
Simplyeasier

The SSL In OsCommerce Guide For The Innocent


Ok.. I have followed all the tips.. but I am still getting the secure and non-secure warning in my shopping cart.... If I choose do not display, the images don't appear.. so I know it is a simple fix..

Here is my code from the includes/configure file

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.eadultparty.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://www.eadultparty.com'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'http://www.eadultparty.com');

define('HTTPS_COOKIE_DOMAIN', 'www.eadultparty.com');

define('HTTP_COOKIE_PATH', '/');

define('HTTPS_COOKIE_PATH', 'www.eadultparty.com');

define('DIR_WS_HTTP_CATALOG', '/');

define('DIR_WS_HTTPS_CATALOG', '/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');

define('DIR_FS_CATALOG', '/kunden/homepages/19/d185029666/htdocs/usr_eadultparty/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

// define our database connection

define('DB_SERVER', 'db651.perfora.net'); // eg, localhost - should not be empty for productive servers

define('DB_SERVER_USERNAME', 'dbo195963683');

define('DB_SERVER_PASSWORD', 'wCp7Exgy');

define('DB_DATABASE', 'db195963683');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'

?>

admin is here

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.eadultparty.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'http://www.eadultparty.com');

define('HTTPS_CATALOG_SERVER', 'https://www.eadultparty.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

define('DIR_FS_DOCUMENT_ROOT', '/kunden/homepages/19/d185029666/htdocs/usr_eadultparty/'); // where the pages are located on the server

define('DIR_WS_ADMIN', '/admin/'); // absolute path required

define('DIR_FS_ADMIN', '/kunden/homepages/19/d185029666/htdocs/usr_eadultparty/admin/'); // absolute path required

define('DIR_WS_CATALOG', '/'); // absolute path required

define('DIR_FS_CATALOG', '/kunden/homepages/19/d185029666/htdocs/usr_eadultparty/'); // absolute path required

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');

define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');

define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

// define our database connection

define('DB_SERVER', 'db651.perfora.net'); // eg, localhost - should not be empty for productive servers

define('DB_SERVER_USERNAME', 'dbo195963683');

define('DB_SERVER_PASSWORD', 'wCp7Exgy');

define('DB_DATABASE', 'db195963683');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'

?>

Thanks

patrick

Excellent thread Charles.

 

If I'm not mistaken, aren't the <a href="http://www.notmydomain.com...> tags fine? You are not accessing anything else with that code. You are just setting up a link. Now, if you had a ...src="http://www.notmydomain.com/images/someimage...."> in that tag or in a css file that the tag uses, then that would cause a problem.

 

Another problem I came across that I haven't seen much is the <link > tag. Watch what is put in there. It will cause the same problem.

 

Again, very helpful thread.

Paul

 

Yeah, I have links on my secure page that do not cause an error. In my footer for instance there is a link to osCommerce and my site design company and they do not cause a problem. However my banner did so I had to change that one. Great topic though.


I have read through this great post - however I still have a small problem:

For example if I was to log in to my account (login.php) this is https, once I have entered user and password and select login I get the Security Alert message that I am about to be directed to a page that is not secure - which is index.php

How can I correct this without changing this line to https (which does fix the problem, although I don't want the directory https)?

 

define('HTTP_SERVER', 'http://www.facepaintshop.co.uk'); // eg, http://localhost - should not be empty for productive servers

 

This is the config

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.facepaintshop.co.uk'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://www.facepaintshop.co.uk'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.facepaintshop.co.uk');

define('HTTPS_COOKIE_DOMAIN', 'facepaintshop.co.uk');

define('HTTP_COOKIE_PATH', '/');

define('HTTPS_COOKIE_PATH', '/');

define('DIR_WS_HTTP_CATALOG', '/shop/');

define('DIR_WS_HTTPS_CATALOG', '/shop/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');


Ok I am having a very hard time trying to diagnose an SSL problem. This only occurs after a customer logs in. Can someone tell me if this is normal:

 

When a customer clicks on My Account, the initial account.php page displays in non-SSL until they click a link (i.e. edit "view or change my account...")

Or, when a customer clicks on Checkout, the initial checkout_shipping.php page displays in non-SSL until they hit Continue?

 

Is this right?

 

Shouldn't SSL kick in as soon as you go to the account.php or checkout_shipping.php pages? Why is this? Or how can I make it appear in SSL instantly rather than only after you click something on that page?

 

Thanks everyone.


Why when I add an item to my cart at http://mydomain.com/catalog/, it takes me to http://mydomain.com/catalog/shopping_cart.php and says "Your shopping cart is EMPTY", and it will not add the items on http://mydomain.com.

 

BUT

 

When I go to https://mydomainsecure.com/catalog/ I see the contents of my cart, and when I click on another item it takes me to http://mydomain.com/catalog/index.php?cPath=22 and my cart goes back to 0 items.

 

 

This all started with a restoration of a backup, then my header links to My Account and Checkout were https://mydomainsecure.com from a previous backup of SSL I never got working because of this problem. How can I get SSL working? Here is my catalog/includes/configure.php:

  define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://mydomainsecure.com/'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'www.mydomain.com');
 define('HTTPS_COOKIE_DOMAIN', 'mydomainsecure.com');
 define('HTTP_COOKIE_PATH', '/catalog/');
 define('HTTPS_COOKIE_PATH', '/catalog/');
 define('DIR_WS_HTTP_CATALOG', '/catalog/');
 define('DIR_WS_HTTPS_CATALOG', '/catalog/');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', '/hsphere/local/home/gerhardd/mydomain.com/catalog/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'xxxxxxxx/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

// define our database connection
 define('DB_SERVER', '127.0.0.1'); // eg, localhost - should not be empty for productive servers
 define('DB_SERVER_USERNAME', 'xxxxx');
 define('DB_SERVER_PASSWORD', 'xxxxxx');
 define('DB_DATABASE', 'xxxxxx');
 define('USE_PCONNECT', 'false'); // use persistent connections?
 define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
?>

 

admin/includes/configure.php

  define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
 define('HTTP_CATALOG_SERVER', 'http://mydomain.com');
 define('HTTPS_CATALOG_SERVER', 'https://mydomainsecure.com');
 define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
 define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
 define('DIR_WS_ADMIN', '/admin/');
 define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
 define('DIR_WS_CATALOG', '/catalog/');
 define('DIR_FS_CATALOG', DIR_FS_DOCUMENT_ROOT . DIR_WS_CATALOG);
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
 define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
 define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
 define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
 define('DB_SERVER', '127.0.0.1');
 define('DB_SERVER_USERNAME', 'xxxx');
 define('DB_SERVER_PASSWORD', 'xxxxx');
 define('DB_DATABASE', 'xxxxx');
 define('USE_PCONNECT', 'false');
 define('STORE_SESSIONS', 'mysql');
?>

 

 

Does anyone know why my http and https sites won't work interchangeably? Is my SSL set up correctly? Does osCommerce need any SSL certificates or keys? I set "Check SSL Session ID" to 'true' in my Sessions under my OSC Admin panel, still no luck. Should I call my hosting company?

 

Thanks,


-Eric Schrader


I changed my Admin/includes/configure.php to all https://mydomainsecure.com.

I changed my Catalog/includes/configure.php to:

  define('HTTP_SERVER', 'http://mydomainsecure.com/'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://mydomainsecure.com/'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'mydomainsecure.com');
 define('HTTPS_COOKIE_DOMAIN', 'mydomainsecure.com');

Still no luck. Do I HAVE to buy an SSL server or anything like that? I managed to check out somehow with my above post hopping between urls adding products to my cart, and paypal even returned me to my product when I bought it. My main problem is adding products to my cart and then checking out, it's IMPOSSIBLE. Thanks, please help.


-Eric Schrader


catalog/includes/configure.php:

  define('HTTP_SERVER', 'https://toneworkmediamusic.c4.ixwebhosting.com'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://toneworkmediamusic.c4.ixwebhosting.com'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', '');
 define('HTTPS_COOKIE_DOMAIN', '');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '/');

 

FIXED IT!!!

 

admin/includes/configure.php:

 define('HTTP_SERVER', 'https://toneworkmediamusic.c4.ixwebhosting.com'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
 define('HTTP_CATALOG_SERVER', 'https://toneworkmediamusic.c4.ixwebhosting.com');
 define('HTTPS_CATALOG_SERVER', 'https://toneworkmediamusic.c4.ixwebhosting.com');
 define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

My hosting company changed the cookie domain to '' and now it works!!!! TRY IT!

Here's what they said my problem was:

In order to use shared ssl, your oscommerce site should be running at http://toneworkmediamusic.c4.ixwebhosting.com and the oscommerce site has to be accessed at http://toneworkmediamusic.c4.ixwebhosting.com only when using shared ssl, that's why please be sure to make following changes in toneworkmedia.com/catalog/includes/configure.php :

define('HTTP_SERVER', ''); to define('HTTP_SERVER', 'http://toneworkmediamusic.c4.ixwebhosting.com');

define('HTTPS_SERVER', ''); to define('HTTPS_SERVER', 'https://toneworkmediamusic.c4.ixwebhosting.com');

define('ENABLE_SSL', false); to define('ENABLE_SSL', true);


-Eric Schrader
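
The configure.php listings posted in this thread differ mainly in how the server URL, the cookie domain and the cookie path relate to each other. The PHP check below is an added example, not osCommerce code and not code from any poster; it tests those relationships, including the empty cookie domain that worked in the post above. The function names and the shop.example values are constructed for illustration.

```php
<?php
// Added example (not osCommerce code): sanity-check the URL and cookie
// constants of catalog/includes/configure.php before enabling SSL.
// Function names and the shop.example values below are constructed.

/** RFC 6265 domain-match: may $host set a cookie with Domain=$cookieDomain? */
function cookie_domain_matches(string $host, string $cookieDomain): bool
{
    $host   = strtolower($host);
    $domain = strtolower(ltrim($cookieDomain, '.'));
    if ($domain === '') {
        return true; // no Domain attribute is sent: host-only cookie
    }
    if ($host === $domain) {
        return true;
    }
    // Suffix matching never applies to IP addresses.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix;
}

/** Returns a list of human-readable findings; empty means nothing was flagged. */
function lint_oscommerce_config(array $c): array
{
    $findings = [];
    foreach (['HTTP', 'HTTPS'] as $p) {
        $server  = (string) ($c[$p . '_SERVER'] ?? '');
        $domain  = (string) ($c[$p . '_COOKIE_DOMAIN'] ?? '');
        $path    = (string) ($c[$p . '_COOKIE_PATH'] ?? '');
        $catalog = (string) ($c['DIR_WS_' . $p . '_CATALOG'] ?? '');

        $host = parse_url($server, PHP_URL_HOST);
        if (!is_string($host) || $host === '') {
            $findings[] = "{$p}_SERVER '$server' is not an absolute URL";
            continue;
        }
        if ($p === 'HTTPS' && stripos($server, 'https://') !== 0) {
            $findings[] = "HTTPS_SERVER does not use the https scheme";
        }
        // The server value and the catalog path are joined to form link URLs.
        if (substr($server, -1) === '/' && substr($catalog, 0, 1) === '/') {
            $findings[] = "{$p}_SERVER ends in '/' and DIR_WS_{$p}_CATALOG starts "
                        . "with '/': links will contain '//'";
        }
        if (strpos($domain, '/') !== false || strpos($domain, ':') !== false) {
            $findings[] = "{$p}_COOKIE_DOMAIN '$domain' must be a bare host name";
        } elseif (!cookie_domain_matches($host, $domain)) {
            $findings[] = "{$p}_COOKIE_DOMAIN '$domain' does not match host "
                        . "'$host': the browser will discard the session cookie";
        }
        // Full URL path of the shop (a shared-SSL server value may carry a path).
        $urlPath = rtrim((string) parse_url($server, PHP_URL_PATH), '/') . $catalog;
        if ($path !== '' && $path[0] !== '/') {
            $findings[] = "{$p}_COOKIE_PATH '$path' must start with '/'";
        } elseif ($path !== '' && strpos($urlPath, $path) !== 0) {
            $findings[] = "{$p}_COOKIE_PATH '$path' does not cover shop path '$urlPath'";
        }
    }
    return $findings;
}

// Constructed sample reproducing patterns seen in this thread.
$sample = [
    'HTTP_SERVER'          => 'http://shop.example',
    'HTTP_COOKIE_DOMAIN'   => 'www.shop.example',             // host is not www.*
    'HTTP_COOKIE_PATH'     => '/catalog/',
    'DIR_WS_HTTP_CATALOG'  => '/catalog/',
    'HTTPS_SERVER'         => 'https://secure-shop.example/', // trailing slash
    'HTTPS_COOKIE_DOMAIN'  => 'https://secure-shop.example',  // URL, not a host
    'HTTPS_COOKIE_PATH'    => 'secure-shop.example',          // host, not a path
    'DIR_WS_HTTPS_CATALOG' => '/catalog/',
];

foreach (lint_oscommerce_config($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```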


Just a simple question, what will happen after I buy the SSL certificate? Will they give me some info I can later use on my server or will I have to download some program?

Also I was planning on getting GoDaddy's SSL Certificate, is that a good choice?

One more thing, is it possible to get SSL on every webhost out there? I am planning on changing server soon and I don't want to buy some service I can't use.


:'( I am new to OS Commerce. The guys at Concentric set up our OS Commerce for us at Bowtie Bits. The problem I am having is that I receive an error message which states: Error: I can not write to this file. Please set the right user permissions on: /web/osc//includes/languages/english/shipping.php How can I set the right permissions when it will not let me do anything?

I am extremely frustrated with OS Commerce. We had bcentral/E-CommerceManager and it was so easy to use. User Friendly. OS Commerce is a nightmare. I was also informed that I would have to reenter almost 3,000 products because E-CommerceManger could not be imported. I have my work cut out for me.

Right now, I am trying to enter information in my Shipping & Returns Policies, Conditions and contact information area. I am learning HTML as I go. Which is, of course, another reason I am so frustrated. HTML Challenged!

Please help me.

Thank you,

Marilyn

Bowtie Bits Antique Truck Parts

www.bowtiebits.com

 

 

What is (or Isn't) SSL ?

 

SSL stands for Secure Sockets Layer. This is technology derived in part from the military that encrypts data transfers across the internet. There are several flavours of SSL but the most prevalent one today is 128 bit encryption, but watch out 256 bit encryption is on its way !

For an e-trader, SSL encryption protects your customers' transaction details as they are passed back and forth between their browser and your server \ domain. The data encryption happens at one end using a key and is deciphered at the other end using an equivalent key. The permutations for how data can be encrypted are astronomical making it virtually theft and interference proof during transit.

 

SSL DOES NOT PROTECT your server from attacks, nor your admin or catalog from malicious hacks. In order to protect your server and files you need to use facilities such as firewalls, virus checkers, Apache and IIS user and password protection for directories and files.

 

Why Do I Need SSL ?

 

You need SSL if you are selling to the public for two very good reasons.

 

1) Your customers expect it - As surfers become more sophisticated they look at your site and want to make sure their details will be safe should they order products. SSL seals are part - but a big part - in that re-assurance process. If the choice between two sites comes down to which offers transaction security - do you want to be the site that misses out ?

2) Even if you have unsophisticated customers who do not look for SSL encryption before they buy - if the data they send you is intercepted and misused - you could land up being in heavy lawsuits for amongst many other things negligence. This is a small possibility - but do you want to take the risk ?

 

How Does SSL Work With OsCommerce ?

 

The workings of SSL with osCommerce are quite straightforward.

Once your SSL is installed - see sections below, you set the configuration paths for https:// in catalog/includes/configure.php and admin/includes/configure.php, enable SSL and the code takes care of the rest.

 

If you look through the code you will see example after example of statements that refer to SSL where osC is making a decision based on request type as to whether to display the secured or non secured pages.

 

In short neither you nor your customers has to type in https:// into the address line to get to secure pages. osCommerce will identify from the configuration if SSL is installed and direct browsers to the correct page depending on what the browser is doing on your site.

 

How Do I Get SSL ?

 

1) Surf and find a Certificate issuer you feel happy with where you buy your SSL certificate for a period of time (1 year, 2 years etc etc)

Things to look out for are

 

a) They own or have a trusted root in most browsers.

 

All browsers come pre-installed with so called Trusted roots.

 

These prevent Joe Shmoe and his cousin Joe Bloggs from issuing worthless certificates that cannot do the encrypting to unsuspecting buyers.

 

To see trusted roots if you use IE go to Internet Options under tools and select the content tab where you will see in the middle section all the trusted root certs installed on IE and their issuers.

 

b) If they don't have a trusted root in most browsers make sure they have a cert known as a chaining cert that links whatever they sell to you with a trusted root.

 

What is the difference -

 

Trusted root sellers are EXPENSIVE and very well recognised brands.

 

Chaining certs are affordable - They are still 128 bit encryption hence no less secure - but the brands are less well known.

 

2) Get your host to raise a CSR (Certificate Signing Request) - To do this the host will need certain information from you, especially if they are not also your registrar. Such info will be your domain's registered administrator. This info will be required by the SSL issuer. Along with the CSR they also generate a key that will be used to encrypt and decipher data transmissions from your server \ domain.

Things to look out for are

 

Your certificate will encrypt data in a very precise way - if the cert is issued to www.yourdomain.com it will NOT encrypt transfers between yourdomain.com and browsers and vice versa.

 

So make sure you instruct your host to get the CSR raised with the correct AND full name of the domain you want to be encrypted.

 

I normally use the domain name without the www. qualifier because servers for a number of reasons can strip the www. off, but I have yet to see a server add it on without a deliberate redirect.

 

3) Send the CSR to your cert issuer who will vet the details and write to the administrator noted when the CSR was raised.

 

4) Assuming you are the administrator of your domain - you will have to acknowledge the mail from the issuer and OK the SSL.

 

5) The issuer will raise a SSL cert and send it to you. If you are using a chaining issuer they will also send a chain certificate.

 

6) Send these to your host who will install as follows :

a) The SSL cert will be installed in a directory on your server along with the chaining certificate if applicable.

b) They will also install the key they generated in step 2 above.

c) They will then add certain statements known as directives to your Apache configure files. These tell Apache that the site has SSL encryption certification.

 

Making SSL Work With The Catalog and Admin

 

In order to make SSL work with osCommerce you need to set the correct configuration paths in

 

a) catalog/includes/configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://yourdomain.com'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');

define('HTTPS_COOKIE_DOMAIN', 'yourdomain.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

b) admin/includes/configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'http://www.yourdomain.com');

define('HTTPS_CATALOG_SERVER', 'https://yourdomain.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

* Note the assumptions above - The certificate was issued WITHOUT the www. qualifier and this shop is installed in Catalog directory ONE level below root.

 

In normal working - these changes above will result in a small padlock being shown in the bottom right of your browser status bar when you navigate to a secure page AND your address line will show the https:// URL instead of http://

 

Trouble Shooting

 

1) Security Alert

 

The alert box says info you exchange with this site cannot be viewed or changed by others. However there is a problem with the sites security certificate.

 

The box has 3 levels of alert

 

a) The certificate is from a trusted certifying authority - Green tick for good or Red cross for bad will show

b) The security certificate date is valid - Green tick for good or Red cross for bad will show

c) The name on the security certificate is invalid or does not match the name of the site - Green tick for good or Red cross for bad will show

 

If the problem is a) then you need to take account of How Do I Get SSL point 1 above !

If the problem is b) you need to extend the certificate's validity - refer to the issuer.

If the problem is c) Your certificate has probably been issued with or without the www. and you have used the other spelling in your configure files. Make sure the cert name as issued is used in the configure.php files. (See How Do I Get SSL point 2 above)

 

2) This page has both secure and insecure items

 

This alert appears if the secured page the browser is trying to show has objects or references that point to non secured domains.

 

So for instance if you had a graphical image of credit cards as processed by your gateway and say you were hotlinking to the images with a piece of code such as <img src="http://mycreditcardprocessor.com.....> That image is not on your encrypted domain hence the alert would show.

 

Often this problem will appear from one or more of three sources

 

a) Where you are hotlinking images for your products from the wholesalers server

b) objects in your footer

c) objects in your boxes in the columns

 

3) Page 404 (unavailable)

 

If you set your site up and during install you choose SSL security WITHOUT having done the stuff in here you may get 404's when you try to access secured pages.

 

Wrapping Up

 

1) Self issued certificates

 

Some people have dedicated servers and even on some shared server you can raise a self issued SSL certification. This does everything as above except the certificate root does not exist in browsers. Therefore your site may be secure (although I do not profess to know if self certificates offer 128 bit encryption), BUT your site visitors will ALWAYS get the alert in Trouble Shooting point 1.

 

Even though the alert says the site is safe, this is perhaps worse than not having a certificate as it alerts people to the fact that there is a problem with the certificate - and people do not like problems !!!

 

2) Shared SSL certificates

 

Talk to your host for the path you need to apply in your configure.php paths

 

Charles
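
The rule in Trouble Shooting point 2, and in the replies that separate plain `<a href>` links from `src` attributes and `<link>` tags, can be checked mechanically on a saved copy of a secure page. The PHP below is an added example, not part of the original guide or of osCommerce; `find_insecure_subresources()` and the sample page are constructed, and the list of tags it checks is a reasonable subset rather than an exhaustive one.

```php
<?php
// Added example (not osCommerce code): list what a page served over https://
// would still fetch over http://. Names and the sample page are constructed.

function find_insecure_subresources(string $html): array
{
    // Elements that fetch a URL when the page renders, and the attribute used.
    // <a href> is deliberately absent: a link is only followed on click.
    $loaders = [
        'img' => 'src', 'script' => 'src', 'iframe' => 'src', 'embed' => 'src',
        'input' => 'src', 'object' => 'data', 'link' => 'href',
    ];

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate real-world tag soup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Relative URLs resolve against <base href>, so an http:// base makes
    // every relative image or stylesheet insecure as well.
    $base = '';
    foreach ($doc->getElementsByTagName('base') as $b) {
        $base = trim($b->getAttribute('href'));
        break;
    }
    $baseInsecure = stripos($base, 'http://') === 0;

    $insecure = function (string $url) use ($baseInsecure): bool {
        if ($url === '') {
            return false;
        }
        if (stripos($url, 'http://') === 0) {
            return true;
        }
        $hasSchemeOrHost = preg_match('~^([a-z][a-z0-9+.-]*:|//)~i', $url) === 1;
        return !$hasSchemeOrHost && $baseInsecure;
    };

    $hits = [];
    foreach ($loaders as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            if ($tag === 'link' && !preg_match('/stylesheet|icon/i', $el->getAttribute('rel'))) {
                continue; // e.g. rel="canonical" is never fetched
            }
            $url = trim($el->getAttribute($attr));
            if ($insecure($url)) {
                $hits[] = "<$tag $attr=\"$url\">";
            }
        }
    }

    // url(...) references in <style> blocks and style="" attributes.
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//style | //@style') as $node) {
        if (preg_match_all('~url\(\s*[\'"]?([^\'")\s]+)~i', $node->nodeValue, $m)) {
            foreach ($m[1] as $url) {
                if ($insecure($url)) {
                    $hits[] = "css url($url)";
                }
            }
        }
    }
    return $hits;
}

// Constructed sample page.
$page = <<<'HTML'
<html><head>
<link rel="stylesheet" href="http://static.shop.example/stylesheet.css">
</head><body>
<a href="http://partner.example/">a plain link: not reported</a>
<img src="https://shop.example/images/logo.gif">
<img src="http://cards.example/visa.gif">
<div style="background: url('http://static.shop.example/bg.png')"></div>
</body></html>
HTML;

foreach (find_insecure_subresources($page) as $hit) {
    echo $hit, PHP_EOL;
}
```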


Hiya, having trouble getting ssl to work, i have tried to follow the threads in here, but am still having small problems.

i have a shared ssl for my site.

Can someone help, when i go to check out i get a 404 error.

My hosting company told me to create a ssl folder and copy the contents of my shop into the ssl folder.

for some reason, i can not get anything to work, after i have added the ssl website link.

 

this is my includes/configure

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://tarantulahouse.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://ssl26.servage.net/BLANKED OUT/'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'tarantulahouse.com');

define('HTTPS_COOKIE_DOMAIN', '');

define('HTTP_COOKIE_PATH', '/estore');

define('HTTPS_COOKIE_PATH', '');

define('DIR_WS_HTTP_CATALOG', '/estore/');

define('DIR_WS_HTTPS_CATALOG', '');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

and this is my admin/configure

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://tarantulahouse.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'http://tarantulahouse.com');

define('HTTPS_CATALOG_SERVER', 'https://ssl26.servage.net/BLANKED OUT/');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

define('DIR_FS_DOCUMENT_ROOT', '/home45c/sub001/BLANKED OUT/www/estore/'); // where the pages are located on the server

define('DIR_WS_ADMIN', '/estore/admin/'); // absolute path required

define('DIR_FS_ADMIN', '/home45c/sub001/BLANKED OUT/www/estore/admin/'); // absolute path required

define('DIR_WS_CATALOG', '/estore/'); // absolute path required

define('DIR_FS_CATALOG', '/home45c/sub001/sBLANKED OUT/www/estore/'); // absolute path required

define('DIR_WS_IMAGES', 'images/');

 

Thanks

Barry

:'( I am new to OS Commerce. The guys at Concentric set up our OS Commerce for us at Bowtie Bits. The problem I am having is that I receive an error message which states: Error: I can not write to this file. Please set the right user permissions on: /web/osc//includes/languages/english/shipping.php How can I set the right permissions when it will not let me do anything?

I am extremely frustrated with OS Commerce. We had bcentral/E-CommerceManager and it was so easy to use. User Friendly. OS Commerce is a nightmare. I was also informed that I would have to reenter almost 3,000 products because E-CommerceManger could not be imported. I have my work cut out for me.

Right now, I am trying to enter information in my Shipping & Returns Policies, Conditions and contact information area. I am learning HTML as I go. Which is, of course, another reason I am so frustrated. HTML Challenged!

You should start from the people who installed it. For us it is not possible to know what version and with what modules osc was installed. The stock osc latest version can be found here

http://www.oscommerce.com/solutions/downloads

There is a double forward slash with the path and that indicates the configuration is not done properly

/web/osc//includes......

Also how do you try to edit the files? Typically you should use an ftp tool and a regular editor. You download the file from the server, change its contents and re-upload it. osC uses php so it requires some knowledge to start editing code. The contributions section can help a lot by setting up various modules (like the information pages) you can edit the content of the pages you want directly from the osc Admin along with a nice word-processor - like interface - by using one of the html formatters available again from the contributions.

http://www.oscommerce.com/community/contributions,1026


sorry might have to forget my message as it seems the hosting company gave me the wrong ssl links to use. just checking now.

Thank you, very informative post.

Hey all,

My problem is that I got this "This page has both secure and insecure items...", so I've changed the configure.php to use the HTTPS server for both http:// and https:// and the problem is gone.

 

my code:

 

define('HTTP_SERVER', 'https://www.shop.blabla.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.shop.blabla.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'shop.blabla.com');
define('HTTPS_COOKIE_DOMAIN', 'shop.blabla.com');

 

 

------------------------------------------------------------------------------

 

The problem is that GeoTrust set up my SSL for www.shop.blabla.com and not shop.blabla.com, and I cannot change it for 3 weeks.

Is it OK if I use this code for now??

I guess I better add this tip here, it's the logical place after all.

 

This is for people who are having trouble getting ssl to work, especially shared ssl. The way I've written it is oriented towards a 1&1 server but its use is general and applies to all servers. It's all about setting line 41 in application_top.php for those cases where the standard query does not work.

 

This is line 41:

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

Now that's a very narrow test and lots of servers won't respond with on (or at all) to that. So the trick is to find out how the server does respond.

 

Create a little file, I named it myenv.php, with these lines:

 

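<?php
 // Diagnostic page: prints how this server reports host, port and SSL state.
 // $HTTP_HOST only exists with register_globals, so read it with getenv() like the rest.
 echo 'HTTP HOST: ' . getenv('HTTP_HOST');
 echo '<br>Server Port: ' . getenv('SERVER_PORT');
 echo '<br>SSL Status: ' . getenv('HTTPS');
 echo '<br>Forwarded Server: ' . getenv('HTTP_X_FORWARDED_SERVER');
 echo '<br>Forwarded Host: ' . getenv('HTTP_X_FORWARDED_HOST');
 echo '<br>Forwarded By: ' . getenv('HTTP_X_FORWARDED_BY');
?>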

 

If you put that somewhere on the server, probably root and run it like so:

 

https://ssl.shared.com/mydomain.com/myenv.php you'll be able to see how the server responds to these queries. You'll need to change this to fit your situation but you get the idea.

 

Some dedicated ssls respond with a 1 instead of on to No. 3 for example.

 

Shared servers may respond differently to 4 & 5 but 1&1 gives the same response to both.

 

Once you know how the server answers these queries you can figure out the best solution for line 41 in application_top.php.

 

If, for example, you have a dedicated ssl and query 3 returns a 1 then you simply change line 41 to:

 

$request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

 

Frequently on shared servers you'll get no response at all to getenv('HTTPS'). This is where the other responses are useful (and most people have problems).

 

----- Quote cut short for obvious reasons -----------------

 

Thank you so much, I can now finally tell my customer that her site is done!


I'm kinda new to OsC, but I'm picking up quickly.


I'm fairly new to OSC but not to the whole rodeo in general. This is why I'm particularly frustrated. Hopefully someone can help.

 

Problem: When I go to check out, I receive a 404 error.

 

 

Information: I have two directories. One is a 'secure' dir, one is a public dir. I have NOTHING in the secure dir (which from the reading I've done is correct) and I'm running OSC in the root of the public dir.

 

Here are snippets of my configuration files:

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.computers.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://computers.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'http://www.computers.com');
define('HTTPS_COOKIE_DOMAIN', 'https://computers.com');
define('HTTP_COOKIE_PATH', 'http://www.computers.com');
define('HTTPS_COOKIE_PATH', 'https://computers.com');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

 

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.computers.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.computers.com');
define('HTTPS_CATALOG_SERVER', 'https://computers.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/usr/local/pem/vhosts/119/webspace/httpdocs/computers/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/admin/'); // absolute path required
define('DIR_FS_ADMIN', '/usr/local/pem/vhosts/119/webspace/httpdocs/computers/admin/'); // absolute path required
define('DIR_WS_CATALOG', '/'); // absolute path required
define('DIR_FS_CATALOG', '/usr/local/pem/vhosts/119/webspace/httpdocs/computers/'); // absolute path required

 

 

 

Any suggestions would be greatly appreciated.

 

Thanks.

 

Joshua


Ok, I have a self signed SSL cert through my hosting company, but when I contacted them with regard to the proper secure server to point Oscommerce to I got 2 different answers and I want to make sure before I sign up for anything additional I am getting what I actually need.

 

One person on the support message board (I opened a service request ticket so this is an actual employee of the host) told me I need to purchase a dedicated server for $99 a year

 

Another person in live chat told me I need to purchase a static IP address for $2.50 per month

 

Before I actually got replies from my own host I was going to go through GoDaddy and do the Turbo SSL for $19.99

 

What is it exactly that I need?

Ok, I have a self signed SSL cert through my hosting company, but when I contacted them with regard to the proper secure server to point Oscommerce to I got 2 different answers and I want to make sure before I sign up for anything additional I am getting what I actually need.

 

One person on the support message board (I opened a service request ticket so this is an actual employee of the host) told me I need to purchase a dedicated server for $99 a year

 

Another person in live chat told me I need to purchase a static IP address for $2.50 per month

 

Before I actually got replies from my own host I was going to go through GoDaddy and do the Turbo SSL for $19.99

 

What is it exactly that I need?

 

FYI for anyone who may need it, I found on one of my regular coupon sites I use a coupon for 10% off your total order at GoDaddy valid until 5/31/07 Coupon Code: GADGET1

 

I haven't ordered yet, but I did call GoDaddy to verify I would need nothing else in purchasing Turbo SSL and they confirmed that I would not need to buy anything else for me to have a secure site, I asked specifically about dedicated server and static IP. Since the GoDaddy price beats my host, even though from the questions I asked GoDaddy I am thinking my host just wants to try and force me to purchase more crap that I don't really need, so with the coupon mentioned above Turbo SSL is in my cart for $17.99 a year, that works for me.


OMG is this a never ending nightmare or what?? I signed up for the GoDaddy Turbo SSL cert and I am now waiting for GoDaddy to get certification from my host! I already had that on my own self issued SSL cert. According to the email I received they need approval from my host to issue a certificate as well as my secure server info from them and if my host declines it, or never responds to the email since it was sent to a generic tech support address, I am still going to be in the same boat....this is a nightmare! The secure server info was what I was trying to get them to tell me from the get go that they claimed I needed to purchase additional, so much for having called GoDaddy to verify I didn't need anything else including a static IP or dedicated server. So now I sit and wait for who knows how long to see what happens next. There has to be a simpler way to do this! I need to go spend some time on Club Pogo and decompress from all of this!


Hi Everyone,

 

I have just installed a private SSL certificate, so far everything seems to work all right. However I am facing just one problem.

I am getting the following message: Warning: I am able to write to the configuration file: /public_html/catalog/includes/configure.php.

This is a potential security risk - please set the right user permissions on this file.

The configure.php files are set to 644, I tried 755 and 777 as well, but none worked out the problem.

Does anyone have any idea what should I do to fix it?

Any help is very much appreciated.

Kind regards,

BrazilianLink


By "tempory," do you mean a self-signing cert that was generated in your control panel? If so, those are not meant to be used for a live site.

 

Jack

By "tempory," do you mean a self-signing cert that was generated in your control panel? If so, those are not meant to be used for a live site.

 

Jack

 

Thanks Jack,

 

Is that the reason why the small lock does not show up on https pages? Is digicert a good company to purchase certs?

Hi there, I installed a temporary certificate on my site, which works fine, however, even though the https page comes up, I do not get the tiny 'lock' icon at the bottom of the browser which shows that a site is secure: https://lizmannette.com/store/catalog/login.php

 

Can anyone please advise?

 

What you need to look out for is the way in which the server responds to the test for SSL or NONSSL connections.

 

In catalog/includes/application_top.php, around line 41, look for the test and adjust to suit.

 

This was original and did not work for me...

as it required the server to respond to the getenv() function with a meaningful answer.

 

// set the type of request (secure or not) 2 methods that did not work for my server setup....
// $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
// $request_type = (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on')) ? 'SSL' : 'NONSSL';

 

As you can see the $request_type variable needs to be set to SSL or NONSSL based on the getenv() function

 

For my server I needed to set it to the secure server name.

 

$request_type =($_SERVER['HTTP_HOST'] =='secure.rpc.com.au') ? 'SSL':'NONSSL';

 

There are hints most probably in this forum explaining a few tests you can do to see how your server responds.

 

Best of luck!!!

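
The line-41 tip quoted earlier in the thread and the reply just above both adjust the SSL test in application_top.php to whatever the server actually reports. The following is an added example, not code from the posts or from osCommerce: it combines the checks they discuss and accepts the forwarded host only when the request comes from the host's own SSL proxy, because X-Forwarded-* values are request headers that any client can send. The function name, host names and proxy address are assumptions.

```php
<?php
// Added example, not osCommerce code. Host names and the proxy address are
// constructed placeholders; replace them with what the diagnostic page shows.
const SSL_HOSTS       = ['secure.example.com']; // assumed secure host name
const SHARED_SSL_HOST = 'ssl.shared.example';   // assumed shared-SSL proxy host
const TRUSTED_PROXIES = ['192.0.2.10'];         // assumed address of the host's SSL proxy

function detect_request_type(array $s): string
{
    // 1. Native indicator: some servers report 'on', others '1'.
    $https = strtolower((string)($s['HTTPS'] ?? ''));
    if ($https === 'on' || $https === '1') {
        return 'SSL';
    }
    // 2. Port the request arrived on.
    if ((string)($s['SERVER_PORT'] ?? '') === '443') {
        return 'SSL';
    }
    // 3. Shared SSL: the forwarded host is a client-controllable header,
    //    so accept it only when the peer is the host's own proxy.
    $peer = $s['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true)) {
        $fwd = strtolower($s['HTTP_X_FORWARDED_HOST'] ?? '');
        if ($fwd === SHARED_SSL_HOST) {
            return 'SSL';
        }
    }
    // 4. Secure host name (the approach in the reply above); strip any port first.
    $host = strtolower(preg_replace('/:\d+$/', '', $s['HTTP_HOST'] ?? ''));
    return in_array($host, SSL_HOSTS, true) ? 'SSL' : 'NONSSL';
}

// Constructed sample environments (not captured from a real server).
$samples = [
    'HTTPS=on'             => ['HTTPS' => 'on', 'SERVER_PORT' => '443'],
    'HTTPS=1'              => ['HTTPS' => '1'],
    'shared SSL via proxy' => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '192.0.2.10',
                               'HTTP_X_FORWARDED_HOST' => 'ssl.shared.example'],
    'spoofed header'       => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '203.0.113.7',
                               'HTTP_X_FORWARDED_HOST' => 'ssl.shared.example'],
    'secure host name'     => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'secure.example.com'],
    'plain HTTP'           => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'www.example.com'],
];
foreach ($samples as $label => $env) {
    printf("%-22s %s\n", $label, detect_request_type($env));
}
```

In application_top.php this would be called as `$request_type = detect_request_type($_SERVER);`. Check 4 is only sound when the secure host name is never served over plain HTTP, since HTTP_HOST is also taken from the request.
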
Thanks Jack,

 

Is that the reason why the small lock does not show up on https pages? Is digicert a good company to purchase certs?

Most likely. I am not familiar with digicert but most companies selling certs are just resellers. So if they offer a good price and service, they are as good as any others.

 

Jack
