“WordPress’s implementation of SSL is kind of a botch” but I managed to get it working

TL;DR: The site is now SSL, but it was a real pain in the donkey to get there.

Long version: As of about an hour ago, Rant Roulette is now accessible via SSL. You may have noticed today that the URL now starts with https instead of http. This is for many reasons, but the main one is so that Google won’t start down-ranking search results starting in January. Even if I were to say “to hell with Google” (which, for the reason I’m about to explain, I came damned close to doing) it’s likely that most other search engines out there will eventually follow suit.

I have often made the joke that I know two languages: clean English, and profanity in English. (Technically, I know a small amount of Spanish as well, including some profanity, but I don’t normally mention this.)

So here’s a summary of what I went through to get here:

December 1, around 19:00 or so: I start looking into Certbot on the EFF site. The main obstacle before is that Certbot really wants to run on the web server, and it also wants root. This makes getting SSL on shared hosting mostly a non-starter, until I find out there’s a way to run it on my own machines and upload the certificates manually. I do this and find out my host (nearlyfreespeech.net) now has a way to just upload all the certificates into a web form. (Turns out there was an even easier CLI tool for doing this which I didn’t find out about until later.) I do this, and realize even though technically the site still comes up, I’m getting no stylesheet and no images. Changing the Project Wonderful ad banners over to https doesn’t help (but it needed to be done anyway).

The next couple hours, off and on: I start by changing the URLs in WordPress to https instead of http. I’m greeted by a redirect loop. Even worse, it’s a redirect loop that affects the entire site, including the WordPress dashboard. So I have to manually go in and edit the URLs back to http using phpMyAdmin. I utter some profanity and chug the half glass of Coca-Cola I had poured a few minutes prior, then go edit the database. Site is at least back up but still half-broken. I ask in two different IRC channels, one of them being #wordpress on Freenode. Nobody has any useful advice.

(Somewhere in here I also fix the botched upgrading of the Project Wonderful ad box code, but that’s kind of a minor thing compared to the whole site being down.)

Later: I try disabling NFSN’s “canonical SSL” redirect, as well as the canonical name redirect,┬áin an attempt to break the redirect loops. No joy. I have to manually edit the database several more times, but I don’t utter nearly as much profanity upon doing so because I’m getting fast at it. The profanity is reserved strictly for my frustrations, and for the moment I run out of Coke.

Early morning hours of December 2, from midnight up until about 02:00 or so: I try putting in a redirect in .htaccess, which still brings up the redirect loop. Finally, I stumble upon this gem in the NFSN forums, posted by someone using the forum name ‘lovekylie’:

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')

Adding this right above the “That’s all, stop editing!” comment in wp-config.php fixes everything. I’m able to change the URLs to start with https like they should be, and most everything appears to work. I am still getting the little yellow triangle with the padlock, but that’s because some images in posts are not https links.

I’ve already added that code snippet to my other WordPress blog at skqrecordquest.com even though I have not upgraded it to SSL yet (it does nothing if it’s not forwarding an SSL request, and arguably should be part of the WordPress internals).

Anyway, the title quote comes from later in the post from ‘lovekylie’ which I, unfortunately, kind of agree with after going through all that. Going forward, of course I hope that it’s no longer true. At the time I write this, 4.6.1 is current with 4.7 in “release candidate” status, meaning it’s going to be an actual release Sometime Really Soon. For all I know, that fix is already in there, but after all the downtime this week (there was a few hours of downtime a couple of days ago due to another blunder I made) I’m a bit leery of installing a version of WordPress that’s not an actual release (as opposed to beta or release candidate).