HTTPS www. problem

Hi, I’m pursuing HTTPS status for my websites. Unfortunately, my budget is quite limited. I picked up hosting with Omnis.com on the advice of my prior host, AMHosting.com, because Omnis offers hosting as a single account for unlimited websites/space/traffic with fixed IP for $107/year. They don’t offer Let’s Encrypt cooperation, but give me a CSR for each domain to take to ZeroSSL.com, and then install the resulting certificates for me. The problem is, the CSR doesn’t cover the www. version of the site. I’m using .htaccess to redirect www.x.com to x.com, which works well for http, but does not work for https access. If a visitor asks for https://www.x.com, the browser complains that the certificate is only for x.com. Omnis support says they can’t give me a CSR for the www. version of my sites. I’ve spent hours researching a solution, but since I don’t have root access to the server most of what I find is useless. I looked at multi-URL certificate prices and was discouraged about trying for one of those. I’m considering moving hosting again to a company that offers Let’s Encrypt cooperation.

I can't imagine any good reason why they would decline to do this.

Ask your support representative why they can't do it, or ask for a new support representative.

You could also try to just issue the certificate using your own private key/CSR in ZeroSSL, and then just send them the private key and certificate files to install. Minimize your host's role in the process.

What type of control panel do they provide you? If you have to email them the certificate every 90 days (the duration of Let's Encrypt certificates), I can imagine that would get very tedious for you.


I am getting different answers from different people, and it seems like everyone is pointing their finger elsewhere. Here's from a chat with my AMHosting.com tech support:
John: typically a CSR is given for a domain name; would need to add www to the cert at the SSL provider
KGH: Omnis tech said, "You would need to add www to the cert at the CA as we cannot bind a separate cert to www. Once added please send the cert back to us and we can do this." I have no way to do this. ZeroSSL is taking the domain name from the CSR and not giving me a way to add the www. variation.

Here's my thread at the Let's Encrypt bulletin board about the setup:

I don't have a private "domain" key; my hosting service has that. They give me the CSR, but only for the bare domain. The control panel does not say what software it is, nor the version. They don't even tell me what server OS is running, though I think it is some flavor of Linux.

Yes, I have to email them the certificate every 90 days. Bless Let's Encrypt for affordable SSL!

The big Q is, is there a way to add the www. variant to the bare URL CSR in ZeroSSL?

Thanks very much for your help, KGHN

I don't think so. The CSR is signed with the private key so that it is secure against tampering, and ZeroSSL itself takes the domain list from the CSR's list of domains.

John can create a multi-domain CSR for you. The domains don't have to be added on the CA side.

  1. Create san.conf

    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    [ req_distinguished_name ]
    countryName         = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name (full name)
    localityName        = Locality Name (eg, city)
    organizationName    = Organization Name (eg, company)
    commonName = Common Name (e.g. server FQDN or YOUR name)
    [ req_ext ]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = x.com
    DNS.2 = www.x.com
    
  2. Generate the CSR

    openssl req -new -out csr.pem -key privkey.pem -config san.conf
    
  3. Stick it into ZeroSSL, it will pick up your two domains

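The procedure above, as an added example that is not code from the thread: a shell script that generates a private key, writes the SAN config, builds the CSR for both the bare and www. names, and then reads the DNS names back out of the CSR so you can confirm both are present before sending it to the CA. It assumes the openssl CLI is installed; x.com and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR whose subjectAltName covers
# both the bare and www. names, then read the names back before handing it to
# the CA. Assumes the openssl CLI; x.com and the file names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write the OpenSSL request config with a subjectAltName extension.
write_san_conf() {
  # $1 = output file, $2 = bare domain
  cat > "$1" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
commonName = $2
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $2
DNS.2 = www.$2
EOF
}

# Generate a fresh RSA private key; it stays with you and never goes to the CA.
make_key() {
  openssl genrsa -out "$1" 2048 2>/dev/null
}

# Build the CSR from the key and config, then check its self-signature.
make_csr() {
  # $1 = key file, $2 = config file, $3 = output CSR
  openssl req -new -key "$1" -config "$2" -out "$3"
  openssl req -in "$3" -noout -verify >/dev/null 2>&1
}

# Print the DNS names the CSR actually requests, one per line.
csr_dns_names() {
  openssl req -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

write_san_conf "$WORK/san.conf" x.com
make_key "$WORK/privkey.pem"
make_csr "$WORK/privkey.pem" "$WORK/san.conf" "$WORK/csr.pem"
csr_dns_names "$WORK/csr.pem"
```

If the last command does not list both names, the CA cannot add the missing one for you; fix the config and regenerate the CSR before submitting it.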

I have great hopes that this will work. I just sent the info to Omnis. I’ll report back.
KGHN

Agreed. Adding it to the cert at the CA is fine, but if you don't have the certificate's private key and only have a CSR, all of the subject domain names need to be mentioned in the CSR by the person or entity who created the CSR.

@_az and @schoen , thank you.
Hooray! After I sent them _az’s instructions, Omnis figured out how to give me a CSR for both the bare and www. versions of the URL. (They didn’t tell me how they did it.) I copied that CSR into ZeroSSL’s wizard and got a Let’s Encrypt certificate. (Details of that process are in this post: Have fixed IP and CSRs, need SSLs to give to hosting service. I had to tell NoScript to allow scripts globally this time during the ZeroSSL procedure.) I sent that certificate to Omnis, and they installed it on the server for me. All the variations of the URL work now. Phew. I think I can use the same CSR when I need to renew the certificate. Mark this one SOLVED.

Yes, you should be able to reuse it indefinitely. That will mean, though, that you aren't changing your private key with renewal, which some folks prefer to do.

@danb35 You make a good point, and good to keep in mind for future projects. Just now, I primarily don’t want to be embarrassed by an “insecure website” notice from visitors’ browsers. My sites are plain HTML, with a php contact page and a paypal button for a simple sale on one site (barth1962.com), or a donation (kghn4mt.com) on the other. No user info stored. If someone did get access, I expect the consequences would be pretty mild. (Right?)

Hi @CLogic. This should not be the case with NoScript - the only 2 sites you are interacting with in the process are zerossl.com and letsencrypt.org. If zerossl.com is not enabled, the interface would not load and you would see a message explaining that JavaScript is required for it to work. If letsencrypt.org is not enabled, you would be getting an error saying that SSL Certificate Wizard was not able to load the resource directory. As long as both zerossl.com and letsencrypt.org are not blocked, everything should work fine (this has been tested with the recent Firefox and NoScript).

If it is not the case, please let me know and tell me which browser version and NoScript version you are using, so I might try to reproduce that issue.

@leader, Yes, the “not able to load the resource directory” is exactly why I had to enable scripting globally. My habit is to just enable scripting temporarily as I need it. I figured out ZeroSSL.com easily at the start. But NoScript did not give me the info that I needed to enable letsencrypt.org - usually it shows its control button when a site is blocked but it didn’t this time. I just got the error when I clicked NEXT, and didn’t know what site I needed or how to enable its scripting, except to turn it all on briefly (through Tools/Add-Ons). I am running Win7-32, PaleMoon browser Version: 27.7.2 (32-bit), and NoScript 5.0.6. (PaleMoon started as a Firefox derivative, and is intended to be a secure browser, lightweight for older machines.)

The way NoScript works is that it shows the options to block some sites once it knows they were accessed. Basically on the initial load you will not see “letsencrypt.org” on the list, because your browser has not tried to access it yet. But once that attempt is made (and the “directory” error is shown), letsencrypt.org will appear in the NoScript’s dropdown. I hope that helps :)


@leader, Yes, on my system, that’s how NoScript usually works. With certain options on a few banking sites, and now on zerossl.com, I sometimes just don’t get the dropdown. I have no idea how many other people encounter this obscure difficulty, but I thought I might mention it just in case.
