Pitfalls of adding an SSL Certificate to your WordPress site or your Podcast.
tl;dr:
Follow these steps to set up SSL, but above all check your domain on https://decoder.link/sslchecker/diversifyyourselfesteem.com/443 (swap in your own domain) to be sure it is working properly and to isolate the issue. I found my problem right away and was able to solve it from here.
I just went through the joy of activating and configuring the SSL of my website, www.diversifyyourselfesteem.com.
I invested the time because there is substantial evidence that not having a proper TLS (SSL) setup for your site will get it marked as untrusted in browsers and hurt its Google ranking.
Now, hosting providers will often auto-configure SSL for you. But in this world of ‘unbundling’, where you get the basics for cheap and pay for every extra, I fell into the bear-trap.
I got cheap hosting for a WordPress instance using Namecheap’s new WPEasy. Now, to be fair, it is very easy to set up the actual site. A few minutes of signing up and paying and your site is rolling.
But the SSL Cert was extra.
I was a little annoyed as they hadn’t mentioned it but it’s like A$10 a year so I just bit the bullet. You can also potentially use Let’s Encrypt to create free SSL certificates.
I had hoped that if I paid this nominal sum to get it through my hosting provider (Namecheap) it would auto-configure. A fair assumption as a paying customer, for something that can be done for free using open source software.
Just kidding.
You still have to do all the CSR generation, SSL activation, ca-bundling, intermediate chains and private key configuration.
The Namecheap documentation was painful. After muddling through it for a few hours I misconfigured it once, which caused fatal issues with the RSS feed of the podcast hosted through my WordPress site.
Turns out I had messed up the ca-bundle step, which meant my ‘intermediate chain’ was misconfigured. That confused both Apple Podcasts and Spotify to differing degrees: they were unable to find my new episode when I pushed it out because the SSL chain was not legit.
Now moving forward there is talk of SSL certificates being compulsory so let’s get it right.
So I will walk you through the process I followed that worked, and will work for you — if you use Let’s Encrypt you will likely have a slightly different process but ultimately a similar outcome.
Step 1: Purchase an SSL certificate.
I got mine from Namecheap because they host my website and I bought my domain from them. Having it all in one place made configuring things simpler.
Step 2: Generate the CSR:
Namecheap has a CSR generator: you enter some preliminary information about your business/website and it creates the CSR. It produces a number of things, but what really matters is the private key, which you must keep to yourself. You submit the CSR into the box to move on to activate the SSL certificate itself.
Paste the private key into a file called your_website.key. Do it with a plain text editor to be sure nothing gets reformatted.
Step 3: Activate the Certificate
This has 3 possible approaches. I believe the simplest to be CNAME DNS validation. Select this option and it will take you to the host and key values. These are some jargony words, but essentially:
- Go to your domain name management page.
- Go to DNS management.
- Click add record.
- Select CNAME out of the record types.
- Set the host value to the one given by the SSL activation process, without your domain in it. So if it is 012390fajdfa90jef.YOURWEBSITE.com then just take everything before the first dot.
- Paste the key value into the value/target field.
- Set the TTL to the minimum value (e.g. 1 minute).
- Finish. Get a beer and relax. Sike!
Step 4: Ultimate Fuckery
Now this is where I got salty: in a point-and-click web 2.0 Software-as-a-Service world, why I now needed to go and edit the certificate files is beyond me.
But in simple terms:
- You receive a zip file. Unzip it.
- There is a .crt and a .ca-bundle file.
- Open the .ca-bundle in a PLAIN TEXT EDITOR (Notepad, WordPad, VS Code, etc.).
- Copy the entire file.
- Open the .crt file and paste the contents of the ca-bundle into it, below the existing certificate’s END CERTIFICATE line. Your own certificate stays first; the intermediates follow it.
- Save this as my_combined_certificate.crt.
Step 5: Victory Royale
Alright, if you haven’t given up by now you’re almost there. Nice one.
You should have by now:
- CSR (consumed already, forget it)
- private key file (.key)
- combined certificate and ca-bundle intermediate chains (.crt)
- A dwindling will to live (maybe)
The remaining steps are easy: log in to your host and go to the SSL area of the config. In WPEasy it is in the Domain tab.
- It will have an upload for the SSL certificate (upload the .crt).
- It will have an upload for the Private Key (upload the .key).
- Click activate/yes/confirm/flick the switch to on.
Confirming the damage
Alright, so to be sure that you are done, you’ll want to check it is all working. It looked good when I first did it. But then Apple Podcasts Connect started complaining and erroring out. Spotify said nothing but didn’t find new episodes. A whole mess.
Using this website is a dream: enter your website and keep port 443: https://decoder.link/sslchecker/diversifyyourselfesteem.com/443
For me the problem was the Chain Issues.
The immediate SSL certificate was functioning, so Chrome was telling me https worked (a browser can fill in a missing intermediate itself). But when the Apple service connected to the port it relied on the server handing over the full intermediate chain, and that was failing.
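To make Step 4 and this chain check concrete, here is an added example (not the author’s code or anything from Namecheap or WPEasy) that assembles the combined certificate file the way the step describes, site certificate first and the ca-bundle appended after it, and then performs the offline structural checks that catch the mistakes behind a “chain issues” result: a forgotten bundle, BEGIN/END markers run together or unbalanced, or a base64 body mangled by a word processor. The sample “certificates” are constructed placeholders (a DER SEQUENCE wrapping a label), not real certificates.

```python
"""Assemble and sanity-check a combined certificate file (leaf + intermediates).

Added example; the helper names and the sample data are constructed for
illustration and are not part of any hosting provider's tooling.
"""
import base64
import re

# One PEM certificate block; DOTALL lets the body span multiple lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def assemble_chain(leaf_pem: str, bundle_pem: str) -> str:
    """Return the combined PEM: the site's own certificate first, then the
    intermediates from the ca-bundle in the order the CA shipped them.
    A newline is forced between the parts so an END marker and the next
    BEGIN marker never land on the same line."""
    return leaf_pem.strip() + "\n" + bundle_pem.strip() + "\n"


def inspect_chain(combined_pem: str) -> dict:
    """Structural checks on a combined PEM file.

    This does not verify signatures; it catches the editing mistakes that
    produce 'chain issues': a missing bundle, unbalanced markers, or a body
    that is no longer valid base64 / DER.
    """
    problems = []
    begins = combined_pem.count("-----BEGIN CERTIFICATE-----")
    ends = combined_pem.count("-----END CERTIFICATE-----")
    if begins != ends:
        problems.append(f"unbalanced markers: {begins} BEGIN vs {ends} END")

    blocks = PEM_BLOCK.findall(combined_pem)
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"certificate {i}: body is not valid base64")
            continue
        # Every X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
        if not der or der[0] != 0x30:
            problems.append(f"certificate {i}: decoded body is not a DER SEQUENCE")

    if len(blocks) < 2:
        problems.append("only one certificate present; the ca-bundle "
                        "(intermediate chain) is missing")
    return {"certificates": len(blocks), "problems": problems}


def _fake_pem(payload: bytes) -> str:
    """Constructed placeholder for the demo: a DER SEQUENCE wrapping a label.
    It is NOT a real certificate and would fail any signature check."""
    der = b"\x30" + bytes([len(payload)]) + payload
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed sample input standing in for the .crt and .ca-bundle files.
SAMPLE_LEAF = _fake_pem(b"leaf: www.example.test (constructed)")
SAMPLE_BUNDLE = (_fake_pem(b"intermediate 1 (constructed)")
                 + _fake_pem(b"intermediate 2 (constructed)"))


if __name__ == "__main__":
    combined = assemble_chain(SAMPLE_LEAF, SAMPLE_BUNDLE)
    print(inspect_chain(combined))     # 3 certificates, no problems
    print(inspect_chain(SAMPLE_LEAF))  # leaf only: bundle missing
```

Run it against your real my_combined_certificate.crt by reading the file into `inspect_chain`. Once the file is uploaded, the check that matters is what the server actually sends: `openssl s_client -connect yourdomain:443 -servername yourdomain -showcerts` should print your certificate followed by the intermediates, which is exactly what the decoder.link checker is looking at when it reports chain issues.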
Annoying and confusing. Hopefully this helps you avoid the same issue.