Mid June – SSL Certificate Renewal

Coinciding with my birthday, the timing was such that the XBOP website SSL certificate expired, which was the reason for recent website connectivity challenges, particularly if you utilise Google Chrome as your preferred browser for viewing XBOP. My apologies for any inconvenience experienced by you in attempting to visit XBOP.

Google Chrome increased their security settings to display an unfriendly disclaimer message to warn web surfers that a particular site may have security issues, which an expired SSL certificate will trigger. The following screen-shot image would have presented itself as a rather unfriendly barrier to accessing XBOP, and interestingly, I have noticed the drop in successful website traffic… so I can see first-hand and quantify the impact that this issue has caused me.

Of course, the link at the bottom left provides a work-around to this annoying situation and still allows visitors, including myself, regular access to the website. Naturally, I suppressed the warning message after repeatedly having to deal with the warning each time I clicked on an internal link – such as navigating through the WordPress admin portal… Unfortunately, I only suppressed the warning quite late and after a week or so of putting up with this situation.

At the time of writing this article, the solution is in the process of being implemented, but let me provide a narrative to this story since the learning process will actually help inform other web developers should they find themselves in a similar situation.

What is SSL or TLS?

The following video is a reference developed by Comodo and it provides a really good explanation of the key concepts:

 

The XBOP Experience

One of the key questions that I am sure you are wondering about is why I was not proactive in preventing the SSL certificate from expiring in the first place, and ensuring that I renewed it in a timely fashion. I suspect it is partly because a year ago, when I had upgraded my website host service to a dedicated server/IP address, the SSL certificate installation process was complimentary and relatively straightforward. Along the way, I performed another upgrade to the service, which I suspect disrupted what would have been a timely reminder… In upgrading to reseller status, SSL certificates become no longer self-manageable. I, of course, had forgotten a lot of the experience that I had acquired from two years previously when the original SSL certificate was first installed.

That first experience in learning about SSL certificates was also somewhat managed via Hostgator, and their service and explanation made it seem quite easy to utilise – no coding required, just follow their instructions and copy/paste the various pieces of information. This time around, I decided to purchase my own SSL certificate on my own, in a somewhat Do-It-Yourself (DIY) approach.

The brand/service provider I immediately considered was the Certificate Authority Comodo. No surprises there, really… Part of the reason why XBOP has endured for a good half of a month in this state of expired SSL certificate was that purchasing an SSL certificate direct from the likes of Comodo required my business – XBOP – to be validated, before the purchase and issuance would proceed. This was not a straightforward process as I would discover.

To start with, I attempted to utilise the standard ABN / Australian Business Registry reference point for small businesses, but was advised that I actually had to register my business with the globally recognised Dun & Bradstreet business services company. In my haste to simply renew and get a new SSL certificate I had inadvertently selected a corporate-grade unified communications SSL certificate. As a corporate-grade product, it offered the highest validation level, and somehow, because of my general busy-ness and desire to simply get a new SSL certificate, all these warning signs did not register with me… With my focus on simply wanting to get the SSL certificate, I dutifully submitted XBOP to Dun & Bradstreet where, fortunately, the process to register the business was free-of-charge and a simple application form completion.

In undergoing the highest validation level, I experienced the ultimate set of security and validation steps. I received an email which led me to a Comodo automated service, where I had to enter in an initial code. This then triggered a callback process, where they would telephone my registered business phone number. The automated call would then generate another code, which I then had to enter back into their website, along with my username & password credentials…

Whilst describing the above sounds straightforward, for me, undergoing the process was a lengthy and drawn-out experience because I had to find the time to do this outside of normal business hours! Arranging the callback took me 2-3 days, and the first time when I went through the process, I found out that I did not know my password! Resetting my password was also not a straightforward process, but involved a two-step process of receiving an initial email followed by a code, and finally a generated password would be issued. Naturally, the generated password was temporary and would expire after a short period of time.

With the callback validation service completed successfully, the certificate was issued, which left the final hurdle/step being the SSL certificate installation. I ended up spending the whole evening trying to remember how I installed the original certificate… the difficulty was that my host provider service had changed, as mentioned earlier. Much of the time was me logging into the various back-end systems trying to figure out where exactly to load the CRT and CSR files. Part of my confusion and misdirection originated from the Comodo instructions I was attempting to follow – which of course, applied to a corporate server environment, and I was dealing with a different hosting environment… After a lot of digging and futile attempts, I finally turned to Hostgator and their wealth of support material. It was here that I rediscovered what process and instructions I should have been following all along! Again, the warning signs failed to alert me to the fact that I had a corporate/premium certificate, and I ploughed headlong down the path in submitting the three different SSL certificate components to Hostgator, who dutifully actioned my request. The following status message was a relief of sorts…

When you factor in the time lapse in between the activities, from real-world life activities, you can appreciate why the above experience turned into more than a week! The irony from all this is of course, that I chose a product which featured all this extra security… Fortunately, I have the chance to correct this mistake and request a conversion of my newly installed SSL certificate, since Comodo offer a 30-day money-back guarantee. Again, there is great irony in the situation since my request to change the product was made at the same time that I received notification of the above completion status messages… and I suspect the journey is not quite over just yet…

As at the time of publication, I am calling it a night, and I hope that Comodo will minimise the amount of rework required for me to finally get XBOP security back to normal in the form of SSL certificates which will remain for the next three years!