Wordpress + invalid SSL certificate (host name mismatch)

Question

Hi all,

I deployed Wordpress to my site today (not to power the whole thing, but to function on the sidelines as a blog in a regular directory) and have been running through the Wordpress Codex and a JournalXtra guide on hardening the security.

Amongst those things was enabling SSL logins.

It seems to be working alright, and I logged in just fine, except that now when I try and submit/save through my Wordpress dashboard, it warns me that it cannot identify whether it's really my site. Checking the certificate shows a PositiveSSL certificate, but the domain underneath is not my site, which is giving a host name mismatch error.

Now, I tried to look up this error and the initial results I turned up claim that it can occur when you use something like http://yoursite[dot]com and it doesn't redirect to http://www.yoursite[dot]com.

One of the other changes that occurred during my installation and tweaking is that if I go to http://www.mysite[dot]com, it'll display with www. Without www works just as well.

However, http://www.mysite[dot]com/blog redirects to mysite[dot]com/blog automatically.

Could that be the issue? What's going on here?

Update: I had forced SSL login, and commenting that bit out did indeed remove the error. So how do I correct this issue so I can have SSL without getting invalid certificate warnings?

Update Update: Nevermind. I login without issue, but saving my settings for the Better WP Security plugin gives me this prompt.

I think my site may have been compromised. I noticed that a "wysiwyg[long string of alphanumeric characters].php' was added to my public html directory. Unless Wordpress or something else added this, it was not me. (Another edit: Erp, I'm a dummy. Apparently this file gets added if you use the HTML editor in cPanel. Other issue remains)

Answer 1 · 2013-04-25T20:09:25Z

April 25, 2013 8:09pm

Try setting it to false instead of just removing it.

I use rapidsslonline.com cause it's super affordable, but there are TONS of providers out there!!

Answer 2 · 2013-04-24T05:27:54Z

April 24, 2013 5:27am

i'm not 100% sure I understand what you are asking here.

An SSL cert is for a Full Qualifyed Domain Name (FQDN) so it has to be exactly as you want the user to type it in the URL, e.g an SSL cert for www.domain.com is not valid for domain.com

Answer 3 · 2013-04-24T15:35:43Z

April 24, 2013 3:35pm

Second James' point. If you're not using a "wildcard" SSL certificate, it will only work for the exact domain name entered during the setup or purchase.

You can (and should) resolve those www redirects though. This can be done with .htaccess pretty easily.

Answer 4 · 2013-04-24T23:44:37Z

April 24, 2013 11:44pm

Well, that's the other thing I didn't address. I didn't realize you had to purchase the SSL certificate. I just 'forced' SSL on for my Wordpress login, realized that I actually needed to purchase an SSL cert for it to work, and disabled it.

Now when I try to login to my Wordpress panel at my website, I get a warning that it can't verify the identity of my site and displays a certificate for "downloadandplay[dot]com" (which is not my site).

Answer 5 · 2013-04-25T16:08:39Z

April 25, 2013 4:08pm

Hey Nathan,

Have you checked in with the SSL provider about the issues you're having? They may be WordPress related for sure, but it sounds like there might also be something going on with your SSL certificate.

Answer 6 · 2013-04-25T19:20:40Z

April 25, 2013 7:20pm

Hi Zac,

Sorry if I'm not clear: I don't have an SSL provider, as I never purchased an SSL certificate. I simply attempted to force-enable SSL logins in my WP-Config, without purchasing a certificate (one of the gaps in my knowledge being that I have to buy one--now I know :D ).

Answer 7 · 2013-04-25T19:55:39Z

April 25, 2013 7:55pm

:) well here's to learning!

Once you get that setup, let us know if it solves your problem!

Answer 8 · 2013-04-25T20:03:13Z

April 25, 2013 8:03pm

Thanks for your help and patience. :)

If I disabled the force-SSL, however, wouldn't we expect to see this error go away? I also tried clearing my cache to make sure there was nothing funky going on there. No dice.

One last thing, before I consult the ever-wise Google: is there a fan favorite, as far as SSL providers go? For the time being, all I need is something to secure my login page for a personal site. There's no business-level, commercial needs (at least not yet).

Answer 9 · 2013-04-25T20:31:11Z

April 25, 2013 8:31pm

Sure enough, setting it to false did the trick.

I'll check out RapidSSL. Thanks a lot, Zac.

This is why I like being a part of Treehouse.

Answer 10 · 2013-04-25T22:00:28Z

April 25, 2013 10:00pm

Oh great! Glad we got to the bottom of that :)

And that's why I like being a part of Treehouse too ;)

Welcome to the Treehouse Community

Looking to learn something new?

Nathan F.

Nathan F.

Wordpress + invalid SSL certificate (host name mismatch)

10 Answers

Zac Gordon

Zac Gordon

James Barnett

James Barnett

Zac Gordon

Zac Gordon

Nathan F.

Nathan F.

Zac Gordon

Zac Gordon

Nathan F.

Nathan F.

Zac Gordon

Zac Gordon

Nathan F.

Nathan F.

Nathan F.

Nathan F.

Zac Gordon

Zac Gordon