SSL on personal website

Discussion in 'General troubleshooting' started by Violynne, Apr 22, 2014.

  1. I've read the KB on SSL and I think I'm somewhat familiar with what I'm about to do, but I've some questions.

    The domain I wish to register does not belong to a company, yet I do not wish to provide my personal information.

    What do I add to the fields:
    Organization / Name
    Organization Dept

    This information is required.
    I would like to add my domain name as the "organization" and "organization dept", if I can. Is this allowed?

    Since I'm not sure how my domain is set up, I'm a bit lost on what SSL cert I should get.

    I'm looking at the *.mydomain cert, but am completely lost why "mydomain" isn't covered. I'm under the impression the "www" is auto-resolved via DNS services, not the browser, so why is "mydomain" not covered with the cert having "www.mydomain" (or "*.mydomain")?

    Will this require a second purchase or will "mydomain" throw up the "Cert not validated" message?

    Thanks for your help.
     
  2. FredC

    FredC Winhost Staff

    Organization / Name = company name
    Organization Dept = like IT department

    There's no validation for the content for these fields, you can put anything there you wish.

    >>I'm looking at the *.mydomain cert, but am completely lost why "mydomain" isn't covered. I'm under the impression the "www" is auto-resolved via DNS services, not the browser, so why is "mydomain" not covered with the cert having "www.mydomain" (or "*.mydomain")?

    This is how it's supposed to work. I recommend you create a URL rewrite rule to rewrite all requests from domain.com to www.domain.com so you don't have to buy another cert.
     
  3. I suppose it's time to start installing Microsoft toys again. Can't create a rule without an IIS manager. ;)

    Thanks for your help, Fred. I'll get busy with the rule, then purchase the SSL cert.

    Have a great day.
     
  4. FredC

    FredC Winhost Staff

    Not necessary.

    IIS Manager basically modifies the web.config file.

    You can insert this rule into your web.config

    <system.webServer>
      <rewrite>
        <rules>
          <!-- Redirect any request whose Host header is not www.domain.com
               to the www host, keeping the requested path ({R:1}). -->
          <rule name="CanonicalHostNameRule">
            <match url="(.*)" />
            <conditions>
              <add input="{HTTP_HOST}" pattern="^www\.domain\.com$" negate="true" />
            </conditions>
            <action type="Redirect" url="http://www.domain.com/{R:1}" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
     
  5. I already installed the manager and did the rewrite. I was going to do it anyway, since there are other things I wanted to set up.

    I submitted, received, and installed the wildcard certificate, and adjusted IIS to require SSL, but the site keeps timing out. It works fine if I remove the require SSL, but then it's not SSL.

    I followed the instructions not to include the CA certificate, but I'm wondering if I goofed up somewhere. I hope not. That'll be a $169 mistake.

    I'm also trying to set up FTP via SSL, but I'm getting an "Invalid Certificate" error message.

    If you need the site name, let me know. I'll be here until I get it fixed. :)

    Thanks again for your help.
     
  6. FredC

    FredC Winhost Staff

    Let me know the domain name that causes the problem.
     
  7. Will do. Following RapidSSL instructions now to put cert in IIS. :) Just created the .cer file, proceeding with the next steps.
     
  8. Hmm. There doesn't seem to be the option to upload the cert in IIS. My CP shows the cert is now active, but I can't get the site up. The RapidSSL instructions seem to be for those running IIS servers, not being hosted.

    Any ideas on what I could be doing wrong? I didn't install the CA cert, per the SSL instructions in the KB.
     
  9. The domain name is peppermintvault.com.

    Heh: just found the edit link. Sorry for the repeated posts.

    RapidSSL site says CA needs to be included. Should I have copied both CA and Web Server cert into the second box?
     
  10. FredC

    FredC Winhost Staff

    I looked at your account and it seems like you already installed the cert. I also tested HTTPS on your site, seems to be working fine.
     
  11. Interesting. I've tried https://peppermintvault.com and https://www.peppermintvault.com, and I'm getting a "Connection has timed out" on both.

    Using Firefox latest. I just turned it off about 5 minutes ago, and the non-https version pops up.

    I'm going to recheck "Enable SSL" and the "Require" option and let IIS filter for another 5 minutes to reset. Will let you know what happens then.

    EDIT: Just tried IE10 and it's giving me a nasty page saying the server requires a cert. :\

    EDIT 9:19pm EST: Unchecked the Require SSL. Not working despite several changes. Will need to try again tomorrow to see what's up.

    Not sure how you can see it when I can't. :(

    Thanks for the help today. Will chat again soon. :)
     
    Last edited: Apr 24, 2014
  12. FredC

    FredC Winhost Staff

  13. This is interesting. I unchecked "Require SSL" and "Ignore" on IIS. However, when I check them, it doesn't work. Should I just leave the option alone?

    If so, I'll set up another rule to change http to https.

    Thanks again for your help. :)

    EDIT: Just updated the rule and added another to push to HTTPS.

    Working well. Thanks again!
     
    Last edited: Apr 25, 2014
  14. FredC

    FredC Winhost Staff

    Good to hear.
     
  15. Either I'm completely clueless what the cert is doing or I over-estimated what its purpose is, but I'm having a hell of a time using the cert for both ftp and mail at the domain, which is the reason I bought the wildcard cert.

    On the FTP program I use (FireFTP add-on), I continue to get a "Cert is only valid for wh-2.com". This is trying to use ftp.peppermintvault.com, not the secondary server name (which I use at home with an installed FTP client and works well with SSL, but couldn't use ftp.peppermintvault.com).

    In addition, I get an "untrusted connection" message when trying to connect to "https://mail.peppermintvault.com".

    I can understand the exclusion of FTP given this really isn't an HTTP protocol and using the secondary server name isn't a problem at all.

    But it's very important I add it to mail.peppermintvault.com, since it seems the basic email client doesn't use SSL.

    Any help you can provide, even if it's to help me understand, will be appreciated.
     
  16. FredC

    FredC Winhost Staff

    1) You can't use your certificate to secure an FTP connection. If you want to use FTP over SSL, you'll need to use the secondary FTP URL found in the control panel.

    2) Mail. If you want to use HTTPS for mail, please use https://m04.internetmailserver.net
     
  17. Ouch. Pricey lesson to learn buying a wildcard cert assuming ftp and mail were covered. I am a little surprised mail.peppermintvault wasn't covered. I just assumed the connection would be encrypted from the pointer to the resolved server. I can assume, then, that Winhost does not use mail servers? I suppose I should have asked this before buying the cert.
    :p

    I pop3's my mail accounts into outlook.com, so I'll just leave them there since SSL is provided and it's available on my android phone. I really don't like the interface of "smartermail".

    Again, thanks for your help. I'll definitely keep this in mind when I need to renew the cert next year, which won't be a wildcard. ;)
     
  18. Having read the KB intensely, I can't seem to find an answer to my concern. I apologize for not being more clear, but this is a learning experience for me since I'm new to SSL on a hosting service.

    The email client isn't my concern. It's the email service in general.

    If I have a form on my website, which I want the contents to be sent to my domain email address, I'd like to know how I can secure the communication between my website and the email server.

    I can't seem to find any information regarding the email server and the domain server (though there are plenty of articles on setting up email readers).

    I bought the wildcard cert assuming "mail.peppermintvault.com" would be set up as a shared cert on the trusted connection, given it's unusual to put an email service and web service on the same server.

    Reading the email isn't the issue. It's how the information from the web site to the email server is being sent. I need to ensure it's encrypted since it now appears my cert can't do it.

    I don't know how I can enable SSL in my ASP.NET application if I can't use my mail.domain account (which all SMTP articles indicate I should use) and I can't find any information on how to set up the SMTP account for SSL enabling in the KB.

    Again, I apologize for the confusion and hope this clears it up. :)
     
  19. ComputerMan

    ComputerMan Winhost Staff

    I know what you mean because I've been there before. Basically what you installed on your hosting environment is a Wildcard SSL Certificate and that means that Anything.YourDomainName.com is secured.

    However, you must be wondering, "well why isn't mail.YourDomainName.com secured since you stated Anything.YourDomainName.com is secured".

    This is because mail.YourDomainName.com points to a different server. Our mail server is hosted on a different box. The SSL Certificate you ordered is only installed on the web server and not on the mail server.

    Just remember that any subdomain name you wish to use that points to our web server for your site account is automatically protected by the Wild Card SSL Certificate you installed.

    The mail service and the web service aren't on the same server. That would explain why the SSL Certificate you ordered doesn't protect your mail.peppermintvault.com.

    Also, you can't secure the SMTP connection from your web site to the mail server because at this moment we don't support this. So trying to do this will just make your head hurt because you won't be able to do this.
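
Added example (not part of the thread, and not Winhost's or RapidSSL's code): the name check a TLS client applies, run over the hostnames discussed above. It shows why "*.peppermintvault.com" does not cover the bare domain, and why a name that resolves to a different server is judged against that server's certificate. The certificate names listed for the FTP and mail servers are assumptions, taken from the FireFTP error in post 15 and the mail URL in post 16.

```python
# Added example: hostname matching as TLS clients apply it (RFC 6125 rules).
def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate name (SAN entry) covers `host`.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so it never matches the bare domain or two levels.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least "*.name.tld"; compare everything right of the '*'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host: str) -> bool:
    """A certificate covers a host if any one of its names matches."""
    return any(name_matches(n, host) for n in cert_names)


# Constructed model of the thread. The client checks the name it asked for
# against the certificate of whichever server answers, so a name that points
# at another machine is never judged against the customer's wildcard.
WILDCARD = ["*.peppermintvault.com"]
PRESENTED = {
    "www.peppermintvault.com": WILDCARD,       # web server, cert installed
    "peppermintvault.com": WILDCARD,           # same web server, bare domain
    "ftp.peppermintvault.com": ["wh-2.com"],   # assumed from the FireFTP error
    "mail.peppermintvault.com": ["m04.internetmailserver.net"],  # assumed
}


def report() -> dict:
    """Map each hostname to whether its presented certificate is accepted."""
    return {host: cert_covers(names, host) for host, names in PRESENTED.items()}


if __name__ == "__main__":
    for host, ok in report().items():
        print(f"{host:28} {'ok' if ok else 'name mismatch'}")
```

A certificate that also lists the bare domain as a second name passes the check for both forms.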
     
