I thought it would take the entire root URL, not just the domain for trust_root. The problem is that, by lack of choice, my server is https. Now normally, if I just absolutely insisted on using port 443 and SSL, I'd just run another instance of apache with a virtual server redirect to https://, but since I sort of can't use port 80, that doesn't help much. I tried looking through the .pm files for OpenID and it doesn't seem to care too much on the difference. I'd like to just have it send the correct url so I don't have to hand correct it to get OpenID to verify correctly.