https for logins and SSL certificate warnings


  • Question

I'm setting up a site where users will register and log in to view content through the built-in users capability of drupal. Currently, if they try to log in using http:// they get access denied - it only works if they use https://. Flushing caches doesn't seem to have any effect here.

My second question is if there's a way to either not have to use https:// at all, or if there's a way to use a real certificate. If I do have to use https:// to authenticate users, I'd prefer not to have the first thing everyone sees be that security warning about an untrusted certificate.

Thanks for your help! site:


There is a known issue with username/password logins that the development team is working on. Logins that use Touchstone are automatically sent through via HTTPS, while username/password logins are not being forwarded to HTTPS correctly, causing the error you describe.

The current workaround is to have users include the https in links to the login page, or to instruct users to type the URL into their browser that way.

As for the certificate warning, when your site is first deployed, it has a "self signed" server certificate so it can be up and running quickly. IS&T then applies for an InCommon certificate and installs it when it is ready. If you need to expedite that, please send a request to Once the InCommon certificate is in place, there will be no more trust warnings.