Certificate Hell

Finally got around to organising some real certificates for my sites, since the change to Google and various browsers to give warnings on HTTP only sites.

Safari Not So Goody

The EFF have been fantastic in lending their support to moving everyone onto HTTPS through their Let’s Encrypt website: https://letsencrypt.org/

These are temporary but very real free certificates that last for three months and mean your site won’t disappear behind scary warnings. The downside of this is of course the expiry and being spammed by your hosting console about that expiry.

Upgrading to my own certificates for the various URLs I own was going to be expensive on first look. After a bit of research, I decided to go for the PositiveSSL Multi-Domain (DV) through Sectigostore.

This has allowed me to have a multisite certificate registered to my company that covers 21 URLs.

Providing the information was painless but getting these various URLs verified was a bit harder. Verifying via email was out as I wasn’t going to go create 21 admin email addresses. Verifying via text file on the server worked for those with websites, not so much for a couple that I have parked at the Registrar.

To do those and eventually the others, I had to add a CNAME record into the DNS at the Registrar. I try to not mess about with DNS as it’s not my bag. On this occasion I had no choice as all listed URLs had to be verified before a certificate could be issued. Thankfully the support via chat was good and I soon had everything verified.

One criticism of the Sectigostore website was that I couldn’t see the verification status of each URL. Turns out two of them failed to verify as I had done the CNAME record change at my hosting rather than the Registrar. Once I asked the support, they told me which ones were unverified, I changed them and one minute later I had a shiny new SSL certificate.

Welcome to the new section of Certificate Hell.

Installing the SSL Certificates for each site was just a lot of copy and paste. Once done I gave the new URLs a test:

NET::ERR_CERT_COMMON_NAME_INVALID

Uh?

So the fancy new Certificate that I had was still throwing up a “here be dragons” warning.

After a bit of searching, the issue seemed to be that the browser was whinging about the site URL being different from the certificate owner (my company).

I tried a few different things but finally adding the following lines in the WordPress config file (wp-config.php) seemed to make this issue go away:

define( 'WP_HOME', 'https://joemolloy.com' );
define( 'WP_SITEURL', 'https://joemolloy.com' );

This fix was obtained from https://wordpress.org/support/topic/neterr_cert_common_name_invalid-2/

It is a bit of a hack, but it works. Apparently according to the WordPress Support site it breaks the ability to edit this via the UI. I can live with that.

https://wordpress.org/support/article/changing-the-site-url/

This made the warning pages go away in Chrome & Brave. Safari has been more stubborn, but who uses desktop Safari these days anyway?
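Chrome raises NET::ERR_CERT_COMMON_NAME_INVALID when the hostname being requested matches none of the names in the certificate's Subject Alternative Name (SAN) list. The following is an added example, not part of the original post: a Python check of site URLs (for instance the WP_HOME and WP_SITEURL values) against a SAN list. The function names are hypothetical and the hostnames and SAN entries are constructed.

```python
"""Report which site URLs a multi-domain certificate's SAN list covers."""
from urllib.parse import urlsplit


def _labels(name):
    # DNS names compare case-insensitively; a trailing dot is the same host.
    return name.strip().rstrip(".").lower().split(".")


def san_matches(hostname, san):
    """True if one dNSName SAN entry covers hostname (RFC 6125-style rules)."""
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern):
        # A wildcard stands for exactly one label, so *.blog.example.test
        # covers neither blog.example.test nor a.b.blog.example.test.
        return False
    if pattern[0] == "*":
        # Only a whole left-most "*" label is a wildcard, and only above
        # at least two fixed labels; "w*.example.test" is compared literally.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def check_urls(urls, sans):
    """Map each URL to True (covered) or False (browser would warn)."""
    result = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        result[url] = any(san_matches(host, san) for san in sans)
    return result


# Constructed SAN list, standing in for the names on a multi-domain cert.
SAMPLE_SANS = ["example.test", "www.example.test", "*.blog.example.test"]

# Constructed URLs, e.g. each site's WP_HOME plus any alias that visitors use.
SAMPLE_URLS = [
    "https://example.test/",
    "https://WWW.example.test/wp-admin/",
    "https://a.blog.example.test/",
    "https://blog.example.test/",   # apex of the wildcard: not covered
    "https://mail.example.test/",   # never added to the certificate
]

if __name__ == "__main__":
    for url, ok in check_urls(SAMPLE_URLS, SAMPLE_SANS).items():
        print(("covered " if ok else "MISMATCH"), url)
```

Running it before installing a certificate shows which hostnames still need to be added to the order, or redirected to a covered name.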