[Solved] Question Regarding The SSL For Sub-Domain


codesays

Hello Admin!

 

I just created my Stevie account, and I am considering getting SSL for the site. But I have a question about the SSL certificate. Does the certificate cover the sub-domain?

 

For example, if I have a website https://example.com with a Stevie SSL account. Then I add a sub-website http://sub.example.com under the SAME Stevie account (in another directory). Is the sub.example.com protected by the SSL certificate also? If not, can I get another free SSL certificate for the sub-domain, and how? Thanks!!!

 

Sorry, due to network issue, the post was submitted twice.

Link to comment
Share on other sites

It depends upon what kind of certificate you use.

 

You need what's known as a "wildcard certificate" (a certificate for *.example.com) if you want it to cover subdomains. A regular certificate (for just example.com without the *. ) will not cover them. Be aware that such certificates are extremely expensive compared to regular ones. If you need SSL cheaply, your best bet is to either:

  • Not use subdomains
  • Create a secure.example.com subdomain and buy a certificate just for secure.example.com to secure that subdomain. Everything will be unencrypted except for that one subdomain. Use the secure subdomain to store things like payment scripts and login systems and leave the rest of your site unsecured.

Also, if you do SSL, use Stevie. Johnny's performance is already terrible without it, and the SSL will just make that poor performance even worse.

Link to comment
Share on other sites


Thanks for your detailed explanation! I must have misunderstood something there :mellow:

So:

To use an SSL certificate, I MUST get a dedicated IP address first, right?

And you do not sign the certificate, so I need to get a certificate somewhere else, correct?

 

Many thanks!!!!

Link to comment
Share on other sites

Yes you must get a dedicated IP address. That's what the $12 fee is for. Our provider charges us $12 for it, so we just pass the cost to you.

 

As for the certificate, yes, that must be obtained from a certificate authority. We do not sell certificates. Many are $10-50 a year depending on vendor for regular ones. Wildcard ones are extremely expensive (on the order of $200-500 a year). There are some promising upcoming free providers though. Let's Encrypt is probably the biggest of them (now a public beta), but I'm not sure if they ever got the stuff required to prevent browsers from showing warnings, and you need to use a Linux PC with it installed to generate them.

Link to comment
Share on other sites


For the IP address fee, is it one-time or yearly? I got different answers, when I searched our website.

 

For the Let's Encrypt, to verify the ownership, they will create some files inside the website. Do we (consider to) officially support that script? Otherwise, I need to manually sync the verification files.

Link to comment
Share on other sites

IP address is yearly according to Krydos (who pretty much runs the place). I'd have to ask though, as our website tells a different story.

 

As for Let's Encrypt, I don't know if we support it as I haven't personally read the detailed documentation for their service. If it uploads something over FTP, you're probably good. If it uses SSH, it's not supported. Also, I think browsers will still see security warnings in its current state (it hasn't gotten the cross-certificates it needed last I heard).

Link to comment
Share on other sites


A quick update: Let's Encrypt got the cross-certificates from IdenTrust.

Link to comment
Share on other sites


You don't need SSH to run the client. Let's Encrypt has provided an option to manually verify the domain's ownership. All you need is to upload a file under a specific folder that the Let's Encrypt client provides to you.

The only requirement is that you need a Linux machine available to execute the client. There isn't one available for Windows yet. However, you can use a VM for this, like I have done.

Link to comment
Share on other sites


It is really good to hear from a Let's Encrypt user!

 

I do not have experience with Let's Encrypt. But as far as I can see in the documents, a single certificate can verify one domain and many sub-domains at the same time. For example, one single certificate can cover both example.com and sub.example.com. Suppose I host example.com and sub.example.com under one Stevie account, say example.com in /user/example/www_one and sub.example.com in /user/example/www_two. Is it workable that I upload the one certificate, and both domains get covered? Thanks!!!

Link to comment
Share on other sites

It's not the account layout, it's the name of the domain that's embedded in the certificate that matters. A wildcard certificate to include all subdomains will have "*.example.com" on it. A normal certificate will only have "example.com" on it (without the *.).

 

What the docs refer to is a third option: multiple domain certificates. These are certificates good for a specified list of multiple (sub)domain names (these are sometimes called "SAN Certificates" because the SAN field on the certificate is used to include the alternate (sub)domain names).

 

If you use such a certificate, you need to reissue and reinstall your certificate with the new domain included if you decide to add a new secure subdomain later on.

 

We only support one certificate per physical person (an account can only have one certificate per IP, only 1 IP per account, and you cannot have two accounts). The only way to cover example.com as well as subdomains is to use either a multiple domain certificate (as described above and in LE's docs) or a wildcard certificate (if LE decides to support it...they don't right now).

Link to comment
Share on other sites
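The name matching discussed in the post above, as an added example that is not part of the original thread: it checks which hostnames each certificate type covers, using the usual RFC 6125 rule that a wildcard stands for exactly one leftmost label. The certificate name lists and the site list are constructed sample data, and the function names are illustrative.

```python
# Added example: hostname coverage for the certificate types named in the thread.
# All name lists below are constructed sample data, not read from real certificates.

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (CN/SAN entry) against a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard replaces exactly one label, never zero or two
    if p[0] == "*":
        # Wildcard must be the entire leftmost label and sit on at least
        # two further labels, so "*.com" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h     # no wildcard: exact, case-insensitive match


def uncovered(cert_names, hosts):
    """Return the hosts that no name on the certificate matches."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


CERTS = {
    "regular": ["example.com"],
    "wildcard": ["*.example.com"],
    "wildcard + bare domain": ["*.example.com", "example.com"],
    "multi-domain (SAN)": ["example.com", "sub.example.com"],
}
SITES = ["example.com", "sub.example.com", "shop.example.com", "a.sub.example.com"]


def coverage_report():
    """Map each certificate type to the sites it leaves without a valid name."""
    return {kind: uncovered(names, SITES) for kind, names in CERTS.items()}


if __name__ == "__main__":
    for kind, missing in coverage_report().items():
        print(f"{kind:24} not covered: {', '.join(missing) or 'none'}")
```

The report shows why a multi-domain certificate has to be reissued when a new subdomain such as shop.example.com is added, and that a name of the form *.example.com by itself does not match the bare example.com.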


Thanks for your explanation!

Link to comment
Share on other sites
