WordPress does not play well with shared SSL
-
Normally, if you want to use SSL to get to this page:
all you need to do is write:
(that’s assuming SSL exists)
However, in my case, SSL exists, but in order to get to my page:
because I’m using a shared SSL certificate I need to write:
Let’s label these. The first method is Normal SSL, and the second method is Weird SSL. WordPress is written assuming that Normal SSL holds. Because of this, I can’t use WordPress. The specific problem that I have is complex, but in essence it is that I want to use WordPress so that it can be accessed publicly by http://, but at the same time I want to use https:// in order to administer it. And for some nasty thorny reasons, this can’t be done.
Suppose, for example, that I try to login. Since the login is at http://mypage.com/blog/wp-login.php, and I want to login using SSL, I write: https://mypage.com/~/mypage/blog/wp-login.php . And it works. So far, so good. But then the problems start. I type in my username and password, press the login button, and then WordPress tries to find the page:
https://mypage.com/blog/wp-login.php
Notice that the https is present, but the ~/mypage is absent. So WordPress has kept the https but removed the ~/mypage. Why did it do this? Apparently because WordPress has the location mypage.com/blog/wp-login.php hardcoded, though it allows http and https to be relative to which one you are currently using. The problem is that on my website, this page does not exist, because my website uses Weird SSL. If my website used Normal SSL, then that page would exist. But it uses Weird SSL. That’s why I say that WordPress assumes Normal SSL.
I have tried many solutions, some of which almost work. The one that seemed the most promising was to set the wordpress address to the correct https address and set the site address to the correct http address (in General Settings). At first I thought it worked. But as it turns out, WordPress uses a mix of wordpress address and site address when putting together the blog page, so that it fetches some of the items using http and other items using https. This would normally not be a problem, except that the SSL that I am using is an untrusted SSL, and Firefox (and I don’t know what other browsers) simply declines to fetch files over an untrusted SSL – nor, however, does it display the dialog you would normally see saying something like “this SSL certificate is untrusted, do you want to proceed anyway”. So on Firefox, the blog looks a complete mess. I can of course force Firefox to accept the files by directly using https in the address window, from which point it accepts all files and the blog looks fine. But the blog looks ugly to anyone who has not done that.
One solution is for me to buy SSL for my site, so that I can start using Normal SSL. However, this would more than double the cost of the site to me. It’s quite an expensive addition (relative to the price of the site).
By the way I have tried two other blogging platforms on my same site – namely, dotclear and textpattern. They both work fine, presumably because they use relative URLs, which allows them to adapt gracefully to the presence or absence of “~mypage” in the URL. I would much rather use WordPress on my site, because aside from this one problem it’s much more complete. However, I am having a very hard time with the idea of logging in via a non-encrypted connection. That is just so nineties. I have a strong aversion to it. Maybe I’m being irrational, but when I checked posterous.com to see whether a typical site doesn’t bother with encryption, I found that posterous in fact does encrypt the login (or at least seems to). So I’m not alone in my paranoia.
I’ve spent two days on the problem and seem to be coming down with something due to lack of sleep, so posting this is kind of a hail mary.
- The topic ‘WordPress does not play well with shared SSL’ is closed to new replies.