Better SSL with mod_substitute

Renewing my SSL certificates was on my to-do list for months, and today I’m at home recuperating from a fever that kept me up all night. Since my web server is now patched, it is a good time to get new SSL certificates. So I contacted StartSSL and did the deed.

WordPress and SSL have always irked me because just putting a certificate on the web server and using the https URL would still give you elements that are loaded via http (not SSL), and your browser’s address bar would look like this.

[image: ssl-conflict]

See that yellow warning triangle over the lock? It irks me. It does. It’s a personality flaw, a blemish, an imperfection. It loudly announces to the world that I’m Doing It All Wrong™. I see that on my site and I hang my head in shame.

OK, it’s not really that big a deal. I could play with WordPress SSL plugins, but part of my background is configuring applications on servers, and Apache2 has a useful module called mod_substitute.

I have two configuration files for my site. One is for the http version and the other is for SSL. It’s like two separate virtual hosts with the same directories.

After I enabled mod_substitute, I added these lines to my SSL config.

<Location />
 AddOutputFilterByType SUBSTITUTE text/html
 # Patterns that contain double quotes are wrapped in single quotes (and vice versa)
 # so Apache's config parser does not end the argument at the inner quote.
 Substitute 's|href="http://blog.dembowski.net/|href="https://blog.dembowski.net/|'
 Substitute "s|href='http://blog.dembowski.net/|href='https://blog.dembowski.net/|"
 Substitute "s|src='http:|src='|"
 Substitute 's|src="http:|src="|'
</Location>

I’m using the alternate delimiter “|” because I don’t want to escape out the URL slashes.

That’s probably too many lines. The first two Substitute lines replace any URLs of mine from http:// to https://. The next two are for any references that load elements using plain “http:”. I don’t substitute those with “https:” but instead make those URLs “//” without an explicit protocol, so the browser fetches them with whatever protocol the page itself was loaded over.
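Before restarting Apache it helps to see what the four rules actually do to a page. The following is an added dry run, not code from the original post: it applies the same four Substitute rules as sed expressions to a constructed HTML fragment and counts the src= attributes that would still be fetched over plain http. The fragment and the *.example.invalid host names are made up; blog.dembowski.net is the host from the post.

```shell
#!/bin/sh
# Added example, not from the post. Runs the post's four Substitute rules as sed
# expressions over a constructed HTML fragment, then counts the src= attributes
# that would still be fetched over plain http. The fragment and the
# *.example.invalid hosts are made up; blog.dembowski.net is the host from the post.
set -eu

HOST="blog.dembowski.net"

# Same rules, same order as the mod_substitute config. mod_substitute replaces
# every match on a line, so each sed expression gets the g flag.
fix_mixed_content() {
    sed -e "s|href=\"http://$HOST/|href=\"https://$HOST/|g" \
        -e "s|href='http://$HOST/|href='https://$HOST/|g" \
        -e "s|src='http:|src='|g" \
        -e 's|src="http:|src="|g'
}

# Count src= attributes (scripts, images, iframes) still pointing at http://.
# These are what the browser flags as mixed content; a plain <a href> only links.
# Note that a <link rel="stylesheet" href="http://other-host/..."> would also be
# mixed content and is NOT caught by the href rules, which only cover $HOST.
count_http_src() {
    grep -o "src=[\"']http://[^\"']*" | wc -l | tr -d ' '
}

# Constructed stand-in for WordPress output on the https vhost.
SAMPLE=$(cat <<'EOF'
<a href="http://blog.dembowski.net/about/">About</a>
<img src="http://blog.dembowski.net/wp-content/uploads/pic.png" alt="">
<script src='http://ajax.example.invalid/jquery.js'></script>
<link rel="stylesheet" href="http://blog.dembowski.net/style.css">
<a href="http://other.example.invalid/">Somewhere else</a>
EOF
)

before_count() { printf '%s\n' "$SAMPLE" | count_http_src; }
after_count()  { printf '%s\n' "$SAMPLE" | fix_mixed_content | count_http_src; }

echo "http src= attributes before: $(before_count)"
echo "http src= attributes after:  $(after_count)"
echo "--- rewritten fragment ---"
printf '%s\n' "$SAMPLE" | fix_mixed_content
```

The two src= rules are host-agnostic, which is why the script on the other host also ends up protocol-relative; the href rules only touch the blog's own host, so a link to another site stays http (harmless for an anchor, but a stylesheet or font loaded by href from another host over http would still trigger the warning).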

Doing that gets this image in my browser’s address bar.

[image: ssl-conflict-gone]

Green is good. Order is restored.

Why didn’t I use a WordPress HTTPS plugin?

Because I’m lazy and not feeling well. Also using mod_substitute lets me filter the HTML output after WordPress has generated it but before it is sent to the web browser. That gives me more confidence that I’ll get all of the URLs that I want to change.

I’m only using this trick on the SSL version of my site. It’s not a perfect solution, and I’m curious to find out what this breaks. I had to disable Jetpack’s Photon option because some of my images were not being sent to that CDN properly, and there may be other things as well.

This is not something for everyone (if you’re on a shared host, for example), but if you can load Apache2 modules and restart your web server, then this may work for you too.

Update: Using (.*) instead of “blog” works for my other vhosts as well. Nope, that breaks LOTS. Reverting back.

Now validated with StartSSL

So while I was putzing around with my SSL sites and getting some grief with mod_gnutls, I realized that my life really would be much easier with a valid wildcard SSL cert.

So naturally I went to StartSSL and went through the process for a Class 2 Validation. I had meant to do it for a long time and have been using their free Class 1 certificates for ages.

The process was easy, and once I logged in, I uploaded some documentation and waited for the administrative work to complete. I used PayPal, and shortly afterwards I received a phone call from StartCom. It was Eddy Nigg personally calling me to ask me the control questions.

I couldn’t help myself and I laughed out loud. I have long admired what he and his company have been doing with affordable SSL certs. I regard what other CAs charge as quite a successful scam, and StartSSL’s efforts have been well on par with the other “big names”.

So now I’m successfully validated, using a wildcard SSL cert for my entire domain, and I am officially a satisfied customer. I can’t recommend them enough.

StartSSL and Nginx

I converted this blog from Apache2 to Nginx but forgot a step for SSL. With Apache2, to correctly install the SSL cert you need to include ca.pem and sub.class1.server.ca.pem in your config. See here for more information.

I didn’t realize I had a problem until I pointed my iPhone at my SSL enabled web site.

With Nginx you’ve got

 ssl  on;
 ssl_certificate  /etc/nginx/ssl/blog.crt;
 ssl_certificate_key  /etc/nginx/ssl/blog.key;

Nginx doesn’t do SSL certificate chaining like Apache2 does: there is no separate chain-file directive, so ssl_certificate has to point at a file that already contains the chain. In order to get ca.pem and sub.class1.server.ca.pem onto your install, just append the two files to your certificate file, in that order (server cert first, then the intermediate, then the root).

curl http://www.startssl.com/certs/sub.class1.server.ca.pem >>blog.crt
curl http://www.startssl.com/certs/ca.pem >>blog.crt
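To confirm that the concatenated file really fixes the incomplete-chain problem (the same one the StartSSL e-mail further down this page warns about), the following added check, which is not part of the original post, builds a throwaway root/intermediate/leaf chain with openssl and validates the server certificate the way a client that trusts only the root would: first with the leaf alone, as nginx would send it with the original blog.crt, then with the intermediate and root appended. The names (Demo Root CA, Demo Intermediate CA, blog.example.test) and the temporary directory are made up; ca.pem stands in for StartSSL’s ca.pem and sub.pem for sub.class1.server.ca.pem.

```shell
#!/bin/sh
# Added example, not from the post. Builds a throwaway three-level chain with
# openssl and checks, the way a browser would, whether a server that sends only
# the leaf certificate can be validated against a trust store holding only the
# root. Names below (Demo Root CA, Demo Intermediate CA, blog.example.test) are
# made up; ca.pem stands in for StartSSL's ca.pem and sub.pem for
# sub.class1.server.ca.pem.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions that mark a certificate as a CA; needed on root and intermediate,
# otherwise openssl rejects them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"

# Root CA, self-signed. This is the only thing the "client" trusts.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/sub.key" \
    -out "$WORK/sub.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" 2>/dev/null

# Server certificate, signed by the intermediate: what the CA hands you as blog.crt.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/blog.key" \
    -out "$WORK/blog.csr" -subj "/CN=blog.example.test" 2>/dev/null
openssl x509 -req -in "$WORK/blog.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf-only.crt" 2>/dev/null

# chain_ok FILE ROOT: emulate a client that trusts only ROOT and receives the
# contents of FILE from the server. The first certificate in FILE is the one
# being validated; every certificate in FILE may serve as an untrusted
# intermediate, which is how nginx uses a multi-certificate ssl_certificate file.
chain_ok() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# cert_count FILE: number of PEM certificates in FILE (1 means no chain at all).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Build blog.crt the way the post does: leaf first, then intermediate, then root.
cp "$WORK/leaf-only.crt" "$WORK/blog.crt"
cat "$WORK/sub.pem" >> "$WORK/blog.crt"
cat "$WORK/ca.pem"  >> "$WORK/blog.crt"

if chain_ok "$WORK/leaf-only.crt" "$WORK/ca.pem"; then
    echo "leaf only ($(cert_count "$WORK/leaf-only.crt") cert): verified"
else
    echo "leaf only ($(cert_count "$WORK/leaf-only.crt") cert): NOT verified, intermediate missing"
fi
if chain_ok "$WORK/blog.crt" "$WORK/ca.pem"; then
    echo "chained file ($(cert_count "$WORK/blog.crt") certs): verified"
fi
```

Order matters: nginx (and openssl verify here) takes the first certificate in the file as the server certificate, so appending the intermediates after it is the only arrangement that works; putting ca.pem first would make the server present the root as its own certificate.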

I restarted my Nginx server and have had no problems since. I continue to be impressed with StartSSL, and at some point I will want to purchase a wildcard cert for my domain.

SSL certs for free and not self signed?

I may have been under a rock lately. I saw on Reddit that Microsoft Internet Explorer 8 supported StartSSL certificates. So as a goof I signed up at https://www.startssl.com/ and applied for a free server certificate.

I generated a certificate for blog.dembowski.net via their web page, installed it on my Apache server and started using it. Firefox complained that I’m not certified, as I have not validated who I am. That’s reasonable and very X.509v3 of them.

Internet Explorer 8 used the SSL cert for my server without a single hiccup. Other than my WordPress mixing http and https on the same page, there were no complaints. Internet Explorer just used the SSL cert without any problems.

I use SSL certs for privacy and not for identity, so self-signed SSL certs that I have generated are no big deal for me. But having a Microsoft browser not complain about my SSL web site is surreal.

Edit: Oh. Turns out you also need to follow these instructions too. I added SSLCertificateChainFile to my conf, and on my other laptop Firefox does not complain at all now. Chrome works like a charm too.

How did I find out about my misconfiguration? Because I received this e-mail from StartSSL this morning:

This mail is intended for the person who owns a digital certificate issued by the StartSSL™ Certification Authority (http://www.startssl.com/).

It seems that the installation of your server certificate with serial number 45568 for blog.dembowski.net is not complete! You should add the intermediate CA certificate to your installation. This is important, because most browsers will issue an error if this is not properly done. Please consult the installation instructions at http://www.startssl.com/?app=20 on how to do that. The missing certificate can be obtained from http://www.startssl.com/certs/sub.class1.server.ca.pem

Best Regards

StartCom Ltd.
StartSSL™ Certification Authority

So after I applied for a cert, they reached out to check if I had installed it correctly. For free. How cool is that?