The Core

Looking at setting up https on a wordpress domain.

I have never done it before.

Hosted on Debian Lenny.

The domain is registered with 123 reg.

Do I need to configure the server in some way? Or can I just buy an ssl?

123-reg.co.uk/ssl-certificates/

Somewhat baffled.

Thanks in advance.

Cheers

Registrar is immaterial here.

Certificates are installed on your server and yes, you must install it. How do you manage your server?

A few points...

1. If this is managed hosting or shared hosting, your host will do this for you. Just put in a ticket.

2. If you have somewhat higher privs, you can do this yourself through CPanel, Virtualmin, Plesk or command line, depending on what is available.

3. If you're on CPanel or Virtualmin, you can click a single button and it will install a Lets Encrypt Cert for free. I don't see any reason to buy a cert anymore unless you need higher levels of verification, and those get expensive (especially at the highest levels where they send someone to your location and pull all sorts of documentation).

4. Once you have the cert, you will be able to test it while still keeping the http version alive. Open your Dev Tools in your browser and open the console tab and load a bunch of pages. Do you get errors? If you have "mixed mode" you will - in other words, if you have a https page and an http stylesheet, that will throw an error and the stylesheet won't load. So you have to go through and update your base URL in Wordpress, any hardcoded links to stylesheets, JS, images, etc.

5. Once you've tested it an SSL is working, then you can set up your redirects and canonicalize on the https.

6. Finally - Google Search Console does not have a means of transferring a property to a new URL and this is a new URL. You will have to reverify for https and you will now have two, completely separate properties (possibly four if you verify for the www and non-www domains). Within a few months, your http property in search console will have zero traffic and all the rankings will be gone and you will forget and go look at it and have your heart sink and, hopefully, quickly realize that this is as it should be and switch to your live property.

The debian thing was a nause

Moved the domain to ubuntu 16 and it was done in 8 minutes with lets encrypt.

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

>>nause

I guessed this from context... but had to look it up
http://www.urbandictionary.com/define.php?term=nause

Anyway, glad you got it sorted.

I did thanks.

It took 15 minutes to move the domain to a modern server.

Then a few commands within ssh and it was sorted.

Pretty easy and free.

Thanks

I think it was you that mentioned LetsEncrypt, so thanking you :-)

Quote from: ukgimp on February 05, 2017, 02:22:02 PM
I think it was you that mentioned LetsEncrypt, so thanking you :-)

Yeah... just the two of us in this thread. I am amazed how easy LetsEncrypt makes this now. If you don't need extended verification (which is the term I was trying to think of in my original post but couldn't), basic TLS/SSL is *so* easy now.

QuoteLetsEncrypt

does that need resetting every 6 months or something?

Last time we were looking at freebees, there was a higher danger of it being forgotten I thought.

>does that need resetting every 6 months or something?
Every 3 months. But that is handled by a script and you get email warnings if a certificate for some reason is not renewed.

Thats the bit I find scary.. its something else to go wrong.

I am using Webmin / Virtual Min, you click a button and it auto renews Let's encrypt every 2 months. If there is ever any errors it mails me. If I forget, even after getting the emails, I have a month to log in and check before it expires.... so a decent safety net IMO

Ok good idea.

Putting it on a staging server apparently. See how that goes. Still seems a small saving on what could be a high cost error.

>Small saving

Agreed

>high cost error

Disagreed.... or rather I disagree that paying for the SSL certificate removes the error of it expiring. We had this last year and our SSL certificate expired. We didn't realise for a few hours, I was in Croatia and Richard was here in Blighty. Paying didn't stop the issue of a certificate expiring, and in actual fact if we'd have had Let's Encrypt and the automated renewal process set up, we'd never have had the problem... and saved a few bucks per year :)

For me it's not a matter of saving money. Lets Encrypt is simply easier to use

Quote from: JasonD on February 06, 2017, 06:43:51 PM
I am using Webmin / Virtual Min, you click a button and it auto renews Let's encrypt every 2 months.

Ditto - Webmin/Virtualmin, 3-month cert set to renew every two months.

Quote from: Torben on February 06, 2017, 08:58:35 PM
For me it's not a matter of saving money. Lets Encrypt is simply easier to use

The price I was getting certs for at Namecheap was so low, it wasn't a factor. It's the convenience more than the price that finally has me converting low-value sites over to SSL.

QuotePaying didn't stop the issue of a certificate expiring

Paying doesn't mean your cert won't go bad if a sysadmin at your host makes some change on a server that invalidates your cert (which happened to a client six months or so ago). But it did mean having to contact people, find out how to update and reinstall the cert (I forget the details, but it shouldn't have happened), and took the better part of a day to get it to stop showing a browser warning. In as much time as it took to craft the email saying something was wrong, we could have just issued a new cert with LetsEncrypt and been done with it.

Obviously, if you need Extended Verification and things like that, it's not a solution though.

New light.. thanks.

Yesterday I tried making my woocommerce checkout use https by ticking the box in the settings.
Wasn't working though as there were unsecured links to http resources.
Looking closer into it the theme I was using (flatsome) for some unknown reason would use http links when you changed the logo from the default.
Their reply, use this plugin - https://en-gb.wordpress.org/plugins/really-simple-ssl/
Now my whole site is https. Not sure if that's a good thing or not?

Worth having the whole site https imho

Apparently some ranking effect
Looks good to Jonny user
No warning (scare tactic) from browsers.

I've found it's easier to manage having a whole site SSL than just parts.

We used to go with just parts years ago because there was so much overhead in the SSL handshake and all that. Now, I wouldn't give that a second thought and just redirect everything as part of your domain canonicalization redirect. Something like


RewriteCond %{HTTP_HOST} !^(www\.example.com)?$ [OR]
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://www.example.com/$1 [R=301,L]


The %{HTTPS} flag is available in every version of Apache since at least 2.0. Can't help with other servers.

I you switch to https I recommend that you also make the switch to HTTP2, which is a more efficient protocol but only available in combination with https

Any good links  Torben?

Yea, I'm starting to warm up to the idea of https being site wide.
The only issue now is I'm being told I've brought a CA that a 3rd party service I use doesn't support, and now the web hooks I use won't work.
Is this right? I've never come across this before, but then SSL is a new territory for me.

>https2

Agreed but it's a weird one to work with and means a change from looking at raw text going through the http/s stream, many of us are used to. As a protocol it's binary only and a ratification of what Google used to call Speedy.

>The only issue now is I'm being told I've brought a CA that a 3rd party service I use doesn't support, and now the web hooks I use won't work.

That sounds like the 3rd party service is posting some data to you and their back end only has a subset of CAs installed for their code and clearly less than normal browsers do... If so... and presuming it's just them that post back to you, I'd mirror your back end code on another URL and IP restrict access to just their IP address or ask for what CAs they do support and get a certificate from one of them

This is the list they gave me - https://support.chargebee.com/support/solutions/articles/218485-accepted-ssl-certificates
TBH, I'm not too bothered as I'm moving away from them very soon. I was more surprised at the list as I wasn't expecting that.
Thanks for the info though, it's certainly another learning curve :)

Quote from: ukgimp on February 08, 2017, 09:10:32 AM
Any good links  Torben?

https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-with-http-2-support-on-ubuntu-16-04

> Chargebee list

It's quite comprehensive but far from complete. I understand why they do it they way they do, but.......

Just got this for one site:

https://www.screencast.com/t/2A9pIonbZhcC