I ran into a situation where a client was accessing a test site and ended up getting a certificate from another site on the same server. Here is the setup:

I think that I have finally determined a solution that works for the sites I maintain. This seems to solve almost all the problems that I have encountered:

1. Install the non-ssl site in the sites directory: nonsecure.example.com
2. Create a new directory in /sites/ for the ssl site: secure.example.com
3. Copy the settings file from the nonsecure to the secure directory. Change the base_url to be the secure site's URL
4. Create symlinks FROM the nonsecure directory to the secure directory:
5. ln -s nonsecure.example.com/themes secure.example.com/

So you may have tried to do this according to my first blog post on the topic. If you did, you found that problems STILL existed!!

So I have created a patch to the securepages module (are you watching Gordon?) to allow this to actually work. And yes! It does work! There are some caveats though

• The user login block, which I use to use on my site, won't work in SSL mode unless you limit it to SSL pages only. That means you can't put it on your homepage and have SSL logins. It appears that the user block in core needs to be changed or a replacement block created.

I never dug into mod_rewrite before Drupal. Now I do. I hope that I have explained this properly and that it helps others figure things out.

So here is the scenario:

• logins should occur via SSL
• everything else should occur via non-ssl
• the main site is www.example.com
• the ssl site is ssl.example.com