more security excitement

Whoo. Spent a solid 8 hours yesterday getting SSL squared away on this Wordpress project.

That’s not entirely true. I also added an entirely different NodeJS app to the same machine, configured Apache to pass through connections to the Node app (a two-headed monster that is both an API for a goofy service, and the endpoint for a Slack notification system I cobbled together for myself).

After all of that, though, I went down the SSL hole. Getting the certs from Let’s Encrypt was pretty straightforward. Using the Apache docs to apply the right certs to the right VirtualHost seemed straightforward. Then I ran into the buzzsaw of redirecting HTTP traffic over to HTTPS.

There are one million blog posts about this; every one of them is very slightly different. I beat my head against the wall and tried probably two dozen variations on a theme, until I realized something.

The problem was at the domain registar level, not the local machine level.

Went to my registrar (Hover), added another DNS entry pointing WWW at the same IP address as the @ entry, and went to bed. (It was the last thing I thought of.)

In the morning, I dropped a simple Redirect into a VirtualHost for the ServerName, et vóila.

<VirtualHost *:80>
    Redirect /

There’s still more to understand; I think my certs are not perfect because when I use cURL to test everything, I get useful redirects from the www URL variants, but on I get a cert warning, curl: (51) SSL: no alternative certificate subject name matches target host name ''. The cert is checked before the server Redirect is reached; the cert doesn’t match, but in a browser (unlike the cURL command), the request passes through to the Redirect directive, and on being redirected the second request (to the WWW-less domain) does match the cert.

So it works, but I think could be impoved.

This entry was posted on September 26, 2018 with tags