Bluehost SSL certificates... not happy
I just shelled out the cash for a SSL certificate on my Bluehost account, on the basis I could use it for my online store. Two small problems.
Number one, if you have a primary domain and add on domains like I do, the SSL certificate only applies to the primary domain. If you try and access any of your add-on domain sites through https:// you'll first get an error message telling you the site url doesn't match the certificate, and then get redirected to the site on the primary domain ( way to foster trust among online shoppers! ). My store is on one of the add-ons.
Number two, it looks like the provider of the certificates is some el-cheapo unrecognised outfit. If I go to any page on the primary domain I don't see that comforting little yellow padlock in the bottom left corner. That means my customers don't see it either... and they leave my store and find one that is really secure.
To add insult to injury, to make the SSL work I also had to purchase a fixed IP for my hosting package. Within 2 minutes of paying for this I lost all my sites for 4 hours.
Can someone convince me why this product even exists? There's NO WAY I would have paid for it had I known it was utterly useless. I think people who might be considering this option need to know it simply isn't up to scratch.:mad:
Number one, if you have a primary domain and add on domains like I do, the SSL certificate only applies to the primary domain. If you try and access any of your add-on domain sites through https:// you'll first get an error message telling you the site url doesn't match the certificate, and then get redirected to the site on the primary domain ( way to foster trust among online shoppers! ). My store is on one of the add-ons.
SSL certificates are issued for a single domain-- wildcarding TLDs would make the certificate completely useless for identification.
Number two, it looks like the provider of the certificates is some el-cheapo unrecognised outfit. If I go to any page on the primary domain I don't see that comforting little yellow padlock in the bottom left corner. That means my customers don't see it either... and they leave my store and find one that is really secure.
This has nothing to do with the certificate authority. Is every resource (image, css, javascript file) on your site being requested via https? If not, your site is using the cert, but the lock on most browsers will not light up.
To add insult to injury, to make the SSL work I also had to purchase a fixed IP for my hosting package. Within 2 minutes of paying for this I lost all my sites for 4 hours.
Adding a dedicated IP requires an update to the domain's DNS. The standard TTL on Bluehost is 14400 (4 hours). If the DNS server that your computer uses strictly honors TTL (most don't anymore) then you will resolve to the old IP until the TTL expires and the DNS server updates its cache. There should be a rudimentary redirect in place that attempts to redirect to the dedicated IP for those whose DNS hasn't updated, but there are quite a few things that might get in the way of it working properly.
Can someone convince me why this product even exists? There's NO WAY I would have paid for it had I known it was utterly useless. I think people who might be considering this option need to know it simply isn't up to scratch.:mad:
Honestly, as far as I can tell, the certs work just as they should.
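The "every resource must be requested via https" point above is the one that most often keeps a padlock from lighting up. The following is an added example, not code from this thread or from Bluehost, that scans an HTML page for subresources (stylesheets, scripts, images, frames, media) that would be fetched over plain http:// when the page itself is served over https://. The sample page and all host names in it are constructed for illustration.

```python
"""Find subresources on an HTML page that would load over plain http:// (mixed content).

Added example for this thread; the sample page below is constructed, not a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes whose value the browser fetches as a subresource.
_RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class _ResourceCollector(HTMLParser):
    """Collect absolute URLs of every subresource referenced by the page."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheet / icon links are fetched; rel="canonical" etc. are not.
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for name in _RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is "url descriptor, url descriptor, ..."
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value.strip()]
            for candidate in candidates:
                # Relative and scheme-relative (//host/...) references inherit the page's scheme.
                self.urls.append(urljoin(self.base_url, candidate))


def find_insecure_resources(html: str, page_url: str) -> list[str]:
    """Return the subresource URLs that would be fetched over plain http://."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return [u for u in collector.urls if urlsplit(u).scheme == "http"]


# Constructed sample page: two hard-coded http:// resources, one relative and one
# scheme-relative resource (both fine), one non-fetched link and one plain hyperlink.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://www.example.com/css/store.css">
<link rel="canonical" href="http://www.example.com/">
<script src="/js/cart.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<img src="http://img.example.com/banner.gif">
<a href="http://www.example.com/about">About</a>
</body></html>
"""

if __name__ == "__main__":
    for url in find_insecure_resources(SAMPLE_PAGE, "https://www.example.com/testssl.html"):
        print("insecure subresource:", url)
```

Plain hyperlinks (`<a href>`) are deliberately ignored: following one is a navigation, not a subresource fetch, so it does not affect the padlock of the current page. Fixing the flagged references is usually a matter of switching them to https:// or to scheme-relative paths.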
Thanks for the reply cade.
SSL certificates are issued for a single domain-- wildcarding TLDs would make the certificate completely useless for identification.
Mmm...by that logic shared certificates couldn't work. Aside from that, it should work for the domain the customer chooses... not the one Bluehost nominates. ;)
This has nothing to do with the certificate authority. Is every resource (image, css, javascript file) on your site being requested via https? If not, your site is using the cert, but the lock on most browsers will not light up.
No links to any images, css, script or embedded media in this file:
<html lang="en">
<head>
<title>Test SSL</title>
</head>
<body>
<h3>If SSL is working correctly, you should see a yellow padlock in the bottom right of your browser.</h3>
</body>
</html>
But the three Mozilla flavoured browsers I tested reject the certificate. IE6 is the only one I've seen work.
Adding a dedicated IP requires an update to the domain's DNS.
Yup... I am down with that.... however, when I contacted support I was told there "was a problem with the fixed IP on that box that will take 4 hours to fix". That didn't inspire great confidence, as it seemed overly coincidental that this wasn't a problem until I added a certificate.
Honestly, as far as I can tell, the certs work just as they should.
OK what do you see when you go here?:
https://www.genx-online.net/testssl.html
I get the padlock in IE6... but Firefox / Flock / Opera reject it. Maybe it's working properly ( as in it's encrypting data travelling to and fro ), but if I was a customer ready to punch in my credit card details I'd run a mile as soon as I saw that!
I stand by my point that the certificate is not recognised by many browsers, and therefore not suitable for ecommerce... in spite of what Bluehost suggest.
Early Out
05-15-2009, 04:10 PM
I'm seeing the yellow padlock at the lower right in FF 3.0.10, the yellow padlock to the right of the address bar in IE7, and the yellow padlock on the right end of the address bar in Chrome 1.0.154.65.
There's something wrong with your PC.
Thanks Early, I have had someone else verify that it works on FF 3.0.10 and IE7 on Vista Home... so I at least believe there's not a general rejection of the certificate by FF / other Mozilla browsers. Why I have not one, but three Mozilla based browsers that reject it, yet happily accept other THAWTE / Verisign issued certificates is mystifying. Clearly something I'll have to investigate another day...
I still do wonder how many people bought one of these certificates though, not knowing it only applied to the main domain and could not be used on any of the add ons ( Hostgator are the same ).
Had I known I would have just paid for the fixed IP and bought my own certificate from Comodo and applied it to the site I wanted. Wouldn't have cost that much extra either.
The main site on my package was just a placeholder for the domain... the site I wanted to secure was added later. I still have no use for the SSL on the main site, but I've done my money.
OK... fair enough... you live and you learn... but plenty of people NOT from an IT background would have learnt this the hard way... and be left with a certificate on a domain they have no need for. Sure... this is not something especially confined to Bluehost... but in the interests of being "better than the competition" it could be more clearly stated.
I checked it out in several browsers as well (Firefox, Safari and Opera) and did have a problem in Opera (and it may possibly exist in the others too). It appears that the cert is using a root certificate that isn't included in Opera's root cert bundle (that may be true of the other browsers that I tried, but I likely imported it at some point without thinking since I use them much more often). Opera seems to be pretty hush-hush about certs that will be included in the next update, but Comodo has been around for a long time so I doubt that they will have a problem with the audit process.
As for shared certificates, they work because traffic is funneled through the domain with a certificate-- not the originating domain. For instance, if you use secure.bluehost.com you would append your ~username to the URL. Secure.bluehost.com is a proxy server that grabs the content from the normal server and presents it on secure.bluehost.com.
The limitation of where certs can be installed is obnoxious, I agree. It actually originates from CPanel, not Bluehost (as you said it exists on Hostgator, a CPanel host, as well). EasyApache3 (the httpd config file manager) just doesn't play nice with multiple certs per account.
You should be able to have your account renamed to the domain that you would prefer to use for the certificate. Renaming the account will re-burn the certificate that you purchased to the new primary domain name.
If that doesn't work for you, you can cancel the cert as long as 5 days haven't passed and purchase it from a third-party. Then just email Bluehost support with the CA bundle and they will install it for you.
Thanks cade, some good info and advice there. :)
I had wondered about changing the primary, but I was a bit nervous about this and was unsure if it was even possible. That would be an excellent solution once I am convinced the certificate is OK in *most* browsers out there in userland ;).
I assume before this could happen I'd need to create a new site root folder under the main, and copy all the files that belong to the current top level site only to that. Then I'd somehow have to move all the files from the add on domain's root folder into the httpdocs root, and pray there's no relative folder references in any of the scripts or config files. Then I'd remove / add each site in the add-on page in CPanel. It being a big, busy site, I must admit this prospect makes me somewhat nervous! I'd say some outage would be inevitable.
Out of fear alone I might look at your second option, e.g. buy a certificate somewhere and have BH install it. But I guess I wonder what the cost for this ( installation ) would be, and whether it might actually be cheaper and less headache to buy a completely new hosting package ( with certificate ) and just move the entire site over to that.
jfcarr
05-16-2009, 08:42 AM
For what it's worth, I am also getting an "Invalid Certificate" error when I try to access it through Firefox 3.0.10.
EvilChookie
05-16-2009, 10:31 AM
I don't know why you're having a problem with the SSL. I manage three websites via bluehost, and each one has its own SSL certificate.
Yes, we were somewhat miffed that we couldn't have a wildcard certificate for our several stores. But, after doing a little bit of research, we discovered that a wildcard SSL certificate wasn't worth the expense, and it was simply cheaper to cop two more hosting accounts with SSL attached.
Someone else mentioned it in the thread, but every file from your page needs to be served over HTTPS - I had to adjust some code in my store to make it work properly. (I wrote a custom solution for my stores).
I have tested each of my stores in all the major browsers - I get no errors, and nice padlocks everywhere. Inspecting the certificate shows me that my browser trusts the CA, and that's good enough for me.
jfcarr: hmmm... definitely seems to be some issue with FF3.0.10 and Comodo EV certificates. Finding lots of posts on forums about it. There was an old bug in FF2 with Comodo certificates, but this should be unrelated.
EvilChookie: post a link to any of them and I'll see if it gets rejected in my install of Firefox. I checked my certificates and Comodo is listed, but next to the EV certificates it says "Software Security Device" instead of "Built in token" like all the others. Not sure what that's about??
I just shelled out the cash for a SSL certificate on my Bluehost account, on the basis I could use it for my online store. Two small problems.
Number one, if you have a primary domain and add on domains like I do, the SSL certificate only applies to the primary domain. If you try and access any of your add-on domain sites through https:// you'll first get an error message telling you the site url doesn't match the certificate, and then get redirected to the site on the primary domain ( way to foster trust among online shoppers! ). My store is on one of the add-ons.
Number two, it looks like the provider of the certificates is some el-cheapo unrecognised outfit. If I go to any page on the primary domain I don't see that comforting little yellow padlock in the bottom left corner. That means my customers don't see it either... and they leave my store and find one that is really secure.
To add insult to injury, to make the SSL work I also had to purchase a fixed IP for my hosting package. Within 2 minutes of paying for this I lost all my sites for 4 hours.
Can someone convince me why this product even exists? There's NO WAY I would have paid for it had I known it was utterly useless. I think people who might be considering this option need to know it simply isn't up to scratch.:mad:
I have an instance where I need to build 5 stores. And I am wondering, do I need to have 5 SSL certificates to accomplish this... or is there an easier way to share a certificate across domains ??
Because there is a cost for each SSL certificate ... What do you recommend?
Early Out
05-28-2009, 11:57 PM
SSL certs are domain-specific. There is such an animal as a "wild-card" cert, but I believe the expense of obtaining one, and the difficulty of getting it installed properly, make it not worth the effort.
If an online store won't generate enough income to cover the cost of an SSL cert, it's probably not worth creating the online store!
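Two points in the thread, cade's "SSL certificates are issued for a single domain" and Early Out's remark about wildcard certs, come down to the name-matching rule browsers apply before showing a padlock. The following is an added example, not code from this thread or from any host, that implements that rule as described in RFC 6125: a hostname must match one of the certificate's DNS names exactly, and a wildcard is honoured only as the whole left-most label and covers exactly one label. Every domain name below is constructed for illustration.

```python
"""Does a certificate's list of names cover a given hostname?

Added example for this thread. Implements the RFC 6125 matching rules that browsers
use; all host and domain names used here are constructed, not real sites.
"""
from typing import Optional


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """True if `cert_name` (a DNS name from the certificate) covers `hostname`."""
    host = hostname.lower().rstrip(".")
    pattern = cert_name.lower().rstrip(".")

    if "*" not in pattern:
        # Ordinary name: exact, case-insensitive match only.
        return host == pattern

    p_labels = pattern.split(".")
    h_labels = host.split(".")

    # The wildcard must be the entire left-most label; "*foo.example" or a "*" in any
    # later label is rejected outright.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Require at least two labels after the "*" so that "*.com" can never be accepted
    # (this is what makes wildcarding a TLD useless for identification).
    if len(p_labels) < 3:
        return False
    # The "*" covers exactly one label: shop.stores.example matches *.stores.example,
    # but stores.example and a.shop.stores.example do not.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_covers(hostname: str, dns_sans: list[str], common_name: Optional[str] = None) -> bool:
    """Check a hostname against a certificate's DNS subjectAltNames.

    Browsers consult the SAN list; the subject CN is only a fallback when the
    certificate carries no DNS SANs at all.
    """
    names = dns_sans if dns_sans else ([common_name] if common_name else [])
    return any(hostname_matches(hostname, name) for name in names)


# Constructed certificates for the two situations discussed in the thread.
# A cert issued for the account's primary domain only:
PRIMARY_CERT_SANS = ["www.primary-domain.example", "primary-domain.example"]
# A wildcard cert for a set of stores under one parent domain:
WILDCARD_CERT_SANS = ["*.stores.example", "stores.example"]

if __name__ == "__main__":
    for host in ["www.primary-domain.example", "www.addon-store.example"]:
        print(host, "covered by primary cert:", certificate_covers(host, PRIMARY_CERT_SANS))
    for host in ["shop1.stores.example", "stores.example", "eu.shop1.stores.example"]:
        print(host, "covered by wildcard cert:", certificate_covers(host, WILDCARD_CERT_SANS))
```

Run against the constructed certificates, the add-on domain is not covered by the primary domain's certificate, which is the mismatch warning the original poster saw, and the wildcard covers each store's own label but neither the bare parent domain nor anything two labels deep. A shared host certificate (the secure.hostname proxy approach cade describes) sidesteps this entirely because the browser only ever sees the proxy's hostname.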