Ticket #540 (new maintenance)
HTTPS for WordPress sites
| Reported by: | chris | Owned by: | chris |
|---|---|---|---|
| Priority: | major | Milestone: | Maintenance |
| Component: | Parrot server | Keywords: | |
| Cc: | ed, laura | Estimated Number of Hours: | 2.0 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 0.1 | | |
Description
Currently the wiki:WordPress sites have the following SSL certificates:
- https://www.intransitionmovie.com/ -- Gandi commercial certificate and dedicated IP address
- https://www.reconomy.org/ -- CAcert non-commercial certificate and shared IP address (SNI)
- https://www.earthinheritors.net/ -- CAcert non-commercial certificate and shared IP address (SNI)
- https://parrot.transitionnetwork.org/ -- Gandi TN wild card cert and shared IP address (SNI)
- https://parrot.webarch.net/ -- CAcert non-commercial certificate, this is the default site for clients without SNI support
None of the sites are set to enforce HTTPS for logins; this should be done ASAP for intransitionmovie.com.
I think we have several options going forward; the first 3 of these are the only viable ones though, IMHO:
SNI and Separate Certs and Shared IP
Get a Gandi SSL cert for each site and rely on SNI rather than having a dedicated IP address for each site. This is the cheapest way to solve the problem; the certs are around £15 each.
The clients that don't work with SNI are listed here: https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side
Multi-domain Cert and Shared IP
Get a Gandi SSL cert with all the domains in. This is a little more expensive than separate certs (around £20 per site), but it means that all the clients that don't work with SNI will work. One issue with this is that when adding a new site a brand new cert would be needed, as additional names can't be added to multi-domain certs during their lifetime; this could be worked around by getting a single domain cert to run to the end of the life of the multi-domain cert (this would use SNI).
Separate Certs and Dedicated IPs
Getting a cert per site and a dedicated IP per site would cost the most, as each IP address costs around the same as each cert (so about £30 per site). It also seems like a great waste to use up an IP per site when they are so scarce and when technical workarounds to this old problem like multi-domain certs and SNI are now available. I don't favour this option.
Non-commercial CAcert Cert
This is the cheapest; it's fine if people are able to install the http://cacert.org/ root certificate, but this is something that non-technical people seem to find hard, and they also don't understand the security warnings that they get when the cert isn't installed. This option is the one currently in use, but it's far from ideal, and one of the other options needs to be adopted before enforcing HTTPS logins is deployed. I don't favour this option.
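An added illustration of the SNI-on-a-shared-IP option above, not configuration taken from this ticket or the Parrot server: nginx terminates HTTPS, chooses the certificate from the SNI name, hands clients without SNI a default certificate, and proxies to Apache. Hostnames are the ticket's; the certificate paths, the Apache backend port and having nginx rather than Apache redirect logins to HTTPS are assumptions.

```nginx
# Added example (not the ticket's config): hostnames from the ticket, paths and ports assumed.

# Default site for clients without SNI support: they get this certificate whatever
# name they asked for (the ticket uses parrot.webarch.net for this role).
server {
    listen 443 ssl default_server;
    server_name parrot.webarch.net;
    ssl_certificate     /etc/ssl/certs/parrot.webarch.net.pem;     # assumed path
    ssl_certificate_key /etc/ssl/private/parrot.webarch.net.key;   # assumed path
    location / {
        proxy_pass http://127.0.0.1:8080;                          # assumed Apache backend port
        proxy_set_header Host $host;
        # WordPress must map this header to $_SERVER['HTTPS'] in wp-config.php,
        # otherwise FORCE_SSL_ADMIN behind the proxy produces a redirect loop.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# One block per site: nginx chooses the block, and so the certificate, from the
# SNI name the client sends. Repeat for each hosted site.
server {
    listen 443 ssl;
    server_name www.reconomy.org;
    ssl_certificate     /etc/ssl/certs/www.reconomy.org.pem;       # assumed path
    ssl_certificate_key /etc/ssl/private/www.reconomy.org.key;     # assumed path
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Plain-HTTP listener: logins and the admin area are sent to HTTPS so credentials
# are never posted in clear; everything else still passes through to Apache.
server {
    listen 80;
    server_name www.reconomy.org;
    location ~ ^/(wp-login\.php|wp-admin) {
        return 301 https://$host$request_uri;
    }
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

A client that sends no SNI name lands in the default_server block and sees the parrot.webarch.net certificate, which is exactly the name-mismatch warning the ticket describes for non-SNI browsers.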
Change History
comment:1 Changed 4 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.0 to 0.1
comment:3 Changed 3 years ago by chris
There are now only 3 active sites (sites that admins are updating) on this server (Transition Culture is an archive):
- http://www.reconomy.org/
- http://www.transitionstreets.org.uk/
- http://www.transitiontowntotnes.org/
It would cost £30+VAT to get SSL certs for all the sites and it would take perhaps an hour to set up a Nginx reverse proxy for HTTPS and add Apache redirects.
Ed -- is this something that can be considered this financial year?
The certificate from http://cacert.org/ was generated using the csr script from http://wiki.cacert.org/CSRGenerator and the domains it contains follow: