ssl

Fixing Safari's 'can't establish a secure connection' when updating a self-signed certificate

I do a lot of local development, and since almost everything web-related is supposed to use SSL these days, and since I like to make local match production as closely as possible, I generate a lot of self-signed certificates using OpenSSL (usually using Ansible's openssl_* modules).

This presents a problem, though, since I use Safari. Every time I rebuild an environment using my automation, and generate a new certificate for a domain that's protected with HSTS, I end up getting this fun error page:

Safari Can't Open the Page – Safari can't open the page because Safari can't establish a secure connection to the server 'servername'.

Self-signed certificates via Ansible for local testing with Nginx

Most of my servers are using TLS certificates to encrypt all traffic over HTTPS. Since Let's Encrypt (and certbot) have taken the world of hosting HTTPS sites by storm (free is awesome!), I've been trying to make sure all my servers use the best settings possible to ensure private connections stay private. This often means setting up things like HSTS, which can make local / non-production test environments harder to manage.

Consider the following:

Remove a single Certbot (LetsEncrypt) certificate from a server

I've been using Certbot to generate and renew Let's Encrypt certificates for most of my smaller sites and services, and recently I needed to move a site from one server to another. It was easy enough to build the new server, then generate the certificate on the new server and use it in Apache or Nginx's configuration.

However, on the old server I no longer wanted to have the old certificate get renewed every week/month/etc. during the certbot-auto cron runs, so I looked to see if there was a way to simply have Certbot delete a certificate. It turns out there's not, but there is an issue—adding -delete option to remove the cert files—to add this functionality.

Force SSL (https://) for only one virtual host with .htaccess

Many servers I help administer host many websites, and every now and then, someone wants me to set up a secure (SSL) certificate for one of the websites on the server. Once the certificate is working in Apache, and users can access the site at https://example.com/, they also request that all traffic that was originally destined for either http://www.example.com/ or http://example.com/ be routed to the secure site.

This can be slightly tricky if you're using multiple VirtualHosts on the same server/multisite installation with something like WordPress or Drupal, because if you just add something like the rules below, with multiple sites routed through the same .htaccess file, ALL sites will be routed to the https version (which is not what's desired):

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R,L]