This was actually a tweet, not an email, and I’ll get to it later on in the post.
Essentially, a weird thing happened.
I’ve been setting up SSL for admin’ing my sites (because you should) and using a mix of Comodo SSL via Namecheap and StartSSL depending on the domain. But I also set up some Self-Signed SSL certs for other domains. In particular, this one.
Now. SSL certificates provide encryption between the two ends using the certificate. That’s all. They’ve never been able to verify who the two ends are, and all a paid-cert does is say “And I paid these guys to prove who I am” so now you’re ‘trusting’ three people. Maybe. The point is that there’s nothing wrong with a self-signed SSL certificate in specific situations.
If you’re messing with money or personal identification, you need to use a signed certificate. This isn’t even an option. But halfelf.org doesn’t do that and I really just wanted an SSL cert for a secure connection to my wp-admin dashboard. No big, right? So I did that, posted a new article the next day, and my buddy Mike said:
hey there, clicking on the article title from the email notification tries to force https:// and throws privacy error warning
What the what?
For some reason, the setup I had that works perfectly fine, no errors on ipstenu.org wasn’t working on halfelf.org, and the only difference was that self-signed certificate. Apparently the emails sent by Jetpack grabbed the https URL and while the server was set to redirect to http, users still got that moment of “Hey, this isn’t a real certificate.”
I know that a self-signed certificate means there’s no chain of trust, but it’s quite annoying that Google Chrome and other browsers flip out when you’ve done it. If it was just a warning “Hey, this site is secure but we can’t verify it…” that would be one thing. But what Chrome does is slap up a big fat warning and stop users, making it a double click through to get to the page, which forces them back to http anyway. Visitors may not trust my site to be safe, but frankly, that site wasn’t really meant to be ‘safe’ anyway. It’s safe on the back end for me. Not you.
It’s a complicated mess, and I can’t wait for Let’s Encrypt to take off. I’ll be installing that on my server ASAFP because the ability to self-sign without making browsers flip out.
To fix it for now, I turned off SSL over admin (which literally was all I’d done for WP) and picked up a legit certificate. But it’s rather stupid that the email sent from Jetpack decided it was meant to be https when it wasn’t, and that my site that forced http over https for non-logged in users wasn’t ‘enough to convince the browser they were in the wrong place.
Comments
One response to “Mailbag: Self-Signed SSL”
Another option is to stick CloudFlare up front and enable its Full SSL mode. After about a day, you’ll get a trusted SSL cert on CloudFlare, so your visitors get that trusted SSL experience — and CloudFlare will happily trust your self-signed SSL cert. Just don’t enable Full SSL (Strict) or CloudFlare will refuse to play with your self-signed cert!