Web Admin help needed (SSL, Wordpress stuff)
#1
Elite Member
Thread Starter
iTrader: (7)
Join Date: Jul 2009
Location: Jackson, MS
Posts: 7,388
Total Cats: 474
Okay, looking for ideas here. This is the setup:
www.lemuriabooks.com (main domain, company website with secure pages for checkout)
blog.lemuriabooks.com (subdomain, company Wordpress blog, no secure pages)
Hosted on Bluehost.
This morning I checked the website as I normally do. Main site looks fine, blog looks fine, when I click to log in to the back end of the Wordpress blog...it redirects to the main site (www.lemuriabooks.com). That's odd. Try it again, same result. Check cPanel on our Bluehost account, the redirect for the blog.lemuriabooks.com is correct and pointing to the appropriate address.
Finally I notice that the link to the Wordpress back end is pointing to a secure https address...which it should not be. Those pages have never been secure. Back to cPanel, I confirm that there's no SSL certificate set up for the subdomain. Moreover, I remember that it's not possible for the subdomain to be secure -- Bluehost restricts accounts to one SSL cert and it can only be applied to the main domain.
So, I'm guessing that either Wordpress or the Wordpress security plug-in was updated or options were changed to make the Wordpress back end secure...only there's no SSL cert, so it keeps redirecting to the main domain site.
Ideally, I would log in to Wordpress, check the settings, and turn off whatever option in the security plug-in that is attempting to make the back end secure...except I can't log in to the back end in order to make those changes.
I have tried getting to the same Wordpress back end via the full address on the primary domain (LemuriaBooks.com.) but I can't get those pages to load -- either 404s, or redirecting back to the main page.
Any thoughts? At the moment, I've been trying to figure out (using FTP) what the correct full URL would be to get to the Wordpress back end admin page, but I'm not sure that that would work anyway.
Is there some way I can force the site to stop attempting to use a secure connection on those pages?
#2
Finally I notice that the link to the Wordpress back end is pointing to a secure https address...which it should not be. Those pages have never been secure. Back to cPanel, I confirm that there's no SSL certificate set up for the subdomain. Moreover, I remember that it's not possible for the subdomain to be secure -- Bluehost restricts accounts to one SSL cert and it can only be applied to the main domain.
So, I'm guessing that either Wordpress or the Wordpress security plug-in was updated or options were changed to make the Wordpress back end secure...only there's no SSL cert, so it keeps redirecting to the main domain site.
There is also a self-generated security certificate associated to your blog subdomain, created before your problems started.
I can dig a bit more, but what I think is going on is something else happened, and you were unaware that WordPress created a self-signed certificate to enable people to log in in a secure fashion (Read: Not ------- plaintexting login details, which is absolutely retarded.), but as a result of being unaware of the self-signed security certificate, are blaming the issues on a standard WordPress install.
Just my 2c, I could be full of crap, but no one plaintexts login details in this day and age. I'm digging a little bit more in your site, however.
#3
And a bit more detail...
I was wrong about the SSL certificate your blog subdomain is using. Your blog subdomain is using the certificate from your root domain and not the self-signed one I was originally looking at (A bit wtf, but w/es) - there's nothing to be worried about.
blog.lemuriabooks.com uses an invalid security certificate.
The certificate is only valid for the following names:
www.lemuriabooks.com , lemuriabooks.com
(Error code: ssl_error_bad_cert_domain)
The error stems from b*.l*.com trying to use a certificate from l*.com that is explicitly disallowed from using subdomains (Well, more correctly only explicitly allowed to use the root domain...).
The certificate itself is nothing to worry about. Remember, WordPress needs a certificate for secure logins. What you may want to consider is simply using b*.l*.com to redirect to l*.com/b* instead - this would also fix your security certificate issue.
I'm taking a closer look at the login stuff now.
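Added example (not part of any post in this thread): the name check behind the ssl_error_bad_cert_domain message quoted in post #3, written in Python with RFC 6125-style whole-label wildcard rules. The two certificate names come from the quoted error; the wildcard list is a constructed alternative the site does not have, and the function names are illustrative.

```python
# Added example: why blog.lemuriabooks.com fails against the certificate
# names quoted in the browser error. Function names are illustrative.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(hostname, pattern):
    """True if one certificate dNSName entry covers hostname."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        # Only a whole left-most label may be a wildcard, and it needs
        # at least two fixed labels after it (so "*.com" matches nothing).
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, san_dns_names):
    """Return the SAN entries that match hostname (empty list = mismatch)."""
    return [p for p in san_dns_names if name_matches(hostname, p)]

# Names taken from the error message quoted in the thread.
CERT_NAMES = ["www.lemuriabooks.com", "lemuriabooks.com"]
# Constructed alternative (assumption): a wildcard certificate.
WILDCARD_NAMES = ["*.lemuriabooks.com", "lemuriabooks.com"]

def report(hostname, names):
    hits = cert_covers(hostname, names)
    return f"{hostname}: " + (f"ok via {hits[0]}" if hits else "bad_cert_domain")

if __name__ == "__main__":
    for host in ("www.lemuriabooks.com", "blog.lemuriabooks.com"):
        print(report(host, CERT_NAMES))
    print(report("blog.lemuriabooks.com", WILDCARD_NAMES))
    # A wildcard covers one label only, so a deeper name stays uncovered.
    print(report("a.blog.lemuriabooks.com", WILDCARD_NAMES))
```
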
#4
wget returns a 404 error on "https://blog.lemuriabooks.com/wp-login.php"
Have you been messing with your login script, Mg? According to your server, it's not there.
(Edit) IE in W7 also verifies that it's missing. The problem is with your script, not your certificates - although I did explain how to fix the certificate error in a previous post, Mg. The behavior that redirects you straight to the root (l*.com) is a browser-specific addition likely related to avoiding 404s, as only some of the browsers I use do it, and others properly display the 404 error.
(Edit edit) Unless you wrote in specific functionality to auto-ban certain browsers and return a 404 error, but I don't think it's something you'd do.
#5
Thread Starter
Thanks, appreciate your help. Keep in mind that this is (obviously) not my area of expertise. I just happen to know enough to keep it running between big problems which are then passed to our contracted tech helper. But I'm having a hard time getting in touch with him today, and any time I can get it sorted out before he gets involved saves us money, so I usually take a stab at it. But obviously I'm out of my depth here.
#6
Either it's permissions/security-related, or there's no wp-login.php file on the server. Either way, I can't diagnose more from the tools I have available from where I am - the server repeatedly tells me that there is no wp-login.php that I can access no matter what I use to try to access it.
The certs have nothing to do with it, although it's an incredibly amateur mistake to do what was done.
#7
Thread Starter
wget returns a 404 error on "https://blog.lemuriabooks.com/wp-login.php"
Have you been messing with your login script, Mg? According to your server, it's not there.
(Edit) IE in W7 also verifies that it's missing. The problem is with your script, not your certificates - although I did explain how to fix the certificate error in a previous post, Mg. The behavior that redirects you straight to the root (l*.com) is a browser-specific addition likely related to avoiding 404s, as only some of the browsers I use do it, and others properly display the 404 error.
(Edit edit) Unless you wrote in specific functionality to auto-ban certain browsers and return a 404 error, but I don't think it's something you'd do.
#8
Thread Starter
What's weird is that if I go to the nonsecure URL:
http://blog.lemuriabooks.com/wp-login
I get the 404.
But if I go to the secure URL
https://blog.lemuriabooks.com/wp-login
I get the immediate redirect to the main site.
#12
Thread Starter
No clue what that means. Keep reminding yourself that I work in a bookstore and I maintain the website because I drew the short straw of knowing more computer stuff than a bunch of English and philosophy graduates.