Questions and discussion about using ProcessMaker: user interface, running cases & functionality
By atuly7
#793201
Hello,
I tried to install the server certificate, which is in the apache2/conf folder.
After that, I tried to log in to ProcessMaker and it gives the following error in Chrome.

This page includes a password or credit card input in a non-secure context. A warning has been added to the URL bar. For more information, see https://goo.gl/zmWq3m.
[Attachment: 10.png]
When I insert credentials for a user and click on LOGIN, it shows me the above error.
This is happening with every user. How do I solve this problem?
And one more problem:
Cleartext Password over HTTP
Vega detected a form with a password input field that submits to an insecure (HTTP) target. Password values should never be sent in the clear across insecure channels. How will I send the password in an encrypted format over HTTP?
Is it anything related to coding?
Thanks & Regards
By amosbatto
#793213
If you want security, you need to use https, not http. There is no way to have any real security with http if you are using passwords. You can do some things but there are always security holes with any http solution.

First read the documentation on SSL/TLS for version 2:
http://wiki.processmaker.com/index.php/ ... _SSL.2FTLS

In PM 3, your pmos.conf file should look something like this:
<VirtualHost localhost>
    ServerName "localhost"

    DocumentRoot /opt/processmaker/workflow/public_html
    DirectoryIndex index.html index.php

    # SSLEngine and SSLCertificateFile are only valid in server config or
    # virtual host context, so they sit here rather than inside <Directory>.
    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem

    <Directory /opt/processmaker/workflow/public_html>
        Options Indexes FollowSymLinks MultiViews
        AddDefaultCharset UTF-8
        AllowOverride None
        Require all granted
        ExpiresActive On

        # SSLOptions is allowed per directory.
        SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

        <IfModule mod_rewrite.c>
            RewriteEngine On
            # Send every request that is not an existing file to app.php.
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^.*/(.*)$ app.php [QSA,L,NC]
        </IfModule>
        AddOutputFilterByType DEFLATE text/html
    </Directory>
</VirtualHost>
Change /etc/apache2/apache.pem to where you have your certificate file.
By atuly7
#793221
Thank you for the reply.
I forgot to mention I am using Bitnami ProcessMaker Community Edition 3.1.
So, there is no need to add this code. I have to uncomment this line in the httpd.conf file:
Include conf/extra/httpd-ssl.conf

But it's not working and is showing this error.
[Attachment: 111.png]
Thanks & Regards
By amosbatto
#793226
First of all, check that your certificate file is readable by Apache (i.e., you don't have file permissions blocking it).

Did you create your certificate yourself or did you get it from a known SSL certificate provider? Google isn't able to validate it. You might want to read about your certificate provider: https://www.sslshopper.com/certificate- ... views.html

By the way, if you need to use your site, click on the "Advanced" button in your web browser when you see this error and there should be an option to add an exception for your site, so you can use it.
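The checks asked for in the reply above (is the file readable, was the certificate self-created), plus expiry and hostname match, as an added example that is not part of the original thread. It uses the openssl command line; the function name `check_cert` and the finding labels are invented for this example, and "self-signed" is decided by comparing the subject and issuer name hashes.

```shell
#!/bin/sh
# Added example: triage a PEM server certificate before pointing Apache at it.
# Prints "ok", or a space-separated list of findings, and returns:
#   0 = no findings, 1 = findings, 2 = file could not be checked at all.
check_cert() {
    cert=$1; host=$2; findings=""

    # [ -r ] tests the *current* user, so run this as the account Apache
    # runs under to reproduce a permissions problem.
    if [ ! -r "$cert" ]; then echo "unreadable"; return 2; fi
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "not-a-certificate"; return 2
    fi

    # Identical subject and issuer name hashes: the certificate was issued
    # by itself, so a browser cannot chain it to a CA it already trusts.
    s=$(openssl x509 -in "$cert" -noout -subject_hash)
    i=$(openssl x509 -in "$cert" -noout -issuer_hash)
    if [ "$s" = "$i" ]; then findings="$findings self-signed"; fi

    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        findings="$findings expired"
    fi

    # -checkhost reports whether the name users type matches the certificate.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q "does match certificate"; then
        findings="$findings hostname-mismatch"
    fi

    findings=${findings# }
    if [ -z "$findings" ]; then echo "ok"; return 0; fi
    echo "$findings"; return 1
}

# Stand-alone use: sh check_cert.sh /path/to/cert.pem host.name
if [ "$#" -eq 2 ]; then check_cert "$1" "$2"; fi
```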
By atuly7
#793252
I am using a self-signed certificate.
There is no option to add an exception for the site.
