Ticket #540 (new maintenance)

Opened 4 years ago

Last modified 3 years ago

HTTPS for WordPress sites

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Parrot server Keywords:
Cc: ed, laura Estimated Number of Hours: 2.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.1


Currently the wiki:WordPress sites have have the following SSL certificates:

None of the site are set to enforce HTTPS for logins, this should be done ASAP for intransitionmovie.com

I think we have several options going forward, the first 3 of this are the only viable ones though, IMHO:

SNI and Seperate Certs and Shared IP

Get a Gandi SSL cert for each site and rely on SNI rather than having a dedicated IP address for each site, this is the cheapest way to solve the problem, the certs are around £15 each.

The clients that don't work with SNI are listed here: https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side

Multi-domain Cert and Shared IP

Get a Gandi SSL cert with all the domains in, this is a little more expensive than seperate certs (around £20 per site) but it means that all the clients that don't work with SNI will work. One issue with this is when adding new site is that a brand new cert would be needed as additional names can't be added to multi-domain certs during their lifetime, this could be worked around by getting a single domain cert to run to the end of the life of the multi domain cert (this would use SNI).

Seperate Certs and Dedicated IPs

Getting a cert per site and a dedicated IP per site, this would cost the most as each IP address costs around the same as each cert, (so about £30 per site). It also seems like a great waste to use up a IP per site when they are so scarce and when technical workarounds to this old problem like multi-domain certs and SNI are now available. I don't favour this option.

Non-commercial CAcert Cert

This is the cheapest, it's fine if people are able to install the http://cacert.org/ root certificate but this is something that non-technical people seem to find hard and they also don't understand the security warnings that they get when the cert isn't installed. This option is the one currently in use but it's far from ideal and one of the other options needs to be adopted before enforcing HTTPS logins is deployed. I don't favour this option.

Change History

comment:1 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.0 to 0.1

The certificate from http://cacert.org/ was generated using the csr script from http://wiki.cacert.org/CSRGenerator and the domains it contains follow:

Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org

Short Hostname (ie. imap big_srv www2): parrot
FQDN/CommonName (ie. www.example.com) : parrot.webarch.net
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:parrot.webarch.net
SubjectAltName: DNS:*.parrot.webarch.net
SubjectAltName: DNS:parrot.transitionnetwork.org
SubjectAltName: DNS:*.parrot.transitionnetwork.org
SubjectAltName: DNS:reconomy.org
SubjectAltName: DNS:www.reconomy.org
SubjectAltName: DNS:reconomyproject.org
SubjectAltName: DNS:www.reconomyproject.org
SubjectAltName: DNS:intransitionmovie.com
SubjectAltName: DNS:www.intransitionmovie.com
SubjectAltName: DNS:intransitionmovie.org
SubjectAltName: DNS:www.intransitionmovie.org
SubjectAltName: DNS:transitionmovie.org
SubjectAltName: DNS:www.transitionmovie.org
SubjectAltName: DNS:earthinheritors.net
SubjectAltName: DNS:www.earthinheritors.net
SubjectAltName: DNS:

comment:2 Changed 4 years ago by ed

  • Milestone set to Maintenance

comment:3 Changed 3 years ago by chris

There are now only 3 active sites (sites that admins are updating) on this server (Transition Culture is an archive):

It would cost £30+VAT to get SSL certs for all the sites and it would take perhaps an hour to set up a Nginx reverse proxy for HTTPS and add Apache redirects.

Ed -- is this something that can be considered this financial year?

comment:4 Changed 3 years ago by ed

something to consider. along with the actual value of the Parrot server, I think. If there aren't any more sites running, it may be more suitable for TN to re-consider the Parrot experiment. So stand by.

Note: See TracTickets for help on using tickets.