[sc:wordpress-category ]So a few weeks ago I mentioned in my hosting post that Bravenet didn’t support SSL, however apparently they do, it’s just a little bit buried.
So I decided to move JumbleCat over to https to give it a try. First of course was getting an SSL certificate.
Traditionally SSL certificates are expensive and hard to get, primarily due to a decision made when the SSL standard was being made to combine identity and encryption in to the certificate. There is a trend starting though to separate the two to some degree and providers like GoDaddy and StartSSL provide SSL certificates with just an e-mail confirmation.
I’ve used GoDaddy before and they provide a good service, however there is still a cost associated with the cert and I decided to give StartSSL a try. When I first tried to sign up I received a message that they were too busy to process my request, but I tried again a few minutes later and go in all right.
The sign up process was straight forward, however once complete the site takes you back to the main screen without telling you a message has been sent to your e-mail with the next steps.
That e-mail takes a little while to get to you, but once it does it has the steps to install your e-mail certificate that they use to authenticate you in their dashboard. If you try to connect to the dashboard before installing the cert you get a strange error message that isn’t very obvious.
Once I had the cert installed though everything was smooth and getting a certificate for JumbleCat was straight forward.
Installing the certificate on Bravenet was easy enough as well, there’s no configuration required once you have set the private key and certificate information.
The next step was to configure WordPress to use https and this is where the first real problem came up.
The first step is to go to the admin dashboard in WordPress and then change the WordPress and Site URL’s to use https. This broke pretty badly and didn’t let me login to JumbleCat again. After hunting around a bit I found that Bravenet uses a reverse proxy between the internet and the actual webhosts, which meant I had to add the following lines to wp-config.php:
if ($_SERVER[‘HTTP_X_FORWARDED_PROTO’] == ‘https’)
I also added the following to force the admin pages and login page to use https:
define( ‘FORCE_SSL_LOGIN’, true );
define( ‘FORCE_SSL_ADMIN’, true );
After that things went smoothly and the site came back up.
I also installed “WordPress Force HTTPS” in WordPress to force everything over to https.
There are a few things that need to be update after https is working:
- If you have an avatar image you’ll need to reselect it to use https.
- Links in your posts which use http will need to be converted to https.
The second issue is the biggest by far. A blog like JumbleCat currently has hundreds of posts and updating them by hand. Instead I used “Velvet Blues Update URLs” which automatically updated all the links for me.
I’m sure I’ll find a few more small things over the next few weeks, but for now everything seems to be working well.