SSL Certificates


#1

Not sure if this sits under troubleshooting but heyho, I’m sure it’l get moved if this isn’t the right place.

I want to enquire about SSL certificates.
Can I set it up like such;

https://secure.mydomain.com http://www.mydomain.com

Both pointing to the same folder path, but giving the option to use either secure or non-secure connections.
If I setup a certificate for https://secure… will users choosing to visit through http://www… be affected?

Also, in other peoples’ experiences, how easy/costly has it been to setup with dreamhost as the certificate provider,
…and what levels of encryption are available?

Thanks :slight_smile:


#2

You do need a dedicated IP to do SSL… It’s fairly easy to set up and you can actually get a free class 1 cert from startssl.com to experiment with. The free certificate is class 1 which will prevent eavesdropping, but is probably not what you would want for an e-commerce site. See option 4 on this page: http://wiki.dreamhost.com/Secure_Hosting

Setting up http://www.mydomain.com and https://www.domain.com to both work is relatively easy and is actually how it will work when first set up. I don’t see why you couldn’t set it up with https://secure.mydomain.com and http://www.mydomain.com by pointing the two to the same directory but I haven’t actually tried it.[hr]
The downside I do see to setting it up as https://secure.mydomain.com and http://www.mydomain.com is that google will penalize you for duplicate content I believe.


#3

It’s easy on Dreamhost. If you are not particular about who issues the certificate, get it from Dreamhost. After a short while, it’ll be installed. Then, visitors can use either “http:” or “https:”, regardless of any subdomains (“secure.mysite” is not a gimme). If you don’t want people to visit via non-SSL, one way is a brief PHP script at the top of each page to prevent it. There may be other ways.

I got mine from a 3rd-party. In that case, you go to their site, pay and give all the info, and they email you one or two chunks of garbled ASCII, which you then paste into Dreamhost’s form. Boom, you’re done.

I think it’s a $25 one-time fee for a dedicated IP address, which is required for SSL.


#4

Dedicated IP’s are 3.95 a month or 43.13 per year. there is no “one time” about it.

To force https: the best way is a couple lines in .htaccess


#5

Thanks for the replies guys :slight_smile:

I already have a dedicated IP address setup for “mydomain.com” (doesn’t include the WWW) - If I read correctly, doesn’t dreamhost
require that I have a fixed IP address on a full “www.mydomain.com” address in order for the certificate to work?
Or did I misread the wiki?

EDIT:
I’ve had another look at the Secure Hosting bit on my panel,
It shows I need an organization name and a security department?
My website isn’t an e-commerce site (yet) and when it is, I’ll be a sole-trader meaning I technically wont have a “department” for security?

Would I be allowed just to have the website name as the organization name, and leave the security department name as its default - or would this break some kind of rule somewhere?


#6

If you read through the wiki you will see this which answers your question:

basically you need to decide between the two…


#7

I would rather, given the choice - use “https://www” for secure connections, and “http://www” for non-secure.
Not sure if that’s what you mean?


#8

What the quoted text above means is that you have to have the domain configured either to force WWW ( www.mydomain.com ) or force non-WWW ( mydomain.com )… you can’t set it so the “either” works like you can with a basic non-secure domain.

This forum adds http:// when it sees www but the use of http or https is irrelevant at that point… the point is you must force it one way or the other… with www or without www


#9

Ah ok,
I’ve chosen to remove the www prefix completely now, so according to the settings page www.domain will redirect to just http://domain.
So with a certificate both https://domain.com & http://domain.com should work?


#10

correct.


#11

Is this specific to DreamHost? I have a website with an SSL (not currently hosted on DH, but I am in the process of moving it to DH) that works either way. I originally set my site up on DH to accept both. Before I change my dns and add my existing SSL certificate (I’m not sure what order I am supposed to do that in, so help on this would be appreciated), do I understand correctly that I need to set it to redirect one way or the other? Which is the preferred method, in your opinion?


#12

The wiki is out of date in that regard — the page needs some serious love, and I’ll see about having someone update it in a bit. (I’ve just removed the offending text for the moment.) The SSL certificates we’re currently issuing are good for both the with-www and the without-www variant of the hostname. If you have an SSL certificate which was issued elsewhere, though, this may not be the case.

That being said, setting your domains to redirect to one of the two variants is a good idea in general. Allowing both variants can cause some really bizarre issues. In particular, cookies created by the without-www hostname will be visible to the with-www hostname, but the converse is often not true: cookies created on the with-www hostname are frequently only visible to that hostname, and are not visible on the without-www hostname. If you have a site which makes significant use of sessions (e.g, to allow users to log in), you’d be well advised to pick one of the two options.


#13

Thanks so much for taking the time to reply. Your advice is quite helpful.