jpweber

How to install SSL on OSC: A Simple 1-2-3 Instruction


This is as simple as it gets -- how to install SSL, which is a mandate on every e-commerce site, easily and effectively on OSC:

 

(1) Inform your host. Tell your host you're going to install SSL through another company. They shouldn't charge you, but they might ... 10 bucks or whatever. They'll e-mail you a CSR (certificate signing request), which is really just a big clump of mumble-jumbled coding.

 

(2) Find an SSL Company. A popular one seems to be the RapidSSL by Geotrust, 'cause it's cheap, but there are plenty. Many people use Geotrust, Verisign, Network Solutions, GoDaddy, and others. A simple Google search can give you plenty of other options. Make sure it has at least 128-bit data encryption, and is compatible with all browsers. Make sure it has a trusted root. Make sure it puts a padlock in your browser. These are all questions you'll ask the SSL company.

 

(3) Purchase the SSL. E-mail the SSL company your CSR that your host gave to you. Be sure that both your host and the SSL company are on the same page -- assign your SSL to either http://www.yoursite.com, or http://yoursite.com -- but make sure the host and the SSL company are on the same page, and both do the same thing.

 

(4) Go back to your host. You'll receive an SSL Certificate Key from the SSL company once purchased. This will be more mumble-jumbled coding in your e-mail. E-mail the SSL Certificate Key back to your host. They'll install it for you.

 

(5) Alter your config files. All you need to do now is to alter your configure.php files. They're located in (path to catalog)/includes/configure.php, and (path to catalog)/admin/includes/configure.php. OSC is designed to protect the pages that require data encryption, and altering your config files will do this for you. These pages include login, create_account, checkout, etc., and any other pages that require data input by the end-user.

 

(6) In includes/configure.php, set the SSL to "true"; it should look something like this near the top, if you assigned the SSL to www.yoursite.com:

define('HTTP_SERVER', 'http://www.yoursite.com');

define('HTTPS_SERVER', 'https://www.yoursite.com');

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', '.yoursite.com');

define('HTTPS_COOKIE_DOMAIN', '.yoursite.com');

 

(7) In admin/includes/configure.php, set the SSL to "true" and add an "s" after all the http's. So it'll look something like this, if assigned to www.yoursite.com:

define('HTTP_SERVER', 'https://www.yoursite.com/');

define('HTTP_CATALOG_SERVER', 'https://www.yoursite.com/');

define('HTTPS_CATALOG_SERVER', 'https://www.yoursite.com/');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

(8) Save and upload your configure.php files to their appropriate directories, perhaps using your FTP tool, or other upload tool of choice, and your SSL should be running smoothly and efficiently.


Good article J. I'd also add that most hosting companies will also purchase and install the SSL for you for just a few bucks more if you don't want the hassle of doing this all yourself (I paid $50 for MediaTemple to purchase and install mine for example).

 

Once it's done all you do is alter your config files and you're away.


Thanks. Ev1 Servers even sells a Rapid SSL for $15, and I think that does the job 'cause it's Geotrust.


Thanks for the guide. I followed all directions and have a few questions.

 

My Oscommerce admin panel still says "You are not protected by a secure SSL connection". But the cert is installed.... and I can go to https defined urls in shopping cart. I do get the "some items aren't..." thing but I have a module with links back to my non-cart site I could remove.

 

Oddly, the "cart contents" wants to send one to an http, whereas the other links defined by oscommerce want to go to an https. Why is that?

 

Finally, I may have a complication insofar as I have "Powered by ECJoomCommerce V1.1.53" in order to make this stuff work in Joomla... but, of course, any comments welcome.

 

One other thing, I don't know if it matters, I have an index.html file as an under construction page... and in order to actually get to the "real" homepage, one has to type the /index.php. Could this screw stuff in that the directions way above stipulate entering "www.yoursite.com" without the /index.php part?


Hi. First, could you provide your web address so we could look? Secondly, there are only a few pages that require protecting in SSL. The only pages that require SSL protection are login, create_account, my_account, checkout, etc., etc., ..... basically, pages that require data input on the end-user's behalf. SSL encrypts this data, so that when it passes through other servers, it's unreadable. This is good for a lot of privacy issues, and especially when you're dealing with credit card numbers!

 

Why would you have both an index.html, and an index.php? Get rid of one of them so customers can just type in www.gotowebsite.com! Make it as simple on the customer as possible! Besides, I don't understand the point in having two pages. The directions that were stated, however, were completely related to your catalog/includes/configure.php and catalog/admin/includes/configure.php files. Regardless, NO, it will not screw up your configures just because you have two separate index files. Your configs will still be www.yoursite.com, and https://www.yoursite.com ...


Special note to shared SSL users, in particular bluehost users. Now I don't really recommend Shared SSL, although it's worked for many. I'd prefer the real thing. Anyway, with bluehost, your config files would look like this (note: "username" refers to the username given to you by Bluehost):

 

Includes/Configure.php:

define('HTTP_SERVER', 'http://www.yoursite.com');

define('HTTPS_SERVER', 'https://secure.bluehost.com/~username');

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', '.yoursite.com');

define('HTTPS_COOKIE_DOMAIN', 'secure.bluehost.com/~username');

 

Admin/Includes/Configure.php:

define('HTTP_SERVER', 'https://www.yoursite.com');

define('HTTP_CATALOG_SERVER', 'https://www.yoursite.com');

define('HTTPS_CATALOG_SERVER', 'https://secure.bluehost.com/~username');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

As is any case with Shared SSL, you'll have to contact your host for the proper configure files, but a simple google search will help, seeing as that many users using the same Shared SSL have already installed OSC beforehand, and have posted about it. So search the web, or call your host -- but if you're going through Bluehost, you already know now. Good luck!


Please can you help?

I have a dedicated SSL certificate and it's working fine on my pages, except that in admin I get this message:

***You are protected by a unknown secure SSL connection.***

 

How can I fix it?

 

My Webpage


Anna, yes, you have Geotrust, so make sure that in your catalog/admin/includes/configure.php file, everything is set to https://, like I have in the directions.

 

define('HTTP_SERVER', 'https://www.arlisa-bijoux.com');

define('HTTP_CATALOG_SERVER', 'https://www.arlisa-bijoux.com');

define('HTTPS_CATALOG_SERVER', 'https://www.arlisa-bijoux.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

 

Furthermore, let's take a look at your catalog/admin/index.php. You will have coding in there that looks like this:

if (getenv('HTTPS') == 'on') {

$size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');

$contents[] = array('params' => 'class="infoBox"',

'text' => tep_image(DIR_WS_ICONS . 'locked.gif', ICON_LOCKED, '', '', 'align="right"') . sprintf(BOX_CONNECTION_PROTECTED, $size));

} else {

$contents[] = array('params' => 'class="infoBox"',

'text' => tep_image(DIR_WS_ICONS . 'unlocked.gif', ICON_UNLOCKED, '', '', 'align="right"') . BOX_CONNECTION_UNPROTECTED);

}

 

You may need to change the (getenv('HTTPS') == 'on') part if you've changed it before to get SSL working. As to the wording of the message, I've yet to use a server which actually returns anything for getenv('SSL_CIPHER_ALGKEYSIZE'), so the message will be the one that BOX_CONNECTION_UNKNOWN points to in your language file.

 

By playing with those lines and your language file you can get any result you wish.

 

If the problem still persists, e-mail/message me ... Yahoo Messenger name is on there. Good luck.


Thanks for your reply Jason.

The only way I could change that was by editing the definition of BOX_CONNECTION_UNKNOWN in admin/includes/languages/index.php

So basically whether admin states you have an unknown or known ssl connection doesn't make any difference to how the actual certificate works?

I'm slightly confused. :blink:


Yes. The key is that you have a padlock in your browser and an httpS:// in your address bar within your browser.


Thanks. I've been worrying about that for nothing then. :lol:


Anything different about how this works with Open SSL on my own server?

I'm using Paypal's Website Payment Pro setup for the credit cards, and there's no lock showing up in my browser, although the payment module works (I was thinking it wouldn't if Paypal didn't detect SSL)...

I show OPEN SSL support enabled in OSC info.

 

www.smartgirlteesinc.com/storefront

 

Thanks.

Neil


Additionally, I had to alter the following two lines in order to work on the admin side of my cart:

 

define('HTTP_SERVER', 'https://www.yoursite.com/');

define('HTTP_CATALOG_SERVER', 'https://www.yoursite.com/');

 

If you use an httpS:// for http:// pages, it won't load.

-N


Jason, I have a question :blush:

 

After trying to install my SSL seal I realised my site was coming up as unknown at Geotrust. I phoned them and they said my cert was issued at www.arlisa-bijoux.com and that I had configured the files without the www. Furthermore, I was told a pop up was alerting visitors about unsecure items.

So that's how I changed my files, can you check if it's correct please?

 

catalog/includes/config.php

 

define('HTTP_SERVER', 'http://www.arlisa-bijoux.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.arlisa-bijoux.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.arlisa-bijoux.com');
define('HTTPS_COOKIE_DOMAIN', 'www.arlisa-bijoux.com');

 

catalog/admin/includes/config.php

 

define('HTTP_SERVER', 'https://www.arlisa-bijoux.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'https://www.arlisa-bijoux.com');
define('HTTPS_CATALOG_SERVER', 'https://www.arlisa-bijoux.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module


Your SSL seems to be functioning perfectly, Anna. Config files are fine. For future reference, if you do get a popup box in IE that says "this page contains both secure and nonsecure items. Do you wish to view the nonsecure items?", then this is your problem:

 

You have *something* in your code that has an http:// link in it. This might be a reference to an image, such as http://www.arlisa-bijoux.com/shop/images/image1.jpg, or it could be a link, such as <a href="http://www.yahoo.com">Visit Yahoo Personals Today!</a>. Or it could be an embedded flash file.

 

The solution:

If you cannot get rid of the http:// and do something like ../images/image1.jpg, then find the page you have the http:// link on, and add an 's' to it. So it'll look like this: <a href="https://www.yahoo.com">Visit Yahoo Personals Today!</a>. Just add the 's' to it, and you won't get that error.

 

Furthermore, there are some things regarding your site that I'd really like to talk to you about, Anna. It's a very nice website, nice color scheme. You have PWA in there, good. You have changed the default look of OSC, good. Have your own buttons, good. But there are some serious things that I'd like to talk to you about, Anna, because this is too nice of a site to let go to waste.

 

And I speak a little French, too! Send me an e-mail, or find me on messenger (all of that's in my profile), and we'll go from there.

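The "secure and nonsecure items" prompt discussed in the post above appears when a page served over https:// loads a resource over http://. The scanner below is an added example, not part of the original post or of osCommerce: it lists those resources, resolves relative URLs against a `<base href>` when one is present, and skips plain hyperlinks, which the browser only follows on click. The sample pages and the example.org / example.net hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute the browser fetches while rendering the page.
# <a href> is deliberately absent: a hyperlink is only followed on click.
FETCHED = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
           "object": "data", "input": "src", "link": "href"}
LINK_RELS = {"stylesheet", "icon"}  # <link> kinds that fetch a resource


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced when the page carries <base href>
        self.findings = []     # (line number, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
            return
        attr = FETCHED.get(tag)
        if attr is None or not attrs.get(attr):
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LINK_RELS:
                return
        url = urljoin(self.base, attrs[attr].strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, url))


def find_mixed_content(html, page_url):
    """List (line, tag, url) for every http:// resource an HTTPS page loads."""
    if urlsplit(page_url).scheme != "https":
        return []              # a page served over http:// has nothing to mix
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a login page as the browser receives it.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="stylesheet.css">
</head><body>
<img src="images/logo.gif">
<img src="http://www.yoursite.com/images/banner.jpg">
<a href="http://www.example.org/">partner site</a>
<script src="//stats.example.net/counter.js"></script>
<embed src="http://www.yoursite.com/intro.swf">
</body></html>"""

# Constructed sample: relative image, but the base URL is still http://.
BASE_PAGE = ('<base href="http://www.yoursite.com/catalog/">\n'
             '<img src="images/logo.gif">')

if __name__ == "__main__":
    for page in (SAMPLE_PAGE, BASE_PAGE):
        for line, tag, url in find_mixed_content(
                page, "https://www.yoursite.com/catalog/login.php"):
            print(f"line {line}: <{tag}> loads {url}")
```

Run it against the HTML the server actually sends for an https:// page (view source), not against the PHP templates, so that URLs assembled from the configure.php constants are included.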

Jason, thank you for your help. I appreciate it.

 

I pm'd you. (your e-mail's private)


Jason,

Thanks for making this simple. I'm currently looking into installing SSL on my site and this has helped a lot. In the process of researching this I found your post and a few others. On one of the posts the person said we should change the configure.php to:

 

a) catalog/includes/configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://yourdomain.com'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');

define('HTTPS_COOKIE_DOMAIN', 'yourdomain.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

b) admin/includes/configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'http://www.yourdomain.com');

define('HTTPS_CATALOG_SERVER', 'https://yourdomain.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

The difference appears to be in the additional "s" in the http. Your solution calls for the extra "s." Why is that?


Harry:

 

In your catalog/includes/configure.php, your cookie domains should have 2 periods in 'em -- start with a period, and then the .com (or .net, or whatever).

 

So in this case:

define('HTTP_COOKIE_DOMAIN', '.yourdomain.com');

define('HTTPS_COOKIE_DOMAIN', '.yourdomain.com');

 

Regarding putting the extra "s" in after http:// in catalog/admin/includes/configure.php, so it's https:// in each one, that just comes from experience dealing with OSC. I can't give you a technical reason one way or the other. I'm not sure if it's a bug, or what, but it didn't work in mine until I added the extra 's', and the same is true for just about anyone and everyone I've ever talked to.


The "s" is for "secure". http:// addresses are not secure.

https:// addresses are secure.

-Neil

 


Hi Jason,

First off, thanks for the great tutorial! I found it extremely helpful and I have it bookmarked for future use.

 

I have a quick question for you or any other knowledgeable vet OS Commerce people.

 

I just installed an SSL certificate on my client's server.

 

This is what I put on the catalog/includes file

define('HTTP_SERVER', 'http://lymphedivas.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://lymphedivas.com/catalog/'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', '.lymphedivas.com');

define('HTTPS_COOKIE_DOMAIN', '.lymphedivas.com');

 

I realized that the bolded part was necessary after it repeatedly would look for pages like www.lymphedivas.comlogin.php (note lack of slash or catalog/, should read lymphedivas.com/catalog/login.php). I had to add the "/catalog/" for it to find any pages in that folder.

 

The cart works well on every page and checkout until I go to login, then if you go to login here:

https://lymphedivas.com/catalog/login.php

 

it will then spit out

https://lymphedivas.com/catalog//catalog/index.php?osCsid=d369e343c6f131a2da71291af49f56df

 

Notice the bolded area. In this one instance it adds the "/catalog/"

 

Any idea of how to tame that? I need it to go to https://lymphedivas.com/catalog/index.php?osCsid=d369e343c6f131a2da71291af49f56df

 

Thanks in advance!

 

Please let me know if I need to add more info.


Fixed. Had the wrong extension in the separate config file.

 

Once again. Thanks a million for the help!


I have a dedicated SSL cert. My hosting company creates 2 directories for me, public_html and public_ssl. HTTP requests are directed to the public_html directory and HTTPS requests are directed to the public_ssl directory. Do I need to install osc in both directories in order for it to switch back and forth?

 

Thanks in advance.


Kevin: it appears that your certificate is issued for www .... so you might want to put your site's configure/includes files all in www.lymphedivas.com, not http://lymphedivas.com. You could run into some issues with some browsers.

 

Secondly, on your index page -- I'm not sure if it's catalog/index.php, or catalog/includes/languages/english/index.php ... anyway, somewhere, somehow, you have an http:// link there. Add an "s" after the http:// ... so it looks like https:// ..... do this for every http:// link, or else you'll get the ol' Bill Gates "do you wish to display nonsecure items?" box every time.

 

Just add that 's' in your index.php file, wherever the http:// link is.

 

Good luck.

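Three configuration problems recur in this thread: a certificate issued for www while the shop is configured without it, a path in HTTPS_SERVER that ends up doubled or missing in generated links, and cookie domains that have to cover the server host. The checker below is an added example, not code from any post or from osCommerce, that tests a catalog/includes/configure.php text for all three. It assumes secure links are built as HTTPS_SERVER + DIR_WS_HTTPS_CATALOG + page name; the function names, sample configs and certificate name list are constructed.

```python
import re
from urllib.parse import urlsplit

# Matches define('NAME', 'text') and define('NAME', true|false).
DEFINE_RE = re.compile(
    r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")


def parse_defines(php_text):
    """Return {NAME: value} for the simple define() lines of configure.php."""
    return {name: (flag == "true") if flag else text
            for name, text, flag in DEFINE_RE.findall(php_text)}


def cert_covers(host, cert_names):
    """Exact name match, or a '*.' name standing in for one leading label."""
    host = host.lower()
    wildcard = "*." + host.split(".", 1)[1] if "." in host else None
    return any(name.lower() in (host, wildcard) for name in cert_names)


def lint_catalog_config(php_text, cert_names):
    """Return the problems found in a catalog/includes/configure.php text."""
    cfg = parse_defines(php_text)

    def text(key):
        return str(cfg.get(key, ""))

    http, https = urlsplit(text("HTTP_SERVER")), urlsplit(text("HTTPS_SERVER"))
    problems = []
    if cfg.get("ENABLE_SSL") not in (True, "true"):
        problems.append("ENABLE_SSL is not true")
    if https.scheme != "https":
        problems.append("HTTPS_SERVER is not an https:// URL")
    # Assumption: a secure link is HTTPS_SERVER + DIR_WS_HTTPS_CATALOG + page.
    link = text("HTTPS_SERVER") + text("DIR_WS_HTTPS_CATALOG") + "login.php"
    built = urlsplit(link)
    if built.hostname != https.hostname or "//" in built.path:
        problems.append("secure link is malformed: " + link)
    if https.hostname and not cert_covers(https.hostname, cert_names):
        problems.append("certificate does not cover " + https.hostname)
    for key, url in (("HTTP_COOKIE_DOMAIN", http),
                     ("HTTPS_COOKIE_DOMAIN", https)):
        domain, host = text(key).lstrip(".").lower(), url.hostname or ""
        if domain and host != domain and not host.endswith("." + domain):
            problems.append(key + " does not cover " + host)
    return problems


# Constructed samples; the certificate is assumed issued for www.yoursite.com.
GOOD_CONFIG = """
define('HTTP_SERVER', 'http://www.yoursite.com');
define('HTTPS_SERVER', 'https://www.yoursite.com');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '.yoursite.com');
define('HTTPS_COOKIE_DOMAIN', '.yoursite.com');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
"""
# Same shop, configured without www and with a path inside HTTPS_SERVER.
BAD_CONFIG = GOOD_CONFIG.replace("www.yoursite.com", "yoursite.com").replace(
    "'https://yoursite.com'", "'https://yoursite.com/catalog/'")

if __name__ == "__main__":
    for label, config in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_catalog_config(config, ["www.yoursite.com"]))
```

Pass the names the certificate was actually issued for (its subject alternative names) as `cert_names`; a commented-out `define()` line is still parsed, so remove those from the input first.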