Seems like most of the issues have been sorted out. There are nuances in getting everything pushed correctly from:
http://ninjette.org
http://www.ninjette.org
https://ninjette.org
https://www.ninjette.org
to all be correctly pushed to and served from:
https://www.ninjette.org
even when there are subdirectories past the main domain coming in on the query, for all 4 choices. It takes a combination of mod_rewrites to add the www, and redirects between apache virtual servers to push all http traffic to https. For fun, go check any of your favorite sites that use SSL, and try all 4 combinations to see what happens. Just found out my main company's site is borked by a couple of these (Fortune 20).
Also learned that SSL certs are tied directly to "ninjette.org" or "www.ninjette.org", but not necessarily both. Many providers do not create certs that will work on both, and you have to pay extra for wildcard-type certs to cover that case. GoDaddy certs apparently include the
domain.com and the
www.domain.com, so it is working here by dumb luck, not because I understood that ahead of time.
Added a "site seal" in the footer, which allows the truly paranoid a separate check that my cert provider confirms that this is actually the right site, and the cert was obtained and installed correctly.