OSCNewbie2

HOW TO INSTALL "LET'S ENCRYPT" SSL IN OSCOMMERCE v2.3.4?


Hi folks,

I'm trying to figure out how to install the free SSL certificate "Let's Encrypt" into an existing osCommerce v2.3.4 installation that had a COMODO SSL certificate in it.
Have searched the forum and cannot find anything that specifically deals with this question.

(I have installed the Let's Encrypt into a WordPress website before, so I have some idea how it works, but not with osCommerce.)

I have FTP and cPanel access.

Any help much appreciated, thanks!

os Newbie in Florida

Edited by OSCNewbie2


The SSL certificate is before the PHP software, so there is no osCommerce configuration to change when you change certificates.  You should be able to follow the exact same process as with the WordPress website (minus changing from HTTP to HTTPS in the PHP files if that was an addition). 

The only time it would matter would be if you had SSL disabled in your configure.php files.  But if you already have Comodo SSL working, then the exact same osCommerce configuration will almost certainly work for Let's Encrypt.  It's just Apache/Nginx configuration that changes.  It's also vaguely possible that the directory would change, but that seems unlikely. 

If you want to post your process for switching to Let's Encrypt, we could let you know which changes are WordPress configuration changes that you do not need to do.  But the hard parts are what you have to do in cPanel and that's specific to your host.  Some hosts allow you to just say, "Generate a Let's Encrypt certificate and use that instead of Comodo."  Some hosts may require you to do some number of steps manually.  We can't really help you with that portion of it.  That's something to get support from your host to do. 


Always back up before making changes.


Thanks very much for that feedback, let me dive into that right now and see what I can do. I'll post the outcome or progress here. Thanks again!

 


HELP!  I GOT SSL INSTALLED BUT BROKE ACCESS TO THE ADMIN LOG ON :o

OK, so I carefully followed the instructions from sslforfree dot com and got Let's Encrypt installed without too much trouble, as you can see here -
https://www.tymbercreekfabrics.com

BUT now we lost access to the Admin page at https://www.tymbercreekfabrics.com/tymberadmin/login.php
When we try to log in as usual, we just get kicked back to the login page again.

Part of the Let's Encrypt SSL install process was adding the following lines to the TOP of the .htaccess file in the public_html folder, as instructed per the video I followed -
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://tymbercreekfabrics.com/$1 [R=301,L]

There is a lot of other stuff in that .htaccess file though, but that's all now BELOW the above three lines. I didn't want to change or delete any of that without knowing what it does.

I read all the instructions and suggestions at - topic/362064-unable-to-access-admin-after-adding-ssl-cert/
but the only changes I could see that might have been required (and which I did) was making these changes in the public_html/includes/configure.php file  -
define('HTTP_SERVER', 'https://mysite.com');
to
define('HTTP_SERVER', 'http://mysite.com');


But that didn't change anything and we still can't log in to Admin.

If anyone can tell us why we lost Admin Access after installing the SSL Certificate, that would be appreciated, thank you!


 


You might try clearing the cache and cookies in your browser.  Sometimes using an entirely different browser (e.g. Microsoft Edge instead of Chrome or vice versa) helps.  Or a browser on a different computer. 

If you have a second

 RewriteEngine On

line in your .htaccess, you might try deleting the second one. 

If you have a .htpasswd_oscommerce file in your admin directory, you might download and back it up, then delete it on the server.  Then try logging in again. 

Make a backup of your database in general and then (separately) the administrators table in something like phpMyAdmin.  Then truncate (empty) the administrators table and see if it lets you create a new administrator account.  If it doesn't, restore the administrators table from your backup (which is why you back it up separately). 

If you can view error logs on your server, you might go look in them to see if they show any errors. 


Always back up before making changes.


Thanks very much for the suggestions, certainly appreciated, will try the first three suggestions and see what I can do.   I'm going to leave making the backups and changes to the administrators table for later as I'm not 100% confident about doing those.

You may be right about the browser issue - the owner of the site CAN still log in as the Store Administrator if she uses Windows Explorer, but not if she uses Chrome or Firefox. I don't have Win Explorer on my Mac (only Safari, Chrome & Firefox) so I can't try that, and I long since deleted Explorer off my old MS PC which is still running WindowsXP :D

FYI I'm attaching the .htaccess file for reference from the public_html/ folder, in the format it was BEFORE I made your suggested changes.
[I've made a notation in there above the three lines that I added - "#These three lines are what I added on March 7th 2020"]

As you suggested, I will remove the following "RewriteEngine On" which is below my new three lines that I input, and see what happens.

Also - what about all those references to the "pki-validation" which you can see further down repeated a few times? I believe those were for the previous versions of the SSL, which was a COMODO SSL, and were installed and updated by the hosting company, before I got involved. Maybe I should delete all of those too, to clean up the file generally?

Thank you!

htaccess

Edited by OSCNewbie2
Added more explanations and uploaded the referenced file.

On 3/9/2020 at 5:30 PM, OSCNewbie2 said:

Also - what about all those references to the "pki-validation" which you can see further down repeated a few times? I believe those were for the previous versions of the SSL, which was a COMODO SSL, and were installed and updated by the hosting company, before I got involved. Maybe I should delete all of those too, to clean up the file generally?

It looks like they were allowing access to the PKI files, which probably shouldn't have been in the webspace in the first place.  You can almost certainly delete (or comment out) the pki lines safely.  You probably should not delete the cpaneldcv lines without discussing it with your host. 

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://tymbercreekfabrics.com/$1 [R=301,L]

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

should probably be

Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.tymbercreekfabrics.com/$1 [R=301,L]

You should not comment out a RewriteRule without also commenting out its RewriteCond lines.  E.g. either comment out every line in

#added by ensys Raj Monday, August 31, 2009
RewriteCond %{HTTP_HOST} ^174\.127\.108\.43 [OR]
RewriteCond %{HTTP_HOST} ^tymbercreekfabrics.com
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
#RewriteRule (.*) http://www.tymbercreekfabrics.com/$1 [R=301,L]

or replace it with

#added by ensys Raj Monday, August 31, 2009
RewriteCond %{HTTP_HOST} ^174\.127\.108\.43 [OR]
RewriteCond %{HTTP_HOST} ^tymbercreekfabrics.com
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
#RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule (.*) https://www.tymbercreekfabrics.com/$1 [R=301,L]

In general, you can replace the http: with https: in those RewriteRules.  That might be causing your redirect problem, as the first rule says to redirect port 80 to https without the www while several later rules attempt to redirect to http: with the www.

Delete (or comment out)

RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)index.php  http://www.tymbercreekfabrics.com/index.php [L,R=301]

That redirects https to http (port 80).  So it undoes what the first rule does. 

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This does the same thing as the first rule.  So you probably only need one of them. 

Edited by ecartz

Always back up before making changes.
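
The rule problems described in the reply above can be checked mechanically. This is an added example, not part of the original thread or of osCommerce: a small Python linter run over a constructed .htaccess (modelled on the quoted rules, with the host replaced by example.com) that flags a repeated RewriteEngine On, RewriteCond lines left in front of a commented-out RewriteRule, redirect targets that go back to plain http, and redirects that disagree on the host name. The function name and finding codes are hypothetical.

```python
import re

# Constructed sample modelled on the rules quoted in the thread; host is a placeholder.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

RewriteCond %{HTTP_HOST} ^example.com
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
#RewriteRule (.*) http://www.example.com/$1 [R=301,L]

RewriteCond %{HTTPS} on
RewriteRule ^(.*)index.php  http://www.example.com/index.php [L,R=301]
"""

def lint_htaccess(text):
    """Return (line_number, code) findings; lint_htaccess is a hypothetical helper."""
    findings, pending, hosts, engines = [], [], set(), 0
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if re.match(r"(?i)RewriteEngine\s+On\b", s):
            engines += 1
            if engines > 1:
                findings.append((no, "duplicate-engine"))
        elif re.match(r"(?i)RewriteCond\b", s):
            pending.append(no)  # conditions wait for the next active RewriteRule
        elif re.match(r"(?i)#\s*RewriteRule\b", s) and pending:
            # Apache ignores the comment, so the pending conditions now
            # silently apply to whichever RewriteRule comes next.
            findings.append((no, "orphaned-cond"))
        elif re.match(r"(?i)RewriteRule\b", s):
            pending = []
            parts = s.split()
            target = parts[2] if len(parts) > 2 else ""
            m = re.match(r"(?i)(https?)://([^/%]+)", target)
            if m:
                hosts.add(m.group(2).lower())
                if m.group(1).lower() == "http":
                    findings.append((no, "http-target"))  # redirect leaves HTTPS
    if len(hosts) > 1:
        findings.append((0, "mixed-hosts"))  # e.g. www and non-www targets
    return findings

if __name__ == "__main__":
    for finding in lint_htaccess(SAMPLE_HTACCESS):
        print(finding)
```

Line 0 is used for the file-wide "mixed-hosts" finding, since it is not tied to a single rule.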


OK many thanks for all that! 

I was about to post a long list of issues, but let me try your suggestions right now (hopefully I'll be able to figure all that out lol) and see what happens.

I'll be back here shortly (with a bit of luck).


MADE SOME PROGRESS!

OK, I tried to make all the changes you suggested, BUT I might have missed the https changes you mentioned, I couldn’t quite figure out where I needed to make those edits.

I HAVE ATTACHED THE CURRENT .htaccess file for reference.


WEBSITE STATUS NOW:

1) ADMIN LOGIN PROBLEM SEEMS TO BE FIXED! 🎉
I made all the changes I could from your last suggestions, and now I can log in to admin without any apparent problem from any browser. Thank you!


PROBLEMS STILL HAPPENING -

2) SECURITY WARNING:
After installing the Let’s Encrypt SSL over a week ago and getting NO apparent security errors that we could easily detect after it was installed, now suddenly I’m getting “This is a non-secure form” message when I try to add something to the cart, UNLESS I’m using Chrome, then there’s no warning. (Screenshot attached).


3) PRODUCT NOT FOUND WHEN USING DESKTOP OR LAPTOP BROWSER:
WHEN ON A DESKTOP OR LAPTOP: In addition to the security warning mentioned above, if I click through the security warning, it now returns a “product not found” response and nothing is added to the cart. This seems to happen with every product IF one is using a desktop or laptop browser.
WHEN ON AN IPHONE: There is no security warning and one can add the product to the cart, no problem. 😮


4) PAYMENT GLITCH:
The PayPal payment now has apparently stopped working and seems to be hung up. This may have happened when I installed Let’s Encrypt as only one order was received through the store on March 8th since I installed Let’s Encrypt, and that’s the order with the payment problem. Apparently a customer made a payment, but no payment was received in the owner's PayPal account.
[We have “PayPal website payments standard” set up and connected, and it was working before I installed Let’s Encrypt.]


OK so that’s where we’re at. To bed here now, will check back tomorrow Saturday morning EST USA.

Any help or suggestions would be very much appreciated. THANK YOU 🙏

htaccess

Screen Shot 2020-03-14 at 12.23.32 AM.png

Edited by OSCNewbie2

1 hour ago, OSCNewbie2 said:

After installing the Let’s Encrypt SSL over a week ago and getting NO apparent security errors that we could easily detect after it was installed, now suddenly I’m getting “This is a non-secure form” message when I try to add something to the cart, UNLESS I’m using Chrome, then there’s no warning.

I suspect that you were getting this prior to installing the Let's Encrypt SSL.  You just hadn't noticed when it was Comodo SSL. 

In includes/configure.php, find all instances of http: and replace them with https: -- in particular, change the HTTP_SERVER.  Set ENABLE_SSL to true.  You should probably do the same with admin/includes/configure.php

I'm not the best person to help with troubleshooting a PayPal problem, but you may want to check if there are any log messages giving more information.  Also, perhaps check if you don't have an up-to-date https://github.com/gburton/CE-Phoenix/blob/master/ext/modules/payment/paypal/paypal.com.crt

PayPal recently started requiring that file to be up-to-date.  If all else fails, try asking PayPal what the problem looks like from their side. 

1 hour ago, OSCNewbie2 said:

Apparently a customer made a payment, but no payment was received in the owner's PayPal account.

This seems a really weird problem to have.  Are you sure that the customer successfully made a payment?  Because I've never heard of a payment being subtracted from the customer but not added to the store.  A more typical problem would be for the payment to be in the shop account but to have never notified the store.  But the money should be there.  I could see that happening in the midst of your SSL problems.  It could have the same problem as the admin.  But the customer going to PayPal and having the amount removed from the customer's account but not deposited in the shop account would be a problem with PayPal, not osCommerce. 


Always back up before making changes.

4 hours ago, OSCNewbie2 said:

Any help or suggestions would be very much appreciated. THANK YOU 🙏

Much of your site content is still producing http:// links, especially on product pages. Depending on which browser is being used, some will just warn, others will block. There is no point in having only part SSL; it's all or nothing these days.

If your forms are producing non-SSL links then they too will give you problems. Some hosts now even block any site that has non-secure forms.
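
One way to check both points raised in the two replies above, the http: values in configure.php and the pages that still emit http:// form actions and links (added example, not from the thread or from osCommerce; the sample configure.php and the page fragment are constructed, and the function names are hypothetical):

```python
import re
from html.parser import HTMLParser

# Constructed sample using the two settings named in the thread (not the poster's file).
SAMPLE_CONFIGURE = """<?php
  define('HTTP_SERVER', 'http://www.example.com');
  define('ENABLE_SSL', false);
"""

# Constructed page fragment: an add-to-cart form that posts over plain HTTP.
SAMPLE_PAGE = """<form name="cart" action="http://www.example.com/add-to-cart" method="post">
<img src="https://www.example.com/images/a.jpg">
<a href="http://www.example.com/index.php">Home</a>
</form>"""

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*('[^']*'|\w+)\s*\)")

def check_configure(php_text):
    """Return (constant, value) pairs that keep the store on plain HTTP."""
    findings = []
    for name, raw in DEFINE_RE.findall(php_text):
        value = raw.strip("'")
        if value.lower().startswith("http://"):
            findings.append((name, value))          # any define still using http:
        elif name == "ENABLE_SSL" and value.lower() != "true":
            findings.append((name, value))          # SSL switched off in the config
    return findings

class InsecureRefs(HTMLParser):
    """Collect (tag, attribute, url) for references that use http://."""
    WATCH = {("form", "action"), ("a", "href"), ("img", "src"),
             ("script", "src"), ("link", "href")}

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if (tag, attr) in self.WATCH and value and value.lower().startswith("http://"):
                self.hits.append((tag, attr, value))

def insecure_refs(html):
    parser = InsecureRefs()
    parser.feed(html)
    return parser.hits

if __name__ == "__main__":
    print(check_configure(SAMPLE_CONFIGURE))
    print(insecure_refs(SAMPLE_PAGE))
```

A form action hit is the one that triggers the browser's non-secure form warning; the other hits are plain links or mixed content on an HTTPS page.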


 


ecartz you da man! (or woman!) :D 

I made the changes you suggested and it looks like those fixed everything -
- no more “product not found” messages
- no more “insecure” pages (or parts of them)
- and the test PayPal payment I just made, went through without a hitch.

I really appreciate your help.

Where’s your tip jar?! I told my friend she owes you.

16 minutes ago, OSCNewbie2 said:

Where’s your tip jar?! I told my friend she owes you.

I think there is one in the Phoenix Club where you can show your gratitude.  😀

Dan


Gotcha thanks!

I'm not a part of that Phoenix group yet and hadn't planned to upgrade this site to Phoenix, because I believe this install has some custom changes made to various files which might break if we upgrade.

But I'm doing the research to see what I can find to check out the best options.

3 hours ago, OSCNewbie2 said:

I'm not a part of that Phoenix group yet and hadn't planned to upgrade this site to Phoenix, because I believe this install has some custom changes made to various files which might break if we upgrade.

You don't have to update but it is a good opportunity to see the latest developments, what is planned and the support that is offered.  You'll also ensure that any requests you have for help are seen by those who can help.   Many of them are no longer active in the open part of this forum, or at least don't frequent it as often as they once used to. 

Dan


Yeah, it's not so bad... plenty of people still using and posting in the free and open forum. Good news is another partner is working on and will be making available an alternative free community version and will hopefully keep his club open to all.

So looking forward, things look fine and people will have options to select from.


 
