Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: ssl

  • SSL Intermediary Certificates

    SSL Intermediary Certificates

    Every now and then, my Android friends tell me my store won’t work on their phones.

    Android warning: Your connection is not private

    Now my store works on Chrome, Firefox, Safari, and IE. I get a green lock, which is what you’re looking for on Chrome, and SSL Labs comes back … with varying results of stupidity. I tend to get this:

    Unexpected failure – our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can’t provide accurate results, which is why we fail.

    Now this is a ‘valid’ failure. I have one IP and a multi-domain certificate (ipstenu.org, mothra.ipstenu.org, store.halfelf.org). It’s stupid, mind you, since sometimes it works and sometimes it doesn’t and it gives me a headache. If you look on Digicert or SSLShopper, they both come back just fine. I’ve started to think that the SSL Labs cache is drunk. I’m going to assume I’m okay based on sslcheck, which gives me a B because it can’t tell if I patched for BEAST (I did).

    That said, I did some research and determined I was not the only person having this issue specifically with a Comodo cert! As it happens, the issue was in part due to a missing intermediate certificate in my file: my server was sending only my own certificate, not the intermediate that links it back to Comodo’s root. If a visitor has already been to another site that uses the same intermediate, their browser has it cached and fills in the gap itself. Sounds great, right? The site loads faster! But a visitor who has never seen that intermediate has nothing to fill the gap with, and the connection fails with a trust error.

    But why does this only happen on an Android phone? The browser on your big computer keeps a whole mess of intermediate certificates it has seen before, and can usually fetch a missing one from the URL the certificate itself advertises, so it quietly repairs a short chain. The stock Android browser does neither: it trusts only what the server actually sends, so a missing intermediate is fatal there.

    To solve a missing intermediate certificate, your server has to send the intermediate along with your own certificate, which means adding it to the certificate bundle on the server. This is a little annoying with cPanel/WHM, because I can only do it as root. I’d previously added everything via cPanel as my ipstenu.org login, because it was per domain, right? The trick here is that I can’t just paste in my own certificate; I also have to grab the other two certs that came with it:

    Two More Certificates!

    Notice how there are four? The first one is my certificate, the one I pasted in. The second is my Root certificate; leave it alone. The bottom two I had to add at the bottom of the cert page, where it says “Certificate Authority Bundle (optional):”. I pasted their contents in, one after the other, and saved. In my case, I was so annoyed I deleted them all and re-added everything, pasting in the main cert and using auto-fill, and then manually adding in the bundle.

    I do find it interesting to note that this only failed on Android phones, though.
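    A way to catch this on the server before an Android user reports it, as an added example (this is not code from the original post): the script below splits a PEM bundle, checks that it is ordered leaf first with each certificate’s issuer matching the next certificate’s subject, and then verifies the leaf against the root using only the intermediates in the bundle, which is exactly what a client with no cached intermediates has to do. It needs the openssl command-line tool. The root, intermediate and store.example.test certificates it builds are constructed throwaway material so the checks run offline, not real certificates; served_chain_count is the only function that touches the network and is the one to point at a real host.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a PEM bundle the way a
# client with no cached intermediates (the Android case in the post) sees it.
# Requires the openssl command-line tool.
set -eu

# Split BUNDLE into OUTDIR/cert.1, cert.2, ... in file order; print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." n }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# Succeed only if BUNDLE is leaf-first and each cert is issued by the next one.
# TLS requires this order, and strict clients reject an out-of-order chain even
# though "openssl verify" accepts the same certificates in any order.
chain_is_ordered() {
    dir=$(mktemp -d)
    n=$(split_bundle "$1" "$dir")
    ok=0
    if [ "$n" -ge 1 ]; then
        ok=1
        i=1
        while [ "$i" -lt "$n" ]; do
            issuer=$(openssl x509 -in "$dir/cert.$i" -noout -issuer)
            subject=$(openssl x509 -in "$dir/cert.$((i + 1))" -noout -subject)
            # Drop the "issuer=" / "subject=" labels before comparing the names.
            [ "${issuer#issuer=}" = "${subject#subject=}" ] || ok=0
            i=$((i + 1))
        done
    fi
    rm -rf "$dir"
    [ "$ok" -eq 1 ]
}

# Verify LEAF against the trusted ROOT using only the intermediates found in
# BUNDLE. With the intermediate missing from BUNDLE this fails with "unable to
# get local issuer certificate", which is the failure the Android users hit.
verify_with_bundle() {   # verify_with_bundle ROOT BUNDLE LEAF
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Live check (the only network call here): count the certificates a server
# actually sends for HOST. -servername matters on an SNI host like the one in
# the post; without it you may be shown a different site's chain.
served_chain_count() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Build a constructed root -> intermediate -> leaf chain in DIR (throwaway keys,
# assumed names) so the checks can run offline, plus the two broken bundles.
make_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:store.example.test\n' >"$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=store.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" >"$d/full.pem"      # what the server should send
    cp "$d/leaf.pem" "$d/leaf-only.pem"                 # the post's broken setup
    cat "$d/int.pem" "$d/leaf.pem" >"$d/reversed.pem"   # right certs, wrong order
}

# Run the three bundles through both checks and print a verdict for each.
demo() {
    d=$(mktemp -d)
    make_test_chain "$d"
    for b in full leaf-only reversed; do
        chain_is_ordered "$d/$b.pem" && order=ordered || order=UNORDERED
        verify_with_bundle "$d/root.pem" "$d/$b.pem" "$d/leaf.pem" && v=verifies || v=FAILS
        printf '%-10s %s, %s\n' "$b" "$order" "$v"
    done
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

    Run it with --demo to see the three cases side by side: the leaf-only bundle is trivially “ordered” but fails verification, which is the bug in the post, while the reversed bundle verifies under openssl yet fails the ordering check, which is the case a strict client rejects. For a deployed site, compare served_chain_count against the number of certificates in the bundle you installed; a count of 1 means the intermediate never left the server.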

  • SSL for One Domain on Multisite

    SSL for One Domain on Multisite

    To start with, I made a mistake and assumed, bad me, that the Terms of Service that let me collect donations for my ebooks would similarly be okay with collecting payments for said ebooks. Alas, no. “Digital goods including digital currency” are not permitted, and that was my bad. It resulted in me losing my entire account and having to fight to get my customers their money back.

    Meanwhile I decided to get started on making an easy way for people to pay and stay on my site (like Stripe), and this, no matter what, means I need to have SSL.

    Normally that’s not too much of a problem, but my store happens to be a subdomain of a mapped domain on a multisite. My WordPress install is at ipstenu.org. This site is actually tech.ipstenu.org, and my store (store.halfelf.org) is actually hshop.ipstenu.org (stands for HalfElf Shop…). I used domain mapping to point halfelf.org to tech.ipstenu.org, and store.halfelf.org to hshop.ipstenu.org. While I could just edit the site and home URL in the ‘Edit Site’ page, domain mapping is needed in order to tell WordPress that the domain is really a thing.

    Setting all that up was the easy stuff, though. The SSL part was something I’ve poked at before and given up, since multiple domains and one SSL cert is a pain in the ass. But today, if you go to the Half-Elf Warehouse, you’ll see it’s all SSL! (NB: It was. It’s now only SSL on pages that need SSL, to allow for better caching.)

    You will need….

    SSL Certs

    This is the easy part. You need an SSL certificate for the domain you need to protect. If this is the only domain you want to add this on to, it’s relatively easy. If you need to add SSL on to multiple domains, check with your webhost.

    I actually have multiple SSL certs. The problem with multiple SSL certs is that a wildcard one for subdomains costs around $300 (this is on Comodo), and I have three domains I need to protect on one server… Oh. Wait, wasn’t this a problem before? As it happens, I’ve got SNI on my Apache instance now, so that was fixed. I picked up a cert for store.halfelf.org and set it up, done. Except…

    Add-on Domain

    Why this? Well, it’s funny. I used to always tell people ‘Use Parked Domains, it’s way easier’ and this is still true, it just has a caveat of ‘unless you’re trying to use SSL.’ Now that I am, I hit a sticking point where a parked domain cannot have its own SSL cert, but an add-on domain can. This was a simple fix. I deleted the parked domain and flipped it to an add-on domain. Then I added the certificate in for my site and now I have https on ipstenu.org and store.halfelf.org but not halfelf.org. Why? Because halfelf.org and store.halfelf.org are separate add-on domains. Had I bought a wildcard cert for halfelf.org, I could have made halfelf an addon, and store.halfelf a parked domain on top of halfelf, but this works too.

    The other option, of course, is a multi-domain cert, which is too much money for my tastes, and I don’t need it all the time. I have SNI, which makes this so super easy for me, it’s silly. Just add the cert for the domain and have a party.

    WP-Config

    But today I only want to force one of my mapped domains to be SSL:

    // Only the store is forced onto https. HTTP_HOST is the Host header the
    // client sent, so compare it exactly against the host you expect.
    if ( $_SERVER['HTTP_HOST'] === 'store.halfelf.org' ) {
        define( 'FORCE_SSL_ADMIN', true );
        // FORCE_SSL_LOGIN was folded into FORCE_SSL_ADMIN in WordPress 4.0;
        // it still does the job on older versions and is redundant on newer ones.
        define( 'FORCE_SSL_LOGIN', true );
    }
    

    No, that was it. If it’s two domains, it’s this:

    // One block per host, each with the same defines inside the braces.
    if ( $_SERVER['HTTP_HOST'] === 'store.halfelf.org' ) { ... }
    
    if ( $_SERVER['HTTP_HOST'] === 'ipstenu.org' ) { ... }
    

    and so on and so forth. Why not using an OR check? Because it failed miserably when I did that. I suspect it’s due to ipstenu.org being my main domain, but I was tired and stopped here.

    .htaccess

    Okay, now I want my domain to default to SSL when people visit too!

    # Only the store host is redirected; the other mapped domains stay on http.
    RewriteCond %{HTTP_HOST} ^store\.halfelf\.org$ [NC]
    # Only when the request did not already arrive on the https port.
    RewriteCond %{SERVER_PORT} !443
    # R on its own is a temporary (302) redirect; change it to R=301 once you
    # are sure the rule is right, so browsers and search engines remember it.
    RewriteRule ^(.*)$ https://store.halfelf.org/$1 [R,L]
    

    That was easy.

    WordPress SSL

    What about making everything on my page load SSLish? Install and activate? That was it? Oh. Okay.

    Verify!

    https://store.halfelf.org

    Hey! Looks good! Actually I’d had a problem when I first ran this.

    Chrome's Warning for SSL

    Yeah, that little yellow triangle. What the heck did it mean? I trotted off to Why No Padlock? and got an error:

    SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
    ERROR: no certificate subject alternative name matches

    That didn’t help me at all, so I viewed page source and looked for http://store and didn’t find anything. Then I looked at the console and saw that it had an error on some JS:

    //Moral? Always read the ToS.