ausecocloud / ecocloud


Secure HTTPS on www.ecocloud.org.au #49

Open hoylen opened 5 years ago

hoylen commented 5 years ago

HTTPS on https://www.ecocloud.org.au is not working.

The TLS server certificate is a self-signed certificate and it is for the wrong domain name.

hoylen commented 5 years ago

A QuoVadis certificate has now been added to the WordPress site.

Unfortunately, that certificate is only for the domain name of "ecocloud.org.au" and there is no SubjectAltName for "www.ecocloud.org.au" in it, so it is not going to work for people visiting https://www.ecocloud.org.au/ (with the "www").

We have two options:

  1. Get a new certificate with the correct SubjectAltName and install that on WordPress.

  2. Edit all the links to www.ecocloud.org.au, changing them to just ecocloud.org.au and hope nobody types in www.

I think option 1 is better, since it will then work with and without the www.

sarahrichmond commented 5 years ago

@gweis are you able to look into getting a cert. for www.ecocloud.... ?

hoylen commented 5 years ago

@gweis One certificate that supports both "www.ecocloud.org.au" and "ecocloud.org.au".

hoylen commented 5 years ago

@gweis Ideally, both domain names should appear in the SubjectAltName -- not one in the common name and the other in the SubjectAltName (even though that usually works). This is because future versions of Chrome/Firefox will no longer recognise the domain name from the common name. https://www.chromestatus.com/features/4981025180483584 https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/

gweis commented 5 years ago

I was under the assumption that WordPress supports only one domain name... it will always redirect to the configured domain name, so one domain name should suffice.

I.e. if WordPress is configured to serve the domain ecocloud.org.au, then it will always redirect to ecocloud.org.au even if you browse to the site via www.ecocloud.org.au.

I can try and ask for a certificate with multiple domain names ... not sure whether that's possible as I haven't asked for one before.

So if I understand it correctly, it's that some browsers want a valid SSL cert for that initial redirect as well, but e.g. Chrome happily just redirects anyway.

(Also, I assume it's not possible to configure two different SSL certs for the two domains?... That's what I usually do with self-hosted web servers: one cert per virtual host.)

hoylen commented 5 years ago

Your assumption sounds plausible, but it seems WordPress.com does support multiple domains. I am surprised they don't charge extra for it!

There are two types of redirection we want. (The text below assumes the preferred domain does not have the "www" in it -- I actually prefer it with "www", but it is an uphill battle against the might of Google on this issue!)

  1. Redirection to canonicalise the domain name (e.g. www.something to something).
  2. Redirection for insecure requests to secure requests (e.g. http://something to https://something).

So this is what we want for the following combinations of what the user could enter:

  a. Visits http://ecocloud.org.au: redirect to https://ecocloud.org.au (ideally)
  b. Visits http://www.ecocloud.org.au: redirects to https://ecocloud.org.au (ideally)
  c. Visits https://www.ecocloud.org.au: redirects to https://ecocloud.org.au
  d. Visits https://ecocloud.org.au (success: serve the page)

TLS needs to work on www.ecocloud.org.au and ecocloud.org.au, so that both c and d work. In c, all browsers send the initial HTTPS request to www.ecocloud.org.au. It needs to establish a TLS connection it trusts, before it can even discover there is a redirection.

I say "ideally", because WordPress might implement the two types of redirections as two separate HTTP redirects.
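The following is an added example, not code from this issue thread or from the ecocloud project, that checks the two points raised above offline: whether a certificate's SubjectAltName covers each host name (SAN only, no common-name fallback, as the linked Chrome/Firefox changes require), and whether the redirect chain for the four cases a to d lands on the canonical https URL without any https hop on a host the certificate does not cover. The certificate dictionaries are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns, the `simulated_site` fetcher is an assumed two-step model of the WordPress redirects (scheme first, then host), not verified behaviour of the real site, and the canonical URL `https://ecocloud.org.au/` is assumed from the thread.

```python
"""Offline checker for the two things this issue asks for: a certificate
whose SubjectAltName covers both host names, and a redirect chain that
lands on the canonical https URL from every way a user might type the
address.  All inputs are constructed; nothing here talks to the network."""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Certificates in the shape ssl.SSLSocket.getpeercert() returns.  These are
# constructed sample values, not the certificates actually on the site.
CERT_SELF_SIGNED: dict = {  # first comment: self-signed, wrong name (placeholder CN)
    "subject": ((("commonName", "wordpress.example"),),),
}
CERT_BARE_ONLY: dict = {    # QuoVadis cert as described: bare name only
    "subject": ((("commonName", "ecocloud.org.au"),),),
    "subjectAltName": (("DNS", "ecocloud.org.au"),),
}
CERT_BOTH: dict = {         # option 1: both names in the SAN
    "subject": ((("commonName", "ecocloud.org.au"),),),
    "subjectAltName": (("DNS", "ecocloud.org.au"), ("DNS", "www.ecocloud.org.au")),
}


def san_dns_names(cert: dict) -> List[str]:
    """DNS names from subjectAltName only.  There is deliberately no
    commonName fallback: that is the browser behaviour the links in the
    thread describe, so a CN-only certificate covers nothing."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def cert_covers(cert: dict, hostname: str) -> bool:
    """RFC 6125 style matching: exact name, or a wildcard that stands for
    exactly one left-most label (so *.ecocloud.org.au does not cover the
    bare ecocloud.org.au)."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


Fetcher = Callable[[str], Tuple[int, Optional[str]]]  # url -> (status, Location)


def simulated_site(url: str) -> Tuple[int, Optional[str]]:
    """Constructed stand-in for the WordPress site (assumption, not verified
    against the real host): it fixes the scheme first and the host name
    second, as two separate redirects, the case hoylen flags with "ideally"."""
    p = urlsplit(url)
    path = p.path or "/"
    if p.scheme != "https":
        return 301, f"https://{p.netloc}{path}"
    if p.hostname != "ecocloud.org.au":
        return 301, f"https://ecocloud.org.au{path}"
    return 200, None


def check_chain(start_url: str, cert: dict, fetch: Fetcher = simulated_site,
                canonical: str = "https://ecocloud.org.au/", max_hops: int = 5):
    """Follow redirects from start_url.  A browser validates the TLS
    handshake before it can read a Location header, so every https hop must
    be on a host the certificate covers; the chain must end with 200 at the
    canonical URL.  Returns (ok, hops, reason)."""
    url, hops = start_url, [start_url]
    for _ in range(max_hops):
        host = urlsplit(url).hostname or ""
        if url.startswith("https://") and not cert_covers(cert, host):
            return False, hops, f"TLS to {host} fails: name not in SAN"
        status, location = fetch(url)
        if status == 200:
            ok = url == canonical
            return ok, hops, "ok" if ok else f"served {url}, not {canonical}"
        if status in (301, 302, 307, 308) and location:
            url = location
            hops.append(url)
            continue
        return False, hops, f"unexpected {status} at {url}"
    return False, hops, "too many redirects"


# The four ways a user could enter the address (cases a to d in the issue).
CASES = [
    "http://ecocloud.org.au/",
    "http://www.ecocloud.org.au/",
    "https://www.ecocloud.org.au/",
    "https://ecocloud.org.au/",
]


def run_cases(cert: dict, fetch: Fetcher = simulated_site) -> Dict[str, bool]:
    """Map each entry URL to whether its chain succeeds with this cert."""
    return {u: check_chain(u, cert, fetch)[0] for u in CASES}


if __name__ == "__main__":
    for label, cert in [("bare name only", CERT_BARE_ONLY), ("both names", CERT_BOTH)]:
        print(label)
        for u in CASES:
            ok, hops, reason = check_chain(u, cert)
            print(f"  {'PASS' if ok else 'FAIL'} {u}  {' -> '.join(hops)}  ({reason})")
```

With the bare-name certificate, cases a and d pass but b and c fail at the `https://www.ecocloud.org.au/` hop, before any redirect is seen, which is the point made about case c; with both names in the SAN all four pass. Against the live site the same `check_chain` could be driven by a real fetcher that performs the TLS handshake and returns the status and Location header, in place of `simulated_site`.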