hosting and again seems to have fixed the https issue. Teachers are doing more rigorous testing but so far so good.
Thank you for your efforts Petr. I had a tracker open on this issue which you were dealing with which I think can now be changed to solved.
I have done more testing throughout the day and I am quite confident that this absolutely annoying problem is now gone. Well Done and thanks for getting this solved, I think a lot of people will be very happy with this fix.
I also want to add my voice to thank Petr for fixing the "https error" problem.
In my efforts to find a workaround, i.e. change all https requests on my domain to point to http (using a script or setting change), I downloaded demos of ZWS (Zeus web server) and also the load balancing software ZXTM. From asking on a forum (www.webhostingtalk.com), I got some helpful advice from one user. Each virtual site has 2 ports 80 and 443. The plan was to change the backend 443 to 80 also.
I was about to request that my hosting provider make such changes when by chance I had another look at this forum posting. I can't believe you finally fixed the problem! I have done the update and tested it. It works just fine and now I can re-enable guest login and allow course creators to create again without being directed to the https and site certificate error.
So I don't need to contact my hosting company now.
Thanks again for sorting this problem which has annoyed me since Christmas.
Best wishes and thanks to all,
John
In reply to John Bonner
Re: Is an SSL Certicate required for Moodle 2.0-LiteSpeed
by Nick Cusumano -
Hi,
I have been wanting to use moodle 2.0 for my classes. I am having the same issue with the ssl certificate problem. I was excited to see that it had been fixed. My hosting service will not update to Moodle 2.0.2 until they have verification that the fix will work for their shared hosting machines use LiteSpeed.
If you could please tell me if the fix applies to the LiteSpeed machines.
Thank you
Nick
In reply to Nick Cusumano
Re: Is an SSL Certicate required for Moodle 2.0-LiteSpeed
by John Bonner -
You have a catch 22 situstion here. Litespeed is not open scource so it's difficult to test. Perhaps you could post on the Litespeed site's forum or just pretend that the fix does solve the problem. I think both Zeus and Litespeed use similar techniques - e.g. load balancing, virtual servers (on shared server space) etc. and Litespeed is a bit closer to apache than Zeus so the fix should solve the problem.
You could try a new posting in the General problems forum and /or send a query to the Litespeed site. If you don't get any response I would just pretend to your inflexible hosting company that it does fix the problem. It certainly won't make it worse. I've no idea what it costs in time and effort to update the automatic scripts like Softaculous to Moodle 2.0.2+ (latest).
John
You could also post on webhostingtalk.com. Choose the correct forum.
It has a lot of users and somebody there may be able to help.
John
It's not required, but using SSL is becoming best practice. See the discussion in http://moodle.org/mod/forum/discuss.php?d=161491 for more details - You may want to buy the SSL certificate and make your site HTTPS only to avoid potential session stealing issues.