The Joys of Having an Expired SSL Certificate

A frustrating waste of time.

A few months ago, when it became clear that the Republican led congress was going to allow ISPs to sell our browsing history to the highest bidders, I got a bit more concerned about security. In my research, I came across an article that recommended that users never visit a website without an SSL certificate.

If you don’t know how to tell whether a site has an SSL certificate, the easiest way is to look at the full URL. If it starts with https:// instead of http:// it has an SSL certificate. Think of that extra character, the s, as standing for secure.

Also, some web browsers display a special icon — such as a lock — near the URL or possibly in the status bar at the bottom of the page.

One thing is for sure: You should only enter personal data in pages that are SSL-protected. So if you don’t know how to check for a secure page in your browser, learn.

Of course, at the time, this blog did not have an SSL certificate. I’d done some research in the past and decided it wasn’t worth the cost. After all, although I do get a few donations — thank you generous supporters! — it isn’t as if this site earns any money for me. Hosting costs enough money; buying a certificate wasn’t in the budget.

Still that article made me wonder if I were losing visitors because I didn’t have that certificate. So I did some more research and discovered that my WordPress host, Bluehost, offered a free SSL certificate for subscribers. I made a few calls, clicked a few links, installed a WordPress plugin, and voila! I had a coveted https:// URL.

And then I pretty much forgot about it. After all, typing in the old URL (without the s) still pointed people to the new one. And who types in the whole thing anyway? If you put in any combination of URLs to get to this site — or if you clicked a link that took you here — some sort of behind-the-scenes magic put you on a secure page.

Yesterday changed that. I went to check the site and was faced with the following message:

Page is Not Secure

WTF?

Of course, I discovered this about 30 minutes before a friend was due to arrive to detail my helicopter and I had about a half dozen other things I wanted/needed to do before he arrived — like get dressed? (It was 5:30 AM.) So I did the easy thing: I called Bluehost and asked them what the hell was going on.

The support guy I got was very fond of the hold button. I don’t know if it’s because he really needed help or if he was working on more than one call at a time. I was on hold for most of the 45 minutes our call lasted. While I waited, my friend came, I greeted him in my pajamas, I made him coffee, and I put a bowl of cherries in front of him, occasionally interrupting our conversation to speak with the Bluehost support guy when he came back on the phone.

My big concern was this: people would be scared away by that message. They’d click a link, get to my site, and leave, thinking they’d get a virus or something. I needed the problem resolved quickly.

I was told that Comodo, the organization that provided the SSL certificates, had sent me some sort of verification email that I needed to click a link in. I told him I’d never gotten a message, although it could have been sorted into spam and automatically deleted. He asked me to check a specific email address. I told him I didn’t have that email address. “Well, that’s where the message was sent.”

This made no sense. It was not the email address I had on file with Bluehost. It was an email address on my domain that I had never set up. I checked and verified that it didn’t exist. Comodo had sent an email message to an address that I’d never created or used.

Seriously: WTF?

Mr Hold Button told me to create the address, which I did while he waited. Then, after putting me on hold for a while longer, he told me they’d send a new message and that I should follow the instruction in it.

By this time, I was tired of dealing with the problem. I needed to get dressed. I needed to pull the helicopter out so my friend could get started on it. I needed to do the other things I needed to do. So I told him I’d check in a while and hung up.

And then I forgot about it.

You see, I have a life and that life does not revolve around dealing with computer issues. That was my old life. My new life is far more interesting.

Besides, I had no intention of adding that new email address to any of my email clients on any of my devices. That meant I had to sit at a computer and go to the Webmail feature on Bluehost to check the message. Not exactly something I’m likely to remember.

But I got reminded again this morning when it still didn’t work right. One of my readers emailed me. I also noticed when I attempted to approve two comments.

I checked that stupid email inbox. Empty.

I got on the phone with Bluehost.

This time I got a guy who didn’t like touching the hold button. He stuck with me while we worked through the problem. There was a lot of silent time. He was texting with Comodo. I was starting to write this blog post. Occasionally, he would update me. Occasionally I’d whine to him about how ridiculous the whole thing was. He was suitably sympathetic. I was as apologetic as I could be. After all, it wasn’t his fault.

In the end, the email message finally came. I clicked the link — but not after lecturing him about how we’re not supposed to click links in email messages. I entered the secret code. He confirmed some stuff on his end. I snacked on some cherries. When he said, “Try now,” I did.

The problem was fixed. It had taken 22 minutes.

We wished each other a nice day. When I got the survey at the end of the call, I gave him a good score.

So it looks like this site is secure again — at least until the next time Comodo decides it needs to verify me.

And yes, this did impact site traffic. I had less than half my usual visitors yesterday and started today at about one quarter the traffic I should have had by noon.

2 thoughts on “The Joys of Having an Expired SSL Certificate

  1. With all the publicity that recent malware/ransomware attacks have been getting these days, I’m sure it’s got people on edge as regards their computer security hygiene habits. Even though nobody is entering their credit card information on your blog, that “red flag” privacy warning really gets peoples attention.

    • Yep. Even I was afraid to click through this morning. Sheesh.

      I suspect this will happen again. But next time, I think I can resolve it quickly. Fingers crossed. Thanks for letting me know about it this morning.

What do you think?