So SSL is Set Up? But Did You Remember the www Domains?
So I had set up SSL for one domain, the non-www domain. Then I noticed that the www domains did not work, but only on the second and subsequent visits. This blog post explains this behaviour - and I did then get an SSL certificate for the www domain too!
Nginx config files
For this post, we need to know that Nginx is the web server used for the ghost blog, and that it had two existing config files on the server after SSL was set up for the idontunderstand.it domain in the folder /etc/nginx/sites-available:
Config file | Action |
---|---|
idontunderstand.it-ssl.conf | Sends request to nodeJS server that runs ghost. Knows about SSL certificate from Let's Encrypt - created by ghost SSL set up command in a previous blog post. |
idontunderstand.it.conf | Created by ghost before doing the SSL setup. |
The above are both for the non-www domain versions of the site.
All of the Redirects
Once I installed an SSL certificate for idontunderstand.it (which is the domain that I purchased), this is the behaviour I was observing:
Visiting | Does the browser indicate a valid SSL certificate | Page that you land on | Behaviour |
---|---|---|---|
https://idontunderstand.it | Yes | Blog | Clicking any links, redirects to http page - not good! |
http://idontunderstand.it | Yes | Blog | Clicking any links, redirects to http page - not good! |
https://www.idontunderstand.it/ | Yes, but first visit only | Blog the first time. Browser warning page "Your connection is not private" the second time | First and second visits differ! |
http://www.idontunderstand.it/ | Yes, but first visit only | Blog the first time. Browser warning page "Your connection is not private" the second time | First and second visits differ! |
Searching around online I found this useful blog post.
Explaining All Links Redirecting to HTTP
Behaviour
All links within the non-www pages were http. This makes sense, as all links just point to idontunderstand.it (the http version), whose config file initially had no idea about any SSL certificate. So it sounds like this config file has to change, to know about the SSL certificate.
Solution
For these non-www pages, I simply modified their corresponding config file idontunderstand.it.conf, to make the location block appear as per the below, and restarted nginx.

```nginx
location / {
    return 301 https://idontunderstand.it$request_uri;
}
```
What this does is simply tell anyone visiting these pages to go to the https version instead, which does have an SSL certificate.
Explaining the Browser Warning Page for the www Pages
Behaviour
But then I noticed behaviour that was strange when visiting the www version (https and http).
For the https www version for the first visit, here's the network tab:
Note that the error ERR_CERT_COMMON_NAME_INVALID shown occurs when the certificate does not match the domain. This makes sense, since I did not yet have a certificate for the domain with www. prefixed to it.
The page loads the first time, due to the 301 redirect in the config file. But not the second time, which shows a browser warning page and shows this in the network tab:
For the http www version for the first visit, here's the network tab, which makes sense due to the 301 redirect in the config file:
The page loads the first time again. But not the second time, which shows a browser warning page and shows this in the network tab:
If I open Fiddler in the background, and keep reloading the www pages in Chrome, things get even stranger. The www pages load every time, and Fiddler shows a 304 Not Modified, which is a redirection to a cached resource. Fiddler does have a pop-up to warn users it interferes with traffic capture!
Anyway, any access to the www sites will trigger a certificate warning in a browser. But the first time you visit a site is special, as the browser has nothing in memory. So this behaviour makes sense.
Solution
The solution is to generate an SSL certificate for the www domain, which I did the same way as the non-www domain in my last blog post.
After that, as per that previous blog post, I created the last config file below. I also list the previously existing config files here too for completeness:
Config file | Action |
---|---|
idontunderstand.it-ssl.conf | Sends request to nodeJS server that runs ghost. Knows about SSL certificate from Let's Encrypt - created by ghost SSL set up command in a previous blog post. |
idontunderstand.it.conf | Created by ghost before doing the SSL setup. |
www.idontunderstand.it-ssl.conf | Redirects to https non-www site. Created by ghost ssl set up command. |
www.idontunderstand.it.conf | Redirects to https non-www site. |
Alternative solutions to all of this would have been to get a wildcard certificate instead of two certificates, or to use something like Cloudflare.
All of the redirects were interesting to investigate in any case!
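
The check below is an added example, not code from the original post. It shows which of the site's two hostnames a certificate's name list covers, which is the mismatch behind ERR_CERT_COMMON_NAME_INVALID and a point to check when considering the wildcard alternative. The certificate name lists are constructed, and the matching is a simplification of what browsers do.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# Simplified RFC 6125-style matching: an exact match, or a "*" that stands
# for exactly one leftmost label. The SAN lists below are constructed.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never stands for zero or several labels
    if p_labels[0] == "*":
        # Require at least two labels after the wildcard, so "*.it" is rejected.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(san_list, hostnames):
    """Hostnames for which a browser would report a name mismatch."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_list)]


SITE_NAMES = ["idontunderstand.it", "www.idontunderstand.it"]

# Constructed SAN lists for the situations discussed in the post.
CERTS = {
    "apex only": ["idontunderstand.it"],
    "wildcard only": ["*.idontunderstand.it"],
    "apex + www": ["idontunderstand.it", "www.idontunderstand.it"],
    "apex + wildcard": ["idontunderstand.it", "*.idontunderstand.it"],
}

if __name__ == "__main__":
    for label, sans in CERTS.items():
        missing = uncovered(sans, SITE_NAMES)
        result = f"mismatch for {missing}" if missing else "all names covered"
        print(f"{label:16} -> {result}")
```

A wildcard entry on its own covers www but not the bare domain, so a wildcard certificate would still need idontunderstand.it listed as a second name.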