SSL issue

Hi all

I have installed an SSL certificate on my OC website. I have enabled the SSL from System Settings. I have also edited the admin/config.php file so that the HTTPS_SERVER and HTTPS_IMAGE lines are https, not http. Finally, I added a .htaccess file to the admin folder, which is:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.mystoreurl.com/store/admin/ [R]

When I open my website, flameslongton.co.uk, in Google Chrome, I get a red HTTPS prefix on the address bar, and a red line though it. When I open the website in IE9, the images are not present, and all the formatting seems to have disappeared. There is a message which says 'Only secure content is displayed'. There is a button next to this message which says 'Show all content'. If I open the website in Firefox, I get a message saying 'This connection is untrusted' - I then have to add the website to an exception list to access it.

Is there any way to avoid getting all these 'unsafe website' messages from each of these browsers? Have I not installed the certificate properly, or have I missed something? Please help!

Also, with the .htaccess file I added above, I cannot access the admin login page using a http address, it forces the webpage to open as https. Is there any way to do this for the rest of the site? As currently, I can just enter http://www.flameslongton.co.uk and this will not load the SSL secured version.

Finally, if I enter 'flameslongton.co.uk' as the address and press enter, the address automatically changes to https://flameslongton.co.uk/store. This is due to a domain redirect on my cPanel. But if I then navigate to any other link on the site, eg My Account, the https changes to http. How can I make the site secure wherever I may go? Especially if I wanted to login on the My Account page?

Sorry for all the questions, but we all have to start somewhere
Naz

Thanks

We cant help if your site is in maintenance mode...

Do you have pictures you manually inputted into the header.tpl file? if so, you have to change the links of the html code for the pictures too. If it still has http:// for the image source, chance it to https://

If that doesnt fix it, you might have installed your certificate wrong. Especially because I am getting it at your home page. It should only come up for the "login-in" and "registration" portions of OpenCart.

Goodluck,

- Christian

Hi and thanks for the reply!

I have changed the site to take it out of maintenance mode now, sorry about that.

Also, the site is completely standard, I havent made any changes except doing most of the recommended security stuff from a couple of websites. So the header.tpl hasnt been changed.

From what you are saying, the certificate has been installed incorrectly. My steps for installing it were based on what my hosting provider told me, and I cant remember exactly what I did now. The only thing that was complicated, and I wasnt sure about, was the hostname to use. I wasnt sure whether it needed to be www.flameslongton.co.uk, or flameslongton.co.uk. I set the hostname for the certificate to flameslongton.co.uk. Is that correct? Or should it have been something else? I can go to my cPanel, and see the SSL details, so it seems as if it is fine.

I then set up a permanent redirect using cPanel for domain flameslongton.co.uk, to https://www.flameslongton.co.uk/store. This was redirecting with or without www, and is NOT a wildcard redirect.

For setting up the certificate with Opencart I used the following:

http://opencarthelp.com/a/?q=improve-opencart-security

With this link, I enforced the use of SSL with the Admin login, and also changed System Settings to use an SSL certificate.

Any clues as to what may be the issue? Maybe it is the redirect? From what you are saying, the SSL should not be used with the homepage - is that correct?

Also, you said the SSL should come up with the Login portion of Opencart. For some reason, when I select the Account Login link, the site goes to a HTTP webpage, not HTTPS:

http://www.flameslongton.co.uk/store/in ... ount/login

How can I enforce the SSL to be used when someone goes to login? Also, when they want to pay, I need it to be enforced there too, do I need to do something else to make that happen?

Thanks a lot for your help
Naz

You need to go into both config files and change your https settings. I know you have not done that because when you visit your login page or even your admin login it does not switch to HTTPS.

You need to LOSE the 301 on your htaccess and use what Open Cart has given you.

This is what the code will look like in your config files.

// HTTPS
define('HTTPS_SERVER', 'http://www.bla.com/');
define('HTTPS_IMAGE', 'http://www.bla.com/image/');

Change http to https

open your config.php file in your root directory. Your settings in that file should look exactly like this for it to work correctly:
- Christian

Thanks Avvici and Christian for your help. Are you both saying that I need to edit both the root config.php file AND the Admin/config.php file? As I have currently only edited the Admin config file as per your instructions.

Thanks
Naz

Edit the root file. Thats the important one for your front end. The admin config is for your administration back end only. I would leave SSL out of the admin completely because it can cause issues while editing the store.

- Chris

Thanks Chris. I have changed the root config file, and now the web address changes to HTTPS when I go to My Account link or Checkout, which is perfect.

I have just two issues left now. The first is that if I open the site in IE8, and then go to one of the secured areas eg My Account, the address bar doesn't go green, as it should when you go to a secure page in IE.

The second issue is that if I open the site in Firefox 12, and then go to a secured area eg My Account, I get a message on screen saying 'This connection is untrusted'. The Technical Details area of the page says:

The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

However if I open my site in Google Chrome there doesnt seem to be any issues. Opening the site in Google Chrome 18, and going to a secured area eg My Account, shows a green padlock symbol on left side of address bar, and the HTTPS part of the address becomes green. I opened Google Docs, and it is the same there. Also, I checked the information behind the padlock symbol and both my site and Google Docs show similar information. So I am thinking there are no issues when opening secured areas in Chrome.

Is there any way I can resolve these two issues?
Many thanks
Naz

Um, no. IE browser bar doesn't go green. In fact none of them do. If you want to Pay Verisign boat loads you can get a pretty green bar though You are still having issues with your encryption

boat loads is right ...

Naz, have a look at this:
http://www.sslshopper.com/ssl-checker.h ... gton.co.uk

It suggests you may be missing an intermediate certificate:

"You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following Comodo's Certificate Installation Instructions for your server platform (use these instructions for InstantSSL). Pay attention to the parts about Intermediate certificates."

If that's the case, either you or your host would want to look at the SSL cert installation again.

Thanks Moggin, you solved it, it was an intermediate certificate that I needed! Cheers!!

This issue can occur when you enable your site to work under https and when your hosting provider uses an SSL Reversed Proxy / Load Balanced SSL Proxy. You can check to see if your host is using SSL load balancing / proxy, and if so there is now a vQmod available to fix any issues that you are experiencing:
http://www.opencart.com/index.php?route ... n_id=11280