
Archived

This topic is now archived and is closed to further replies.

germ

SSL Implementation Help


I am using a certificate from GoDaddy on one of my domains. The OS shopping cart is using an addon called ECHO or electronics clearing house for my payment gateway. So that should be all PCI Compliant.

I just finished setting up another copy of the OS shopping cart where the secure certificate is at. Again I am on a server where I have a main domain and several sub-domains. So path wise and database wise I can connect to the same database from my main store and from the website that has the cert. I have everything working from the site with the cert except 1 thing right now. I can give you URL via another way and you can see what I have. Not sure if creating a new customer is working correctly because I am just logging in to the same account to test.

Here is what I have so far. You put an item in the cart, in the store, and click on cart contents and then on checkout you go to the secure site with the cert. You login and then get the delivery information and click on what you want to use and then click on continue. This is where it hangs up. It is looking for checkout_shipping.php file which it just used but can't find or the connection to the database from the website with the cert is not allowing the session id to work because it really is from another website and the original website did the creation is all I can think of that is stopping this to work.

You said above that it was fishy that my ISP will not allow php files to work with a shared cert. Any reasons why they might do that? Security concerns?

You also said that you would need separate certs for each store you build. Is that only because the shared certs will not work and I need to have one then for each store?

If you try to use a certificate that wasn't issued to the domain you're on you'll get certificate errors in the browser.

 

That'll scare away customers quicker than ants to a picnic...

:o

 

That being said, I'm not sure what "server magic" is employed to get shared SSL certs to work correctly??

:unsure:

 

And I still think it sounds fishy that the shared SSL won't work for PHP files. You'll just have to ask them why.

 

But I've honestly never piddled with SSL and subdomains, so maybe everything I've said is nothing but fallacy.

:blush:


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >


Now I can't access admin. Any thoughts on that issue? Here is my admin/configure.php code:

 

define('HTTP_SERVER', 'https://www.bodylily.com');

define('HTTP_CATALOG_SERVER', 'https://www.bodylily.com');

define('HTTPS_CATALOG_SERVER', 'https://www.bodylily.com');

define('ENABLE_SSL_CATALOG', 'true'); //secure.hostmonster.com/~shutter1/bodylily

Your SSL URL is:

 

https://secure.hostmonster.com/~shutter1/bodylily



Yes, sorry, I changed it trying to get it to work. No luck though. Here is what it is now:

 

define('HTTPS_CATALOG_SERVER', 'https://secure.hostmonster.com/~shutter1/bodylily');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

 

Your SSL URL is:

 

https://secure.hostmonster.com/~shutter1/bodylily


I assume you've renamed the admin to something else (and I don't want you to post that info for security reasons) because if not it's been deleted somehow.



After a lot of work I just got everything working.

 

I basically have 2 OS setups. One full one on the main Domain and a partial in the domain with the SSL certificate. I am not getting any certificate errors and had to change some things right in some files to get everything to work. I basically put in the files one at a time so I could work out the bugs. About the only thing that I do not like is on the thank you page, or checkout_success, where the box is for getting notifications I had to put a statement above the continue button that let them know they were going back to a non secure store. Because they are in the secure ssl site the warning comes up and tells them that they may be sending info and I am letting them know that it will happen.

If I could not have that warning come up I would. I would love it to be able to go to the http address for the checkout_success but it gets the same error so I just put the note on the final page. If you have an idea on that let me know.

So if anyone has a website with more than one store and has sub-domains you can set up one SSL certificate on a sub-domain and share all of your stores to use that cert.

 

Now I can finish up a few things and go make 3 more stores.


hey germ,

 

So the problem was that the file permissions were set to 444, read only for everyone. I didn't see this when FTP'ing the file up. Hence, my changes never went in. So now I have the permission changed and am able to change the file. HOWEVER, I get this nice PINK error at the top of my screen now:

 

Warning: I am able to write to the configuration file: /home/epickit1/public_html/store/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

 

I have changed the permissions to 644 but am not able to get them back to 444. I have an email in to support to ask why this won't go to 444. Any other way through the admin tool to change file permissions?

 

thanks for the time.

 

kt

 

 

Check the files on the server as described in the first post in the thread.

 

Your HTTPS_SERVER needs the "www." in it, but it currently doesn't have it (regardless of what you may think).


Most people have to use the web host's cPanel (NOT FTP or osC Admin) to successfully make permission changes.



That's odd because when I try the same thing on my file on my server it works?

:blink:

 

Anyway, I made a minor change and uploaded a new version.

 

Try it out.

:)



My SSL is working, which is good. However, the index.php doesn't seem to translate over to https:// - it has a different background picture, etc. (if you move to index via catalog button after you've completed an order, for example). Also, want to get rid of goofy pictures that load with successful registration, etc., and the changes I make in the files don't seem to get to the https. I've read through your implementation help, but obviously don't know enough to understand everything. I appreciate any help.

Lea Sandoz

Violet Crown Soap


The index page isn't supposed to be, nor have any reason to be, HTTPS.

I visited the site and it looks like the SSL is working as it should.



I've been getting the dreaded message 'contains unauthenticated content' and my configuration files have been updated, so have the direct links to images, links etc.

 

My problem is for example: I have code in my application_top.php that references the home page

<td class="logo"><a href="<?php echo tep_href_link('index.php')?>">

 

 

 

My problem is that the function tep_href_link translates the link to be http: instead of https, and this is for every link that uses tep_href_link.

 

I also noticed that in the function page html_output (please bear with me it could be the web page of the template or the original osc file)

 

I'm including the code for the function here: I'm hoping someone can help me fix it so that it will be SSL when the page is https etc..

 

// The HTML href link wrapper function
 function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true) {
   global $request_type, $session_started, $SID;

   if (!tep_not_null($page)) {
     die('</td></tr></table></td></tr></table><br><br><font color="#ff0000"><b>Error!</b></font><br><br><b>Unable to determine the page link!<br><br>');
   }

   if ($connection == 'NONSSL') {
     $link = HTTP_SERVER . DIR_WS_HTTP_CATALOG;
   } elseif ($connection == 'SSL') {
     if (ENABLE_SSL == true) {
       $link = HTTPS_SERVER . DIR_WS_HTTPS_CATALOG;
     } else {
       $link = HTTP_SERVER . DIR_WS_HTTP_CATALOG;
     }
   } else {
     die('</td></tr></table></td></tr></table><br><br><font color="#ff0000"><b>Error!</b></font><br><br><b>Unable to determine connection method on a link!<br><br>Known methods: NONSSL SSL</b><br><br>');
   }

   if (tep_not_null($parameters)) {
     $link .= $page . '?' . tep_output_string($parameters);
     $separator = '&';
   } else {
     $link .= $page;
     $separator = '?';
   }

   while ( (substr($link, -1) == '&') || (substr($link, -1) == '?') ) $link = substr($link, 0, -1);

// Add the session ID when moving from different HTTP and HTTPS servers, or when SID is defined
   if ( ($add_session_id == true) && ($session_started == true) && (SESSION_FORCE_COOKIE_USE == 'False') ) {
     if (tep_not_null($SID)) {
       $_sid = $SID;
     } elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL == true) ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
       if (HTTP_COOKIE_DOMAIN != HTTPS_COOKIE_DOMAIN) {
         $_sid = tep_session_name() . '=' . tep_session_id();
       }
     }
   }

   if ( (SEARCH_ENGINE_FRIENDLY_URLS == 'true') && ($search_engine_safe == true) ) {
     while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);

     $link = str_replace('?', '/', $link);
     $link = str_replace('&', '/', $link);
     $link = str_replace('=', '/', $link);

     $separator = '?';
   }

   if (isset($_sid)) {
     $link .= $separator . tep_output_string($_sid);
   }

   return $link;
 }

Thanks!


"Be who you are and say what you feel, because those who matter don't mind, and those that mind, don't matter." (Theodor Seuss Geisel)


Okay - I was able to fix the code and now all my links are https - and I STILL get the dreaded padlock with a question mark. The website is hosted on GoDaddy - and the certificate is registered without the www - does this info give anyone a clue as to how I can make my webpage question mark free?

 

I also ran myenv.php under http://

the page shows SSL Status: [undefined!]

but under https://

SSL Status: [on]

 

Does the Undefined mean anything or is that another clue?

I appreciate your help!

I can't help without your URL - either posted here or in a PM.



I can't help without your URL - either posted here or in a PM.

 

Sent! Thx.

 

Now, I was playing around with the above-mentioned code for tep_href_link but it's not working the way I need it to. So I reverted the code back to the way it was before. Now, from my understanding of other people's issues, the website should be http until you click on a link that should be secure, i.e. logging in, checking out an order etc. My problem is that to test if the webpage is loading securely I just typed in https://mywebsite.com/ and I get the lock with the question mark. Fine. I view the page and see that most of the links are http://. Okay. But they aren't images or javascripts or any other kind of includes. They are just links. Would that make a website insecure? If yes - why aren't the links reverted to https? Does that mean the code is wrong? Would I have to include something like if $request_type is SSL then make the link use HTTPS_SERVER?

As far as I can see the SSL is working properly.

 

The login and create account in the header aren't using HTTPS and you need to remove the "www." from them as well because the SSL cert is issued to your domain name WITHOUT THE WWW.

 

They need to be like this:

 

<td id="m4" onMouseOut="this.id='m4';" onMouseOver="this.id='over_m4';" onclick="document.location='https://YOUR_SITE.com/create_account.php'" nowrap="nowrap">Create an Account</td>

<td id="over_m5" onMouseOut="this.id='over_m5';" onMouseOver="this.id='over_m5';" onclick="document.location='https://YOUR_SITE/login.php'">Log In</td>



As far as I can see the SSL is working properly.

 

The login and create account in the header aren't using HTTPS and you need to remove the "www." from them as well because the SSL cert is issued to your domain name WITHOUT THE WWW.

 

They need to be like this:

 

<td id="m4" onMouseOut="this.id='m4';" onMouseOver="this.id='over_m4';" onclick="document.location='https://YOUR_SITE.com/create_account.php'" nowrap="nowrap">Create an Account</td>

<td id="over_m5" onMouseOut="this.id='over_m5';" onMouseOver="this.id='over_m5';" onclick="document.location='https://YOUR_SITE/login.php'">Log In</td>

 

I did as you suggested but that doesn't correct the problem - the page still displays with both authenticated and non authenticated items - any other suggestions?

It works fine in IE7.

 

My Firefox 3.0 has a problem with it. I just noticed that.

 

I examined the source. There are no "unsecure" items in the source that I can see.

 

Firefox suggests it's a problem with the SSL certificate itself (or possibly its installation).


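The source check described in the posts above, as an added example that is not part of the original thread: it reports only the items a browser fetches automatically over http:// (images, scripts, stylesheets, frames, backgrounds) and skips plain `<a href>` and onclick targets, which are not requested until the visitor clicks them. The function name, the `.example` hosts and the sample page are constructed for illustration.

```php
<?php
// Added example, not osCommerce code. Function name and sample page are constructed.

/**
 * Return the items in an HTML page that a browser fetches automatically over
 * plain http://. Navigation targets (<a href>, onclick="document.location=...")
 * are skipped: they are only requested when the visitor clicks them.
 */
function find_insecure_subresources(string $html): array
{
    // element => attribute whose URL is loaded as part of rendering the page
    $loaders = [
        'img' => 'src', 'script' => 'src', 'iframe' => 'src', 'frame' => 'src',
        'embed' => 'src', 'object' => 'data', 'link' => 'href',
        'body' => 'background', 'table' => 'background', 'td' => 'background',
    ];

    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // tolerate legacy tag-soup markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $found = [];
    foreach ($loaders as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            // <link> only triggers a fetch for stylesheets and icons
            if ($tag === 'link' && !preg_match('/stylesheet|icon/i', $node->getAttribute('rel'))) {
                continue;
            }
            $url = trim($node->getAttribute($attr));
            if (stripos($url, 'http://') === 0) {
                $found[] = sprintf('%s[%s] %s', $tag, $attr, $url);
            }
        }
    }

    // url(...) references inside style attributes and <style> blocks
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//@style | //style') as $node) {
        if (preg_match_all('~url\(\s*[\'"]?(http://[^\'")\s]+)~i', $node->nodeValue, $m)) {
            foreach ($m[1] as $url) {
                $found[] = 'css url() ' . $url;
            }
        }
    }
    return $found;
}

// Constructed sample page modelled on the header markup quoted in the thread.
$page = <<<'HTML'
<html><head>
<link rel="stylesheet" href="https://shop.example/stylesheet.css">
<script src="http://stats.example/counter.js"></script>
</head><body>
<table><tr>
<td class="logo"><a href="http://shop.example/index.php"><img src="images/logo.gif"></a></td>
<td onclick="document.location='http://shop.example/login.php'">Log In</td>
<td background="http://shop.example/images/bar.gif" style="background:url(http://shop.example/images/bg.gif)">x</td>
</tr></table>
<img src="http://shop.example/images/banner.jpg">
</body></html>
HTML;

foreach (find_insecure_subresources($page) as $item) {
    echo $item, "\n";
}
```

An empty result on a page that still shows the warning points away from the markup and toward the certificate or its installation, which is where the thread ends up.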

IE 8 works now but Firefox (3.6.3) doesn't. If I create a simple page and change the URL to https and run it on Firefox then it works, but if I run a whole osCommerce page it doesn't. Perhaps Firefox isn't happy with something on the page. I just can't figure out what it is. Grrr.

A thread dedicated to those with problems implementing SSL in their stores.

 

First stop: Read this:

 

How to install SSL on OSC: A Simple 1-2-3 Instruction, Simple, straightforward instructions

 

That thread contains the basics on modifying your /includes/configure.php file to enable SSL.

 

Common mistakes YOU can make that prevent SSL from working:

 

1. Forgetting to make the HTTPS_SERVER define with https in the URL.

Correct:

 

  define('HTTPS_SERVER', 'https://yourdomain.com');

Incorrect:

 

  define('HTTPS_SERVER', 'http://yourdomain.com');

If you can't see the difference - LOOK CLOSER!

 

2. Forgetting to enable SSL in the configure file.

This turns it ON:

 

  define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?

This turns it OFF:

 

  define('ENABLE_SSL', 'false'); // secure webserver for checkout procedure?

3. Modifying the configure file on your local PC then NOT making sure the new one gets to the store website.

If you modify it locally and use FTP, Dreamweaver, Frontpage, or whatever, to transfer it to your site MAKE CERTAIN THE MODIFIED VERSION GETS TO YOUR SITE!!!

Sometimes file permissions can prevent a successful transfer to your website.

 

4. Not checking for and examining the contents of /includes/local/configure.php if it exists on your site.

This file isn't present on all installs, but if it is, ANYTHING IN IT OVERRIDES ANYTHING IN THE "NORMAL" CONFIGURE FILE!!

Check for it, and if found examine its contents.

It may not look like the normal configure file in one respect:

 

  define('ENABLE_SSL', 1);

The define for ENABLE_SSL may have a 1 or a 0 instead of true or false. If so, remember that 1 = true, 0 = false.

 

OK.

 

So you've done all that and it still doesn't work. All your images are X!

 

This probably means osC isn't getting the cue from the server that SSL is active.

 

The code that tests to see if SSL is active is in /includes/application_top.php around line 41:

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

Unfortunately this doesn't work on all servers.

 

If you're on "1 and 1" Hosting, this usually works:

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

If it's a Windowz server, try this:

 

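// set the type of request (secure or not)
// isset() avoids an undefined-index notice on requests where HTTPS is not set
 $request_type = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'SSL' : 'NONSSL';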

If neither of those are true for you try this:

 

// set the type of request (secure or not)
$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

Always backup any file on your site before making any edits.

 

A file that doesn't work quite like you want it to is better than one that won't work at all.

 

And sometimes none of those settings work.

 

I've written a few programs to assist in debugging, and implementation of SSL and have made a contribution of them.

 

I will post a link to it and a brief explanation after it's uploaded.
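One way to fold the variants listed above into a single check, as an added example that is not part of the original post or of osCommerce. The function names are hypothetical and the sample server environments are constructed; it also normalises the ENABLE_SSL spellings from item 4.

```php
<?php
// Added example, not osCommerce code. All function names here are hypothetical.

/**
 * Collect the two variables the post tests, reading $_SERVER first and
 * falling back to getenv(), since not every server populates both.
 */
function current_server_vars(): array
{
    $vars = [];
    foreach (['HTTPS', 'SERVER_PORT'] as $key) {
        $value = $_SERVER[$key] ?? getenv($key);
        if ($value !== false && $value !== null) {
            $vars[$key] = $value;
        }
    }
    return $vars;
}

/**
 * Decide whether a request arrived over SSL, trying each signal from the
 * post in turn: HTTPS = 'on', HTTPS = '1', then SERVER_PORT = 443.
 * $server is passed in so the logic can be exercised offline.
 */
function detect_request_type(array $server): string
{
    $https = strtolower(trim((string) ($server['HTTPS'] ?? '')));
    // Test for the "on" values explicitly rather than "not empty":
    // IIS with ISAPI sets HTTPS to 'off' on plain HTTP requests.
    if ($https === 'on' || $https === '1') {
        return 'SSL';
    }
    if ((string) ($server['SERVER_PORT'] ?? '') === '443') {
        return 'SSL';
    }
    return 'NONSSL';
}

/**
 * Normalise the ENABLE_SSL spellings: true / 'true' / 1 mean on,
 * false / 'false' / 0 mean off. A loose `== true` comparison cannot
 * tell them apart, because the non-empty string 'false' is truthy in PHP.
 */
function ssl_enabled($value): bool
{
    if (is_bool($value)) {
        return $value;
    }
    return in_array(strtolower(trim((string) $value)), ['true', '1'], true);
}

// Constructed sample environments, one per case discussed in the post.
$samples = [
    'HTTPS=on'               => ['HTTPS' => 'on', 'SERVER_PORT' => '443'],
    'HTTPS=1'                => ['HTTPS' => '1', 'SERVER_PORT' => '443'],
    'no HTTPS var, port 443' => ['SERVER_PORT' => '443'],
    'HTTPS=off (IIS)'        => ['HTTPS' => 'off', 'SERVER_PORT' => '80'],
    'plain HTTP'             => ['SERVER_PORT' => '80'],
];
foreach ($samples as $label => $env) {
    printf("%-24s %s\n", $label, detect_request_type($env));
}
foreach ([true, 'true', 1, false, 'false', 0] as $value) {
    printf("ENABLE_SSL = %-7s -> %s\n", var_export($value, true), ssl_enabled($value) ? 'on' : 'off');
}
// In a live request: $request_type = detect_request_type(current_server_vars());
```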

SSL contribution and the file changes worked. thank you so much...

still couldn't see images on secure pages. Fixed it though, by looking at the url.

The shared ssl on my server is appending a symbolic link directory name after the web address.

I added the name in https: for cookies and catalog sections of config.php that fixed it.

Then I thought I had at a different time done something to cause this to be necessary (like add a redirect to the server).

I think that the path for ssl should be the same, but... mine is not http://----.com/catalog and https://---.com/~username/catalog.

The ssl and picture cookies everything is working though. Am I missing something or being paranoid?

If you can see the pictures, and also put something in the cart THEN LOGIN AND IT'S STILL IN THE CART, I think you've got it whipped.

:)



This is a bit strange. I have my SSL certificate implemented and am unable to login to my admin. When I enter the usual address, xxxxxx.com/catalog/admin/

the address converts to this:

http://www.xxxxxx.comdir_ws_adminlogin.php/?osCAdminID=pfk6i7ssouahjrq0gp7idlf5i2

and I have no adminlogin page.

 

Can you help?

Thanks in advance.


Look at the link you posted closely:

 

http://www.xxxxxx.comdir_ws_adminlogin.php

 

You've lost the define for DIR_WS_ADMIN in your admin configure file.



Germ,

 

I've made the changes to my configure.php file:

define('HTTPS_SERVER', 'https://www.mdpromptpay.com');

define('ENABLE_SSL', true);

 

After I login from my index.php I modified my index.php to allow a person to link to another script (products_new.php) using the below code:

<td class="main"><img src="images/arrow_green.gif"><a href="http://www.mydomainname.com//products_new.php?osCsid=93e8654b737865920ed459edc56e3be2"><b> View or Change your Medical Statements</b></a></td>

 

BUT

 

When I change the code to add the 's' to the http it takes me to the LOGIN.PHP script

<td class="main"><img src="images/arrow_green.gif"><a href="https://www.mydomainname.com//products_new.php?osCsid=93e8654b737865920ed459edc56e3be2"><b> View or Change your Medical Statements</b></a></td>

 

Can you tell me why this may be happening?

 

Rick

 

 
