Archived

This topic is now archived and is closed to further replies.

jpweber

How to install SSL on OSC: A Simple 1-2-3 Instruction

486 posts in this topic

Jan ....

 

You should use your public_html directory.


Thanks for the reply.

 

That's what I did. But when I go to the checkout page, or any page that requires security, the 'https://www.mydomain.com/pagename.php' URL is fetched, and I get a 'not found' error, 'cause pagename.php is not found under public_ssl directory. Do I need to move all the secure pages to public_ssl?

 

Jan ....

 

You should use your public_html directory.

Special note to shared SSL users, in particular bluehost users. Now I don't really recommend Shared SSL, although it's worked for many. I'd prefer the real thing. Anyway, with bluehost, your config files would look like this (note: "username" refers to the username given to you by Bluehost):

 

So search the web, or call your host -- but if you're going through Bluehost, you already know now. Good luck!

 

Thank you Jason for the great tutorial on SSL.

 

But I must ask you, I am using Bluehost for my server. Do I "have" to use a Shared SSL or can I get the real thing?

 

I would like to follow your instructions and be as secure as possible.

 

TIA,

Jean -- your secure pages (checkout, login, create account, etc.) should remain where they are.

 

Tia, you can use the bluehost shared SSL -- but you don't have to, no. But the bluehost shared SSL should be secure. If you want your URL's to be like .... https://www.yourdomain.com instead of https://secure.bluehost.com/~username/, etc., when a customer goes to a secured page like login, create account, or checkout, then yes, go with some type of RapidSSL or QuickSSL or something like that. I'm not supposed to recommend particular brands openly in these forums, 'cause that's considered "soliciting" or whatever. Regardless, shared with Bluehost will still be secure, and if it's cheap (or costs nothing), and you're on a budget, there's nothing wrong with it.

Jim, you can use the bluehost shared SSL -- but you don't have to, no. But the bluehost shared SSL should be secure. If you want your URL's to be like .... https://www.yourdomain.com instead of https://secure.bluehost.com/~username/, etc., when a customer goes to a secured page like login, create account, or checkout, then yes, go with some type of RapidSSL or QuickSSL or something like that. I'm not supposed to recommend particular brands openly in these forums, 'cause that's considered "soliciting" or whatever. Regardless, shared with Bluehost will still be secure, and if it's cheap (or costs nothing), and you're on a budget, there's nothing wrong with it.

 

I think I have it now Jason, I should have mentioned I am a newbie at all this. :blush:

So when a customer goes to my site - http://handeshobbies.com/catalog/ and they head to a page that needs to be secure, instead of the URL address bar showing - https://secure.bluehost.com/~username/ it will stay as http://handeshobbies.com/catalog/whateverpage if I use a NON-Shared SSL. Did I follow along correctly?

 

I appreciate the help,

Jim


Yes ... with shared ssl, when a customer goes to login, it will look like https://secure.bluehost.com/~handeshobbies/catalog/login.php ...

 

With an independently bought SSL, like RapidSSL or QuickSSL (among others), when a customer goes to login, it will look like https://handeshobbies.com/catalog/login.php, or https://www.handeshobbies.com/catalog/login.php ...


Thank you very much for helping me out Jason.

 

I truly appreciate it!

 

:thumbsup:

 

Jim

Furthermore, let's take a look at your catalog/admin/index.php. You will have coding in there that looks like this:

if (getenv('HTTPS') == 'on') {
  $size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');
  $contents[] = array('params' => 'class="infoBox"',
                      'text' => tep_image(DIR_WS_ICONS . 'locked.gif', ICON_LOCKED, '', '', 'align="right"') . sprintf(BOX_CONNECTION_PROTECTED, $size));
} else {
  $contents[] = array('params' => 'class="infoBox"',
                      'text' => tep_image(DIR_WS_ICONS . 'unlocked.gif', ICON_UNLOCKED, '', '', 'align="right"') . BOX_CONNECTION_UNPROTECTED);
}

 

......... As to the wording of the message, I've yet to use a server which actually returns anything for (getenv('SSL_CIPHER_ALGKEYSIZE') so the message will be the one that BOX_CONNECTION_UNKNOWN points to in your language file.

 

I have finally conquered this little beast; well, at least as far as any Linux boxes running Apache & PHP 4.4.4.

The Apache environment is not making the ModSSL environment variables available to virtual accounts, probably to cut down on the overhead. The solution is to add the following line to the catalog/admin/.htaccess file:

 

SSLOptions +CompatEnvVars

 

This now opens all of these variables to use

 

SSL_KEYSIZE <--this is the one we need!
HTTPS_SECRETKEYSIZE
SSL_EXPORT
SSL_PROTOCOL_VERSION
SSL_SECRETKEYSIZE
SSL_SERVER_C
SSL_SERVER_CERT_START
SSL_SERVER_CERT_END
SSL_SERVER_CERT_SERIAL
SSL_SERVER_CERTIFICATE
SSL_SERVER_CN
SSL_SERVER_DN
SSL_SERVER_IC
SSL_SERVER_ICN
SSL_SERVER_IDN
SSL_SERVER_IO
SSL_SERVER_IOU
SSL_SERVER_ISP
SSL_SERVER_L
SSL_SERVER_O
SSL_SERVER_OU
SSL_SERVER_SIGNATURE_ALGORITHM
SSL_SERVER_SP
SSL_SSLEAY_VERSION

 

Now open your catalog/admin/index.php and...

find near line 180 this code:

$size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');

and replace with this:

$size = ((!empty($_SERVER['SSL_KEYSIZE'])) ? $_SERVER['SSL_KEYSIZE'] . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');

 

Now, when you view the index page in your admin section it will read:

You are protected by a 128-bit secure SSL connection. or whatever your SSL strength is. B)


Hi there

 

I now have an SSL certificate however reading these instructions I fear I may have some bits missing from my config file. Can someone take a look?

 

define('HTTP_SERVER', 'http://www.jbosolutions.co.uk'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', ''); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', false); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.jbosolutions.co.uk');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '');

 

Is this correct? and if so should I just fill in my site address where it is not present?

 

Thanks a lot


define('HTTP_SERVER', 'http://www.jbosolutions.co.uk'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.jbosolutions.co.uk'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '.jbosolutions.co.uk');
define('HTTPS_COOKIE_DOMAIN', '.jbosolutions.co.uk'); // a cookie domain is a host name, not a path
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');


Thanks very much for getting back so quickly.

 

I will begin to implement the changes


Ok

 

I have carried out the changes in the first configure.php

 

define('HTTPS_SERVER', 'https://www.jbosolutions.co.uk'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '.jbosolutions.co.uk');
define('HTTPS_COOKIE_DOMAIN', '/');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '');

 

should I have anything in the https_cookie_path?

 

now I come to admin and I find this:

 

define('HTTP_SERVER', 'http://www.jbosolutions.co.uk'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.jbosolutions.co.uk');
define('HTTPS_CATALOG_SERVER', '');
define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module

 

Is the SSL I need to set to true the catalog one or am I missing something?

 

Thanks for your help


If in fact you have purchased SSL, and your host installed it, then yes, set it to 'true' and define the servers and paths as mentioned in my post above.


Yes my host did install it, as long as I am not missing anything I will just add in the paths. It was the https_cookie path but I will leave that as it is.

 

Thanks for your help.


I would really have to take a harder look at your includes/configure.php file. Something isn't right in there. You can go ahead and e-mail me if you'd like.


I try and edit my configure.php files and it says I do not have permission to do so - how can I change it so I can?


There's more than 1 answer to this, but here's one way.

 

1) Go and download an FTP tool, such as WS FTP LE - http://www.inno-tech.com/support/ftp_program.html

 

2) Save it to your desktop, and unzip it, and set it up.

 

3) Profile Name: Anything you wanna call your website

Host Name/Addy: domain.com (no www)

Host Type: Automatic Detect

User ID: The user ID your host gave you

Password: The password your host gave you

* Leave anonymous unchecked, and check off save password

* leave account and comment blank

 

4) Start WS FTP. The left side is your hard drive, the right side is your server. Focus on the right side. Find public_html, or httpdocs, or wherever your files are kept. Click it. Find your (catalog)/includes/configure.php file.

 

5) Right-click it, and select CHMOD (Unix)

 

6) Change permissions to 644, where only the owner can read/write, and everyone else can only read -- not write and execute. Do this by unchecking the boxes "write" and "execute" for 'group' and 'other' and you should be all set.

 

Good luck.


Oops ... Set it to 777 temporarily -- read/write/execute for all, so you can edit it. When you're done, be sure to switch your configure.php files back to 644, so nobody else has permissions to read/write/execute your config files.

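A check to run after the edit-and-restore procedure in the two posts above, so a configure.php left at 777 is caught. This is an added example, not code from the thread or from osCommerce; the function name is hypothetical and the demo uses throwaway temp files in place of the two real configure.php files.

```php
<?php
// Added example. Flags config files that group or other users can write to,
// e.g. a configure.php left at 777 after editing. Paths below are constructed.

function audit_config_perms(array $paths) {
    $findings = array();
    clearstatcache();                      // do not trust cached stat() results
    foreach ($paths as $path) {
        $perms = @fileperms($path);
        if ($perms === false) {
            $findings[$path] = 'cannot stat file';
            continue;
        }
        $mode = $perms & 0777;             // keep only the rwx bits
        if ($mode & 0022) {                // group-write or other-write is set
            $findings[$path] = sprintf('mode %o: writable by group/other, set to 644', $mode);
        }
    }
    return $findings;
}

// Demo on two temp files standing in for includes/configure.php and
// admin/includes/configure.php.
$catalog = tempnam(sys_get_temp_dir(), 'cfg');
$admin   = tempnam(sys_get_temp_dir(), 'cfg');
chmod($catalog, 0777);                     // forgotten after editing
chmod($admin, 0644);                       // restored correctly

foreach (audit_config_perms(array($catalog, $admin)) as $file => $msg) {
    echo "$file: $msg\n";
}
unlink($catalog);
unlink($admin);
```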

Hello Jason and G'Day from Australia, :thumbsup: , I was wondering if you could advise me on an SSL matter,.....PLEASE. Cannot display the page error for all 'secure' pages.

I have had a few different tries at securing my osCommerce install but I seem to be missing something, brain cells I suspect :lol: . My site is installed as/in a sub-domain(/shopping). Certificates are in place for both Domain(www.mysite.com) and Sub-Domain(www.mysite.com/shopping) This is 'bound' as a sub-domain, not just a folder.

 

admin/includes.configure has been modified as below

 

define('HTTP_SERVER', 'https://mysite.com/shopping'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'https://mysite.com/shopping');
define('HTTPS_CATALOG_SERVER', 'https://mysite.com/shopping');
define('ENABLE_SSL_CATALOG', 'true');

 

includes/configure also modified

 

define('HTTP_SERVER', 'https://mysite.com/shopping'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'https://mysite.com/shopping');
define('HTTPS_CATALOG_SERVER', 'https://mysite.com/shopping');
define('ENABLE_SSL_CATALOG', 'true')

 

I have some suspicions as to where I have got it wrong (other than the brain cell thing :blink: ) but I just can't seem to get it right.

Do you think you could straighten me out on this? I have looked all over the place for a solution but haven't found anything that quite fits the bill in terms of subdomain install. Really hope you can help, Cheers and all the best. Rob

Merry Christmas to you and yours and all of that


Hmmm!?

Now I feel really dumb, because it is a sub-domain it can be accessed by either, www.shopping.mysite.com , or , www.mysite.com/shopping ,

Should my defines be for the first syntax or the second? uummm


Well, for starters, you say the cert was issued to www.yourdomain.com, but your config files are without any www ... they're just set to http://domain.com. Of course, this will cause problems. But other than that, I'd really have to get into your site to figure it out, because your situation sounds too confusing, with different subdomains, various SSL's, etc., etc., ... But you never even gave me your URL. Anyway, use the e-mail link (not the message one) in my profile if you'd like.

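The mismatch pointed out in the reply above (certificate issued to the www name, config written without it) can be checked before SSL is switched on. This is an added example, not code from the thread or from osCommerce; the function names are hypothetical, and the settings and certificate name are constructed from values quoted in this topic.

```php
<?php
// Added example. $cfg mirrors catalog includes/configure.php; $certNames is the
// list of host names the certificate was issued for. Both are constructed.

// True when $host is covered by one of the certificate's names.
function host_matches_cert($host, array $certNames) {
    foreach ($certNames as $name) {
        $name = strtolower($name);
        if ($name === $host) {
            return true;
        }
        // "*.example.com" covers exactly one extra left-most label.
        $dot = strpos($host, '.');
        if (substr($name, 0, 2) === '*.' && $dot > 0 && substr($host, $dot) === substr($name, 1)) {
            return true;
        }
    }
    return false;
}

// Returns a list of problems; an empty list means the settings are consistent.
function check_ssl_config(array $cfg, array $certNames) {
    $problems = array();
    $url    = parse_url($cfg['HTTPS_SERVER']);
    $scheme = (is_array($url) && isset($url['scheme'])) ? strtolower($url['scheme']) : '';
    $host   = (is_array($url) && isset($url['host'])) ? strtolower($url['host']) : '';

    if ($cfg['ENABLE_SSL'] !== true) {
        $problems[] = 'ENABLE_SSL is not true: HTTPS_SERVER will not be used';
    }
    if ($scheme !== 'https' || $host === '') {
        $problems[] = 'HTTPS_SERVER is not an https:// URL';
    } elseif (!host_matches_cert($host, $certNames)) {
        $problems[] = "certificate does not cover $host";
    }
    // The cookie domain must be the HTTPS host itself or a parent domain of it.
    $domain = strtolower(ltrim($cfg['HTTPS_COOKIE_DOMAIN'], '.'));
    if (!preg_match('/^[a-z0-9.-]+$/', $domain)
        || ($host !== $domain && substr($host, -strlen($domain) - 1) !== '.' . $domain)) {
        $problems[] = 'HTTPS_COOKIE_DOMAIN is not a domain of the HTTPS host';
    }
    return $problems;
}

$cfg = array('HTTPS_SERVER' => 'https://mysite.com/shopping',
             'ENABLE_SSL' => true,
             'HTTPS_COOKIE_DOMAIN' => '/');
foreach (check_ssl_config($cfg, array('www.mysite.com')) as $problem) {
    echo "- $problem\n";
}
```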

Neil, I can't get any URL to work. The log you posted says a lot, but doesn't say much. E-mail me (hit my profile, do not message) for help if you would like .....


Hi Jason, you seem to know what you're talking about when it comes to SSL so I was hoping that you might be able to help me out. I just barely installed my SSL certificate onto my server for my osc store and things are fine, I followed your instructions at the beginning of this post and edited both of my configure files as well. Here's the problem, when I access any of the pages on my site that should be secure, such as shopping cart and checkout, there is the S in the http://, indicating that it is not secure.

the site that i am working on can be found at OutfitterWarehouse.com

I can manually enter httpS://www.outfitterwarehouse.com and it brings up my site with no problem, but as soon as I click on a link it reverts back to the normal http://.

Can you please take a look and maybe help me figure out what is going wrong, thanks.
