./securedrop-admin sdconfig and get asked for the four lines: securedrop_app_https_on_source_interface: yes securedrop_app_https_certificate_cert_src: sd.crt securedrop_app_https_certificate_key_src: sd.key securedrop_app_https_certificate_chain_src: ca.crt
However, the script never asks for the key or the certificates.
Now I manually edited the “site-specific”, and everything else worked as intended.
Unfortunately I have to retract my statement about everything working. After installation of the certificate we are unable to get to the submit page.
Hitting the first SUBMIT DOCUMENTS-button works, but on the next page the SUBMIT DOCUMENTS-button or the re-generate token button leads back to the first page with an error message Your session timed out due to inactivity. The same thing goes for the CONTINUE button on the check for a response page (tested multiple times from different sources).
Reverted the change by setting HTTPS to “no” in the config, and now the page is working again. I will troubleshoot a little bit later, but any suggestions are appreciated.
Hey @jonas, I have a suspicion that modifying the Referrer-Policy in the source interface Apache config on the Application server might resolve the issue. Stop the Apache service (sudo service apache2 stop) and in /etc/apache2/sites-available/source.conf replace:
Header set Referrer-Policy "no-referrer"
Header set Referrer-Policy "same-origin"
And bring the service back up:
sudo service apache2 start
Try the source upload flow again. Let me know if this resolves.