Mostly Harmless

Mostly about my amusement

Tag: SSL

With very little effort I replaced my existing SSL cert which was SHA-1 based with a SHA-256 version for free.

The SHA-1 Sunset Tool makes it easy to find all of your SHA-1 certificates. Enter your domain name to find affected certificates and upgrade to SHA-256 with a free DigiCert certificate.

via DigiCert SHA-1 Sunset Tool: Find & Replace SHA-1 Certificates.

It’s a neat offer. I could have asked my existing SSL cert provider but I wanted to see how well this works. The instructions and validation steps were very simple.

Fixing my SSL based shortlinks

If you look at the HTML source for this NGINX post I wrote you’ll find this code.

<link rel='shortlink' href='http://wp.me/pLamj-2Lz' />

Which was inserted when I published the post via Jetpack. Shortlinks are cool.

But if you use curl -LI on that wp.me URL you see that it goes http -> http -> https which irks me.

$ curl -LI http://wp.me/pLamj-2Lz
HTTP/1.1 301 Moved Permanently
Location: http://blog.dembowski.net/?p=10637

HTTP/1.1 301 Moved Permanently
Location: https://blog.dembowski.net/?p=10637

HTTP/1.1 301 Moved Permanently
Location: https://blog.dembowski.net/2014/i-am-nginx-and-so-can-you/

$

I like https based URLs because I want the communication between my web server and your web browser to be encrypted.

My web server does 301 redirect the browser to the https version but I don’t want any plain text http in the mix. It’s not Jetpack’s fault, I’m passing the non-SSL URL to it to get the shortlink.

Having the shortlink point to a plain http URL doesn’t fit well with my tin foil hat. Since my web sites are SSL enabled there is no reason to use unencrypted http anymore.

YOURLS to the rescue

I am pretty sure that Jetpack’s URL shortner will handle SSL based URLs in a friendly encrypted way but I’d rather use YOURLS.

YOURLS stands for Your Own URL Shortner and I’ve been using my own installation for years. In December I blew up my multisite and disabled my YOURLS plugin (and several other things). Today I made a subtle change to my shortlink installation’s config.php file.

This line

define( 'YOURLS_SITE', 'http://dn7.me' );

was changed to this with https.

define( 'YOURLS_SITE', 'https://dn7.me' );

And just like that my short URLs are now SSL based. The old http shortlinks continue to work fine.

I previously used Ozh’s plugin but the plugin Andrew Norcross created is recommended by many and I  switched to that one. It’s really easy to use, you  just fill in 2 fields and click the check boxes.

WP-CLI  should be used in all the things

I could not find where the heck my URLs were being generated as non-SSL. If I asked in the forums or looked at the wp_get_shortlink() source code I am sure I could figure it out. But I’m lazy and instead I just used wp-cli like so.

cd /to/my/multisite/directory
wp db export ~/save-me.sql
wp search-replace 'http://blog.dembowski.net' 'https://blog.dembowski.net' --network

The export command was my safety net incase my backups aren’t as good as I think they are. If this hurt anything then I could put the database back right before I munged it up.

Today I published a post and it has this code and shortlink.

<link rel='shortlink' href='https://dn7.me/2ou' />

Looking at that with curl reveals this.

$ curl -LI https://dn7.me/2ou
HTTP/1.1 301 Moved Permanently
Location: https://blog.dembowski.net/2015/good-product-integration-is-important/

$

The https URL sends a 301 to the destination https URL with nothing else to see. My tin foil hat is now even a little tighter.

You do know that you use Jetpack, right Jan?

I’m not really concerned about data leakage and this really is just an excercise for me. I like Jetpack and understand the implications of continuing to use it.

When you setup a  web server the default port is 80 without any encryption. SSL on port 443 needs to be configured and turned on manually with x509 certs. Wouldn’t it be great if you could do away with HTTP and just use HTTPS? That’s part of what Let’s Encrypt is trying to accomplish.

As a service it’s supposed to be available mid-2015 and I can’t wait to see how that goes. Encryption everywhere is a great idea  and in the 21st century there’s no excuse not to use it.

I may have broken my Feedburner feed

After I converted my WordPress install to 100% SSL I noticed that my own feeds in Tiny Tiny RSS were not updating. Years ago I forwarded my RSS feeds to Feedburner and 301 redirects from https://blog.dembowski.net/feed/ https wasn’t working.

I can’t even remember why I used Feedburner. I’m pretty sure I turned it on in a moment of “What’s that button do? *Monkey pushes button*”.

I’ll keep testing but eventually I’ll disengage Feedburner and just use https://blog.dembowski.net/feed/ instead.

Edit: This work around seems to fix it.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} blog.dembowski.net [NC]
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} !^/feed/$
RewriteCond %{REQUEST_URI} !^/index.php$
RewriteCond %{QUERY_STRING} !^feed=rss2$
RewriteRule ^(.*)$ https://blog.dembowski.net/$1 [R=301,L]
</IfModule>

The part starting at line 5 is where I added conditions so that the SSL 301 redirect will be ignored.

Better SSL with mod_substitute

Renewing my SSL certificates was on my to do list for months and today I’m at home recuperating from a fever that kept me up all night. Since my web server is now patched it is a good time to get new SSL certificates. So I contacted StartSSL and did the deed.

WordPress and SSL has always irked me because just putting a certificate on the web server and using the https URL would still give you elements that are loaded via http (not SSL) and your browser’s address bar would look like this.

ssl-conflict

See that yellow warning triangle over the lock? It irks me. It does. It’s a personality flaw, a blemish, an imperfection. It loudly announces to the world that I’m Doing It All Wrong™. I see that on my site and I hang my head in shame.

OK it’s not really that big a deal. I could play with WordPress SSL plugins but part of my background is configuring applications on servers and Apache2 has a useful module called mod_substitute.

I have two configuration files for my site. One is for the http version and the other is for SSL. It’s like two separate virtual hosts with the same directories.

After I enabled mod_substitute I added these lines to my SSL config.

<Location />
 AddOutputFilterByType SUBSTITUTE text/html
 Substitute "s|href="http://blog.dembowski.net/|href="https://blog.dembowski.net/|"
 Substitute "s|href='http://blog.dembowski.net/|href='https://blog.dembowski.net/|"
 Substitute "s|src=' http:|src='|"
 Substitute "s|src="http:|src="|"
</Location>
# NOTE: Remove the space before the http above

I’m using the alternate delimiter “|” because I don’t want to escape out the URL slashes.

That’s probably too many lines. The first two Substitute lines replaces any URLs of mine from http:// to https://. The next two are for any reference that load elements using plain “http:”. I don’t substitute those with “https:” but instead make those URLs “//” without an explicit protocol.

Doing that gets this image in my browser’s address bar.

ssl-conflict-gone

Green is good. Order is restored.

Why didn’t I use a WordPress HTTPS plugin?

Because I’m lazy and not feeling well. Also using mod_substitute lets me filter the HTML output after WordPress has generated it but before it is sent to the web browser. That gives me more confidence that I’ll get all of the URLs that I want to change.

I’m only using this trick on the SSL version of my site. It’s not a perfect solution and I’m curious to find what this breaks. I had to disable Jetpack’s Photon option because some of my images were not being sent to that CDN properly and there may be other thing as well.

This is not something for everyone (if you’re on a shared host for example) but if you can load Apache2 modules and restart your web server then this may work for you too.

Update: Using (.*) instead of “blog” works for my other vhosts as well. Nope, that breaks LOTS. reverting back.

Now validated with StartSSL

So while I was putzing around with my SSL sites and getting some grief with mod_gnutls, I realized that my life really would be much easier with a valid wildcard SSL cert.

So naturally I went to StartSSL and went through the process for a Class 2 Validation. I had meant to do it for a long time and have been using their free Class 1 certificates for ages.

The process was easy and once I logged in, I uploaded some documentation and waited for the administrative work to complete. I used PayPal and shortly afterwards I received a phone call from Startcom. It was Eddy Nigg personally calling me to ask me the control questions.

I couldn’t help myself and I laughed out loud. I have been long admiring what he and his company have been doing with affordable SSL certs. I regard what other CAs charge as quite a successful scam and StartSSL’s efforts have been well on par with the other “Big names”.

So now I’m successfully validated, using a wildcard SSL cert for my entire domain, and I am officially a satisfied customer. I can’t recommend them enough.

StartSSL and Nginx

I converted this blog from Apache2 to Nginx but forgot a step for SSL. With Apache2 to correctly install the SSL cert, you need to include in your config ca.pem and sub.class1.server.ca.pem. See here for more information.

I didn’t realize I had a problem until I pointed my iPhone at my SSL enabled web site.

With Nginx you’ve got

 ssl  on;
 ssl_certificate  /etc/nginx/ssl/blog.crt;
 ssl_certificate_key  /etc/nginx/ssl/blog.key;

Nginx doesn’t do SSL certificate chaining like Apache2 does. In order to get the ca.pem and sub.class1.server.ca.pem onto your install just append the two files to your certificate file.

curl http://www.startssl.com/certs/sub.class1.server.ca.pem >>blog.crt
curl http://www.startssl.com/certs/ca.pem >>blog.crt

I restarted my Nginx server and had no problems since. I continue to be impressed with StartSSL and at some point I will want to purchase a wild card cert for my domain.

SSL certs for free and not self signed?

I may have been under a rock lately. I saw on Reddit that Microsoft Internet Explorer 8 supported StartSSL certificates. So as a goof I signed up at https://www.startssl.com/ and applied for a free server certificate.

I generated via their web page a certificate for blog.dembowski.net, installed it on my apache server and started using it. Firefox complained that I’m not certified as I have not validated who I am. That’s reasonable and very X.509v3 of them.

Internet Explorer 8 used the SSL cert for my server without a single hiccup. Other than my WordPress mixes http and https on the same page, there were no complaints. Internet Explorer just used the SSL cert without any problems.

I use SSL certs for privacy and not for identity, so self-signed SSL  certs that I have generated are no big deal for me. But having a Microsoft browser not complain about my SSL web site is surreal.

Edit: Oh. Turns out you also need to follow these instructions too. I added SSLCertificateChainFile to my conf and on my other laptop Firefox does not complain at all now. Chrome works like a charm too.

How did I find out about my misconfiguration? Because I recieved this e-mail from StartSSL this morning:

This mail is intended for the person who owns a digital certificate issued by the StartSSL™ Certification Authority (http://www.startssl.com/).

It seems, that the installation of your server certificate with serial number 45568 for blog.dembowski.net is not complete! You should add the intermediate CA certificate to your installation. This is important, because most browsers will issue an error if this is not properly done. Please consult the installation instructions at http://www.startssl.com/?app=20 on how to do that. The missing certificate can be obtained from http://www.startssl.com/certs/sub.class1.server.ca.pem


Best Regards

StartCom Ltd.
StartSSL™ Certification Authority

So after I applied for a cert, they reached out to check if I installed it correctly. For Free. How cool is that?

Importing self-signed SSL certs into Vista

I use SSL on my web servers for privacy and not authentication. Since it is my own use I don’t care if it’s from Verisign or Thawte. Also why shell out cash for the certificate when a self signed certificate will do just fine?

Internet Explorer used to permit you to install web server certificates by examining the SSL certificate and importing it into your key store. Version 7 of the browser took that away and made it more difficult to import them into the key store.

Here is how I imported the web server certificate into Vista. Continue reading

WordPress SSL Admin plugin (patched)

A while back WordPress.com released a plugin which protected your login with SSL. Normally when you administer a WordPress blog, it’s done via http. The plugin was originally released for the WordPress 2.1-alpha release. After a few updates it stopped working.

Over at Haris.tv this gentleman fixed the plugin and released a patch version of it which works with 2.0.6 as well as 2.1 (I have not tried 2.1 yet). It works like a charm (been playing with it all day). If you use a wordpress blog, have SSL set up on your web server, then it’s a must have and you should install it ASAP.

© 2018 Mostly Harmless

Theme by Anders NorenUp ↑