SSL Advice

Discussion in 'H-Sphere Shared Hosting' started by peskypup, Mar 17, 2004.

  1. peskypup

    peskypup Perch

    I would like to use SSL on a client's site hosted here at Jodohost. I've been searching a bit through the forum archives to find out exactly what that would entail from my end, and I'm afraid I'm just more confused than I was to begin with. If any can answer any of the following, I'd appreciate it.

    1. Shared SSL is only available on win5, correct?

    2. Shared SSL on win5 is extremely buggy and there have been all sorts of problems with it over the past few weeks. As we're not even on Win5, and shared SSL has been causing problems anyway, our only real option is getting a dedicated IP address and turning on SSL. Correct?

    3. If we change over to a dedicated IP address, and turn on SSL, our site will go down. Do I have to contact someone at support to fix something in order for my site to work again?

    4. If the answer to the above is yes, how long am I looking at as far as downtime? My client spent 23 out of 24 hours yesterday unable to view his site, so will have a very low tolerance for further downtime at this point. Is there any way to know exactly how long it will take so I can warn him ahead of time (or better yet, make the change when I know he will not be looking)?

    5. I believe I read somewhere that it may take up to 24 hours for the IP change to propagate across DNS servers world-wide. Is this correct? In the meantime, will I be able to provide my client with an IP address to access the site through so he can continue his pre-launch testing so we can stay on schedule?

    I appreciate any advice I can get here. SSL is not absolutely required, but it would make the 3rd party shopping cart we're using a lot nicer looking if we can have it pull in a few images over a secure connection. If it's going to be a headache, I'll probably skip it.
  2. Yash

    Yash Bass

    Wow, never get your information from the forum archives...

    1) Shared SSL is working on all servers except Win1 and Win4. If you are on these servers, you can request your account to be shifted to Win5 or Win6.

    2) The only issue was with a shared IP. Use a dedicated IP if you are using SSL or Shared SSL across all our Windows servers.

    3) If you switch to dedicated IP, your site may go down temporarily while the new IP propagates. If it does go down, run ipconfig /flushdns in 30 min and your site should come back. Apart from that, there is no other downtime. Also, any such downtime will only affect those visitors whose ISP has cached the old IP.

    5) Of course, you can even access it through the instant domain alias.
  3. SubSpace

    SubSpace Bass

    Sorry to burst your bubble, but that's just not true.
    If someone visits the website in question, his computer will cache the DNS entry for as long as the TTL parameter provided by the configured nameserver will allow it. This part can be solved using ipconfig /flushdns.

    However, while it's being cached, the exact same entry is placed in the ISP's nameserver cache. After an ipconfig /flushdns there is thus a very large chance that it won't actually fix anything at all, because Windows will just query that same server again which will return that same (wrong) cached value.

    Now most ISPs use 2 nameservers. If you're lucky, Windows will query the other nameserver after the ipconfig /flushdns, and if you're even luckier, this server will not have the entry cached, in which case it will help you.

    Point is, no matter how often you use ipconfig /flushdns, it's far from a sure fix. Besides, most customers trying to reach a website don't go executing ipconfig /flushdns if the site doesn't work, they go "fook it", and go browse somewhere else.
  4. peskypup

    peskypup Perch

    Thanks Yash and subspace. I think I'll probably turn it on tonight once I finish working for the night and hope for the best that by the time the client gets up in the morning, all is well. The site hasn't launched yet, so I figure it's better to do this now rather than after we launch at the end of the week.

    I still want to supply him with the IP and/or instant domain alias regardless, which leads to another question: Immediately after signing up with jodohost we had to move from the server we were put on to Win2 in order to be on a server with ColdFusion. Should anything have been changed on jodohost's end at that time to make the instant domain alias work once the site was moved to a different server? Because I just tried to access it (http://d70122.u34.jodoshared.com/) and I get an error that "This page must be viewed over a secure channel". (Note: I have not turned on SSL yet) Accessing it via the domain name works fine.

    Do I need to submit a trouble ticket to ask that the instant domain alias be updated?

    Cheers!
  5. SubSpace

    SubSpace Bass

    It's a bit sneaky, but if you know which ISP he's using, check his nameserver with nslookup (don't forget the trailing dots after the hostnames):

    Code:
    c:\>nslookup
    > server ns1.customerisp.com.
    Default Server:  ns1.customerisp.com
    Address:  x.x.x.x
    
    > set debug
    > www.customerwebsite.com.
    Server:  ns1.customerisp.com
    Address:  x.x.x.x
    
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 3, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 1,  authority records = 0,  additional = 0
    
        QUESTIONS:
            www.customerwebsite.com, type = A, class = IN
        ANSWERS:
        ->  www.customerwebsite.com
            internet address = 64.156.223.130
            ttl = 86296 (23 hours 58 mins 16 secs)
    
    In the above example, that particular server will cache this result for 23 hours and 58 minutes; that's bad.
    In this case, wait 23 hours or so, check again and verify the TTL is now less than 1 hour. Then quickly make the dedicated IP change and his ISP's nameserver should have the update within the hour.

    Like I said, sneaky, but it keeps the customer off your back for an issue you have no control over...
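Added example (not part of SubSpace's post or of the thread): the same check as the nslookup session above, done in Python by sending an A query to one chosen resolver and reading the remaining TTL from its answer. The function names and the one-hour default window are assumptions of this sketch; `sample_response()` is a constructed reply that reuses the address and TTL shown in the post.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Build an A-record query with 'want recursion' set, as nslookup does."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # type A, class IN

def skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]               # step over one length-prefixed label
    return off + (2 if msg[off] else 1)   # 2-byte pointer or 1-byte root label

def parse_a_ttls(msg):
    """Return [(ip, remaining_ttl)] for every A record in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("resolver returned rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4     # skip qtype + qclass
    found = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            found.append((socket.inet_ntoa(msg[off + 10:off + 14]), ttl))
        off += 10 + rdlen
    return found

def cached_ttls(resolver_ip, name, timeout=3.0):
    """Ask one specific resolver (e.g. the customer's ISP) what it holds now."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return parse_a_ttls(s.recvfrom(512)[0])

def seconds_until_safe(ttl, window=3600):
    """Seconds to wait before the cached TTL drops below `window` (1 hour)."""
    return max(0, ttl - window)

def sample_response():
    """Constructed reply (not captured traffic) using the values in the post."""
    msg = bytearray(build_query("www.customerwebsite.com."))
    msg[2:8] = struct.pack(">HHH", 0x8180, 1, 1)   # response+RD+RA, 1 question, 1 answer
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 86296, 4)
    return bytes(msg) + rr + socket.inet_aton("64.156.223.130")
```

Because the query asks for recursion, a resolver with no entry cached will fetch and cache one at the full TTL, just as the nslookup session does.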
  6. Logan

    Logan Perch

    I don't consider this sneaky at all. If it was, nslookup wouldn't be part of a standard build. I use this all the time when I am trying to investigate DNS issues. It's just part of the standard toolkit in my opinion.
  7. SubSpace

    SubSpace Bass

    I'm not saying it's sneaky to use nslookup, but you're misleading your customer, in a way. For the rest of the world the downtime will still be up to 24 hours, just not for him.
    Most websites are used by more people than just the customer himself :)
  8. Yash

    Yash Bass

    Thanks for correcting me. My answer was not well phrased. I never meant that you can clear your ISP's cache with ipconfig /flushdns. As far as the TTL value goes, I've seen it come into play with a very few ISPs.
  9. Yash

    Yash Bass

  10. peskypup

    peskypup Perch

    Thanks everyone. Yash, I was able to get my instant domain alias reset and working. Thanks.

    I switched to dedicated IP and everything was fine... was able to access the site via the IP and the domain alias. A little while later I turned on shared SSL. A little while after that I decided to go back and check that everything on the site was still working. Lo and behold, now all I get is an "Under Construction" page whether I use the IP or domain alias. Why can't anything ever be easy?! :p

    So... I've submitted a trouble ticket and am going to bed and hoping that when I wake up, everything will magically be fixed in time for the client to take his first look. (hey, a girl can dream, can't she?!)

    Btw... to the person who mentioned it, the site hasn't actually launched yet, so at this time, the client is the only one I'm worried about looking at it... don't need to worry about visitors from around the world just yet. ;)
  11. peskypup

    peskypup Perch

    ARGH!

    So I wake up and the site's back up and working and everything is good in the world... until I read the response to my trouble ticket which says:

    "Also, please note that for ssl there is problem with win2 and we will shift your account to win5 if you are not using coldfusion...as the ssl is working fine on win5. Please update us if you are ready with it."

    First of all I DO use ColdFusion. So this is not an option, as I already informed support. More importantly, though, what they're saying appears to match with what I'd read here on the forums. Yet I was assured shared SSL worked on win2 just yesterday. Yash, what's going on? ?(
  12. SubSpace

    SubSpace Bass

    Hmmm, I thought I read somewhere that JH changed their approach and were installing ColdFusion on all Windows servers..
    Could be they changed their minds of course. Yash? ;)
  13. peskypup

    peskypup Perch

    I think I read that as well, but perhaps they meant all new servers they bring online going forward?
  14. Yash

    Yash Bass

    Darn, there is so much miscommunication around here :(
    Anyway, we are trying to get CF installed on this server but it keeps failing. We've emailed Macromedia.

    I think they got SSL working for you, haven't they?
  15. peskypup

    peskypup Perch

    I haven't gotten a response to my trouble ticket yet, so haven't tried it. I'm at my "day job" at the moment, so will have to give it a whirl later. (fingers crossed)
  16. peskypup

    peskypup Perch

    It appears to be working. Many thanks!
