
SSL and subdomains



Guest mr underhills

I've installed cubecart at http://mrunderhills.com.au/online_shop and need to add SSL for manual c/c purchasing.

I've installed an SSL certificate on https://secure.mrunderhills.com.au (as this seemed to be what was needed looking at the general settings config page).

Now when cubecart switches to SSL it looks for https://secure.mrunderhills.com.au/online_shop which, not surprisingly, it can't find as it isn't there.

Help! Have I stuffed up? Presumably if I reinstall cubecart at http://mrunderhills.com.au/secure/online_shop it should sort it?

I was doing so well . . . :)

Link to comment
Share on other sites

Guest Brivtech

You don't need to re-install, simply download the config tool from the downloads section at the top of the page (Under the 3.x folder), and you can alter the settings back again.

Remember to delete this tool after use, as it poses a security risk.

Also, try using the search facility on the forum, as there's plenty of topics that discuss SSL setup and correct configuration.

Link to comment
Share on other sites

Guest mr underhills

Thanks for the reply, Brivtech. Believe me, I've spent days searching the threads - in all those that look close, the originator's managed to sort but hasn't said how. As for the editconf tool, I'm working on how to sort the problem my server reckons at line 60 - but I'll take care of that.

My question was really: if I have a secure area (my subdomain with the SSL) and a non-secure area (say, my store directory), surely some files have to be located in each area.

I started with all the files in my store directory and then I added SSL. Don't some files now need to be moved to the secure subdomain? Otherwise when cubecart switches to SSL and goes to the subdomain, it won't find anything there. And that's just what's happening.

Link to comment
Share on other sites

Guest Brivtech

My experience of SSL certificates has been that it's merely a switch in the server in the way that it sends the data out. The files' location is the same.

But to tell the computer that you're asking for encrypted pages rather than the normal pages, the https works the switch.

Typical settings I use are always on this basis, and perhaps it may help with your configuration problem:

Root secure: /

Absolute Secure: https://www.website.com

If you have an additional folder where you have the store, then the Absolute Secure would be:

https://www.website.com/additionalFolder

By you adding in the word secure, you'd be implying that there's a subdomain you're using called "secure". There's no harm in that, but you would need to copy all the files into there, and replace the www with the subdomain name in the examples I gave.

My recommendation would be to keep the domain at www instead of using the subdomain, otherwise, you're just duplicating all your files for no real reason, and causing complications in the process.

I'm sure there's many variations of this with different hosting configurations though.

Link to comment
Share on other sites

Guest Sierra Dynamic

Hi, I'm new here, just looking for Shopping Cart Software at this time and checking out all the different options to see first hand what people are having problems with and how well the different offerings are supported. Must admit, so far CubeCart is very impressive.

Anyhow, I'm by no means a Cube Cart expert yet, hope to be, but not yet. In reading this post though I saw something that doesn't look like a working option for this person, or at least wouldn't make much sense.

By you adding in the word secure, you'd be implying that there's a subdomain you're using called "secure". There's no harm in that, but you would need to copy all the files into there, and replace the www with the subdomain name in the examples I gave.

My recommendation would be to keep the domain at www instead of using the subdomain, otherwise, you're just duplicating all your files for no real reason, and causing complications in the process.

It looks like it's too late for that to be working advice. If you go to this person's URL they specified, they do already have this subdomain set up, and the certificate they already purchased and paid for is not a wild card cert, it's only been assigned to this subdomain.

https://secure.mrunderhills.com.au/

They have to either use this subdomain, or if they take the advice given then purchase an additional certificate that was created specifically for www.mrunderhills.com or a wild card certificate that would allow them to use SSL on the main domain and all subdomains.

It's doubtful most people need to go through the expense of either a Wild Card Certificate, or in this case buying a second certificate. If I were this person I would just set everything up for your shopping cart in your subdomain you have, and then just use the certificate you already paid for on this subdomain being as how that is what it was assigned to when it was created.

Some additional advice that I happened to notice about your web site,

You're on an Apache Server, hosted web site, I'm guessing you're probably also then using cPanel. You should go in and turn off your indexing in your index manager option of cPanel, this will keep people from being able to see what files are in a directory that lacks an index file (as in the example subdomain URL you provided).

If you're not sure how to do this, then another easy option would be to just make a dummy blank file, it doesn't even have to have any data written into it, name it index.htm and drop it in your directories (folders). Then, if you ever do decide or need to insert a real index.htm file you can just let the new one override the blank fake one you'd be using.

Try it on the example you gave us and see what I mean.

Anyone then going to...

https://secure.mrunderhills.com.au/

would automatically then only see...

https://secure.mrunderhills.com.au/index.htm

instead of your directory structure and any other files that may be in there.

Sorry if I couldn't help you with your original question though, just wanted to keep you from thinking the prior advice given to you would be required and save you some time and expense in case you were to follow it. Not that it was bad advice, I think Brivtech just didn't realize you already had the subdomain created and the SSL certificate assigned to it already.

Link to comment
Share on other sites
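
Added example (not part of the thread, and not CubeCart code): the name-coverage point from the post above, worked through in Python. The certificate dictionaries are constructed samples in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the hostname `a.secure.mrunderhills.com.au` is an assumption used to show how far a wildcard reaches.

```python
# Added example: which hostnames does a certificate actually cover?
# Matching follows the usual browser rules (RFC 6125 style):
#   - names are compared label by label, case-insensitively
#   - "*" is honoured only as the whole left-most label
#   - a wildcard stands for exactly ONE label, so it covers neither the
#     bare domain nor a sub-subdomain

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Return True if one certificate name (pattern) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: require at least two labels after the wildcard.
        # Real clients also consult the public suffix list.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Names a client would check: DNS subjectAltName entries, or the
    subject commonName when the certificate carries no DNS SAN (legacy
    certificates; current browsers ignore the commonName)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]


def covers(cert, hostname):
    """True if any name in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def coverage_report(cert, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {h: covers(cert, h) for h in hostnames}


# --- constructed sample certificates (not fetched from any server) ---

# Single-name certificate, commonName only, as issued for one subdomain.
SINGLE = {"subject": ((("commonName", "secure.mrunderhills.com.au"),),)}

# Wildcard certificate with only the wildcard name.
WILDCARD = {
    "subject": ((("commonName", "*.mrunderhills.com.au"),),),
    "subjectAltName": (("DNS", "*.mrunderhills.com.au"),),
}

# Wildcard certificate that also lists the bare domain as a second name.
WILDCARD_PLUS_APEX = {
    "subject": ((("commonName", "*.mrunderhills.com.au"),),),
    "subjectAltName": (("DNS", "*.mrunderhills.com.au"),
                       ("DNS", "mrunderhills.com.au")),
}

HOSTS = [
    "mrunderhills.com.au",
    "www.mrunderhills.com.au",
    "secure.mrunderhills.com.au",
    "a.secure.mrunderhills.com.au",   # assumed name, one level deeper
]

if __name__ == "__main__":
    for label, cert in (("single", SINGLE), ("wildcard", WILDCARD),
                        ("wildcard+apex", WILDCARD_PLUS_APEX)):
        print(label)
        for host, ok in coverage_report(cert, HOSTS).items():
            print("   %-32s %s" % (host, "covered" if ok else "NAME MISMATCH"))
```

A hostname reported as a mismatch is one where the browser shows a certificate warning, which is why the store's secure URL has to use a name the installed certificate lists.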

  • 2 weeks later...

Most all certificate providers will re-key the certificate for no charge. I would do that and setup the cert for www.mrunderhills.com.au. And USE the www. most people are used to typing it, so leave it that way. Then set all your paths to www.mrunderhills.com.au and don't sweat it.

I say this because unless you have the ability to manually edit your server's httpd.conf (and 99.9% of shared hosting won't allow it) you're not going to easily get your site working as you have it.

:)

Link to comment
Share on other sites

Guest Brivtech

Not that it was bad advice, I think Brivtech just didn't realize you already had the subdomain created and the SSL certificate assigned to it already.

I didn't actually see anywhere that stated that the subdomain was already set up. To me it appeared rather that the certificate had been set up wrongly to the store over the mis-interpretation of the name secure, that as I stated would have become a subdomain, and resulted in a duplication that was un-necessary.

To further my point, mr underhills stated that the server couldn't find the URL, "as it isn't there", making me believe that my last point contributed accordingly.

Depending on the information that has been provided, it can often be difficult to provide an exact solution to a problem. It's often equally difficult to describe a problem if you have little technical expertise, and it's often a good idea to provide a simple solution that can be later verified if it didn't at first fit the full scope of the original problem.

Sir William added a very good point that certificates can be re-keyed. To add to this second point, I strongly agree that unless you have a special requirement for CC to run on a sub-domain, you're far better off running it from the root. This doesn't mean that it can't be done, but you may expect a lot of fiddling to get it right if you're a novice - This describes my experience when I was first introduced to CubeCart 16 months ago.

Link to comment
Share on other sites

Guest Headquarters on Crown

Just a final clarification please on a similar problem.

My main website is www.headquarters.com.au. This operates independently of the on-line store, but you can go into the store from the website.

The shop is installed in www.headquarters.com.au/store , but for convenience there is a sub domain called

shop.headquarters.com.au

which automatically redirects to www.headquarters.com.au/store

I wanted the shop to run independently from the website.

OPTION 1

Get my SSL certificate for shop.headquarters.com.au,

Then the shop will have to be moved to shop.headquarters.com.au ( this I understand but would prefer not to do).

OPTION 2

Get my SSL certificate for www.headquarters.com.au, then the shop is covered and CC is OK.

BUT will this automatically mean that everything on the main website will be in secure https: mode ?? (Something that is not necessary/needed)

[I guess I am a little confused over the SSL thing since CC very cleverly goes in/out of SSL mode]

The answer to this will determine which option I take.

Link to comment
Share on other sites

Just because you have a certificate on a domain does not mean you have to use it. In fact, it's quicker to not use it except on pages that need it for some reason....hence why CC jumps in and out of SSL mode as necessary.

I'd put the cert on www. so you can use it for other things down the road if you wish.

:huh:

Link to comment
Share on other sites

Guest mr underhills

Thanks to all for their advice. I apologise if I wasn't clear.

At present, I have CC working with my cert on the secure domain. I can see the advantage of moving the cert to www.mru but my hosting people charged me for installing the cert (reasonable, I suppose if they had to set up a fixed IP address) but I'm reluctant to pay them the same fee just for moving the cert.

What I have works, but if I have problems I'll know what to do and will move the cert.

I think, maybe, the CCmeister might consider changing the example, https://secure.domain.com/store, on the General Settings page to https://www.domain.com/store.

I appreciate the point about security and will look into it. I am using Cpanel and there's something there about setting password protection for files but I haven't got round to doing it - as I'm too busy trying to configure my CC!

Thanks again.

Link to comment
Share on other sites

Guest devstudent

Brivtech,

You didn't need a very detailed explanation, I thought his question was written perfectly clear myself. I just clicked on the links in the examples he provided right in his post and could quickly see the sub domain and the certificate already existed.

I've never heard of anyone getting a new key created for a different domain for free by any of the CA's, in fact most charge just to recreate the same key for you if you lose it. I sell SSL Certificates and there isn't even an option available to me to change a persons key at no cost. That's not to say you couldn't try this I suppose, anything is worth asking, but I certainly wouldn't be advising people they can just do this because I find it rather unlikely it's going to happen.

In fact, it's quicker to not use it except on pages that need it for some reason....

That's because running SSL on the server is resource intensive. If you wanted your main page on your web site to run in SSL mode you could just by changing the URL you're connecting to it to be https:// instead of http://, there certainly wouldn't be a need to do this. It will not by default run all your pages on your web site though in SSL mode unless something tells it to like Cube Cart, or you ask it to by adding the s into your URLs, otherwise you'd never even know it was there.

Link to comment
Share on other sites

Devstudent, you read that line wrong. I've been doing this for 20 years. I know WHY it's slow. I was saying that unless a page needs SSL for some reason, don't use it because it's slower. I wasn't questioning why SSL is slower.

Plus add in the client side resources to decode the encryption to the server side resources to encode and you get slower overall page responses. It's the price we pay for security.

:)

Link to comment
Share on other sites

Guest devstudent

Ha ha ha, I knew you did, I couldn't help it though, you left that one wide open.

I've been doing this for 20 years

Don't remind me, you make me feel old, I started out on a super powerful 8 MHz 8086 myself that didn't have an owners manual and I didn't know anyone else who even knew what a computer was. Someone actually gave it to me back then because they couldn't figure out how to use it. So I had many long nights teaching myself and figuring the thing out on my own back then, though I'm not sure how you could have been doing this for 20 years?

We didn't have message boards like this back then where we could just ask questions and demand/expect immediate attention and replies. We did have to walk to school, up hill, both ways, in waist deep snow, even in the summer, and when we had computer related problems or questions we had to figure out how to solve them on our own. Of course in fairness to the youth of today, things were a lot simpler back then and a lot less that could actually go wrong.

We didn't have the internet, or Web, till 1989, that's only 18 years.

We didn't have SSL till 1994, that's only 13 years.

and we didn't have PHP, actually "PHP/FI" at that time, till 1995, that's only 12 years ago.

So it looks like you have a few of those 20 years that you need to account for now, please don't respond however if in your accounts of those missing years you may incriminate yourself regardless of the statute of limitation rules that may or may not apply.

Link to comment
Share on other sites

Guest Brivtech

DevStudent, why the attack all the time? What's such a big deal with the way I responded? This is an informal support forum that's run by enthusiasts, not a dissertation for a doctorate that's awaiting publication into an industry journal.

Like Sir William, I've also been in the computer industry for a very long time. My first computer was just 1 MHz, with 1K RAM - This was 27 years ago for me - I actually built this computer myself, with a soldering iron, solder, and a lot of patience.

Bulletin boards really were wide-spread instead of the internet, where you'd simply dial up into a server. There were no fancy images those days, just blocky graphics, and quite often, images rendered from ascii text. The internet wasn't widely used until much more recently. Compuserve was one of the first mass-market players that I remember, getting everyone connected. I could never afford their subscriptions until about 1994 when I signed up to AOL. I was loyal to them for about 6 years until my business interests in the internet became more widespread, and needed better service, so switched to a UK-based broadband provider, who I'm still with on 8mb down, and 2mb up, and a Mexican provider, who can barely manage a quarter of that although they like to boast other figures.

My first computer business was opened up 18 years ago. Although the internet wasn't in wide use until more recently, user groups abounded, with printed (or professionally photocopied) fanzines, and software distribution on audio cassette - Floppy disks were a God Send appearing later. Just imagine waiting about 5 mins for a 15K file to load, and then having a 360K single sided single density floppy disk that would load the same in a fraction of the time!

Ah yes, the memories come flooding back. I could be here all day, but I have work to get on with.

If we don't answer questions like you'd want us to, your input and alternative answer is always welcome. Excuse us in the mean time, it must be the senility creeping in. :)

Link to comment
Share on other sites

Guest devstudent

why the attack all the time? What's such a big deal with the way I responded?

To avoid confusion, I changed my user name after making this original post, the original user name was an on the fly thing while initially registering and I changed it because I did not want people to get the impression I was here for self promotion reasons, but only to help out as I can like a good little internet citizen should.

I think what bent me wrong was the original reply to this post was made in the hopes of stopping this person before they wasted a bunch of money buying a new certificate, and instead to explain to them how to pick up the pieces they left their self with and still make things work without having to spend any more money in buying a new certificate as reading your post seemed to imply they should do or would need to do when it wasn't a requirement for them to do so. Where I got bent wrong I suppose though is that reply was made but then hidden from everyone else in being able to read it for over 10 days "waiting on moderator approval". You'll notice it was Posted Mar 1 2007, 09:06 PM, but didn't get opened for viewing till Mar 11 2007, 01:36 AM and I felt this was because you didn't like the way I didn't agree with the advice you had given, or at least brought attention to the fact that you misread the information the person provided you with.

If I can make note though in defense of your implication that I'm attacking, I don't consider something to be an attack when instead it's a comment for clarification in regards to a post you have made in which it would appear you did not correctly read, or look into what the person was asking. I suppose it may be a fine line trying to distinguish the difference, particularly when it applies to you personally, but please, and I assure you, I have no malformed intents aimed towards you personally. I've read literally hundreds of your posts here and if I were to be cornered into providing you with my direct thoughts of you I'd say I find your postings to be informative and enjoyable to read and you, it would seem to me, to be one of those very likeable kind of guys. So don't take it so personal please, I was just trying to spare this person from the need of spending more money than they already had when it wasn't necessary to do so, that's all.

Link to comment
Share on other sites

Guest Brivtech

Where I got bent wrong I suppose though is that reply was made but then hidden from everyone else in being able to read it for over 10 days "waiting on moderator approval".

Posts on the cubecart.com forum are not hidden awaiting moderator approval, so I'd appreciate if you could clarify this point further so I can look into this. We run a very open forum, and I am not aware of any such activity (Hidden posts are viewable by all moderators).

Your comments and criticisms are always welcome, even if they are unpalletable - It helps keep us on our toes, even if we don't agree with them ;) .

Link to comment
Share on other sites

Guest devstudent

ha ha ha I like this touch...

even if they are unpalletable

Posts on the cubecart.com forum are not hidden awaiting moderator approval, so I'd appreciate if you could clarify this point further so I can look into this.

Not sure what else to tell you, the post I made above on March 1, after I hit the Add Reply button gave me a message that said clear enough that the reply I had submitted was pending moderator or admin approval. Also clearly enough, the reply I had submitted was not viewable till Mar 11 when Sir William added his own reply to this post. I've never used this particular Message Board software you're running here so I don't know what more to tell you other than maybe it's an option you have in your own Moderator screen that accidentally got turned on for this particular post?

I'm almost relieved now though that you brought all of this up, because I wasn't going to say anything about it, just kind of grumble under my breath over it. It's never happened to me here on any other posts I've submitted. At first, being as how it was only my second post here ever I think I assumed it was the standard operating procedure around here to handle new submissions in this way, then when it never happened again on any additional posts it added to the mystery. I thought maybe the person who started this initial post I was replying to was some sort of special circumstance that you were wanting to handle yourself directly, or who knows what. You've cleared up a lot now though by explaining that you yourself were not even aware this had happened and it's not standard policy here.

Link to comment
Share on other sites

Guest Headquarters on Crown

Back to my problem:

SSL Certificate is for www.headquarters.com.au, just installed by my web hoster.

settings in admin panel are:

Root Secure www.headquarters.com.au/store/

Absolute secure https://www.headquarters.com.au/store without final /

When enabled, I am getting error -12263 from www.headquarters.com.au either in ADMIN and also when doing SSL type activities as a user.

Any ideas?

store URL is via www.headquarters.com.au/store/

(I have read all the conflicting info on this forum, and am no better off)

ADDED:

1. tried just /store/ for root secure - no change

2. Checked with the config tool and noticed that rootDir_SSL is blank (but there is nowhere in the ADMIN panel to change it). Checking on the global.inc.php file I see that it says /webhome/www.headquarters.com.au/store Do I need to put this in the database

and the only way would be through the editconf tool.

Link to comment
Share on other sites

Guest devstudent

Your problem isn't an issue with Cube Cart. You need to get your SSL up and working first on your server before you start worrying about getting Cube Cart to play nice with your SSL Certificate.

Just going to...

https://www.headquarters.com.au/

Tells me everything, and at the same time tells me nothing.

The everything it tells me is clearly your SSL isn't up and running on your server, or if it is, you don't have your certificate installed correctly. There are a lot of possibilities here that fall under that second part tells me nothing issue.

So let's back you up here a bit, you're getting ahead of yourself, stop worrying for the moment about anything to do with Cube Cart and let's see if we can get your SSL up and working.

I'm going to assume some things here, not the way I like dealing with this stuff, but I know it's annoying to have someone help you trouble shoot who asks dumb questions.

I'm assuming like you imply, you made it past the SSL steps in getting your CSR done, got your certificate back from the CA and have installed the certificate on the server in mod_ssl or where and whatever you're doing this in.

Let's look at the most common mistake people overlook, after installing a new SSL certificate you have got to shut down and restart.

If you've already done that much, which most people don't realize has to be done, then I'd question if when you copied and pasted the text in for your SSL Certificate if hopefully that all went right.

Also would be helpful to know, have you ever installed and set up SSL on a server before? If never that's fine, it lets me know what we need to cover in explaining and helping you here, if a few times I can skip basic stuff, if all the time then why are you here asking?

Also, where did you get this SSL Certificate from, or more specifically, who's your CA?

Is this a single root certificate or a chained certificate?

And P.S.

By the way...

Back to my problem:

What do you mean "back to your problem", you never indicated you were having a problem for us to get back to by the way, you asked questions about buying a certificate in relation to using a subdomain in your only other post in here and they were answered. You're bringing in a completely new problem, that technically isn't even related to this preexisting post someone else started.

Link to comment
Share on other sites

Guest Brivtech

Back to my problem:

What do you mean "back to your problem", you never indicated you were having a problem for us to get back to by the way, you asked questions about buying a certificate in relation to using a subdomain in your only other post in here and they were answered. You're bringing in a completely new problem, that technically isn't even related to this preexisting post someone else started.

DevStudent, he means that you were actually hijacking the thread by moaning at us for the way we answered it, whereas he had a legitimate question extending on from the topic.

Link to comment
Share on other sites

Guest devstudent

You guys are really trying to make me cry aren't you? I'm a very sensitive guy!

Yea I caught that this is what he was implying, which is why I wanted to point out he hijacked the thread first by bringing an entirely new issue into it that is different than the problem that started this thread in the first place, which did get resolved (I think, right?).

That means this thread turned into a floater, destined only to drift many pages back in the forum and likely never to be seen again.

It's all good anyhow, we'll get him up and working, I think "billindetroit" started a new thank you thread tonight anyhow that probably has the links in it to the information our fine "Headquarters on Crown" person here needs, once we get his SSL working that is. Those docs in the knowledge base should be modified to avoid this confusion though. It does lead one to think that they should check their SSL by testing it into Cube Fart first. This is going to cause this very type of confusion and get people messing up all kinds of things trying to fix it when the problem isn't even in Cube Cart.

If it were I, I'd edit the knowledge base doc to have people check that their SSL is working by just pointing them directly to their own domain with https instead of sending them to check the same to a directory in their Cube Cart install like it currently reads, check your cube cart directory then after you can at least confirm that the SSL works on the domain.

Link to comment
Share on other sites

Guest devstudent

This is somewhat misleading, confusing to some I'd suspect, and while very good, could be just a touch better. If I may point out some things with it that would improve the overall quality of it...

https://www.cubecart.com/site/helpdesk/inde...4&nav=0,2,4

It starts out stating the following...

"How to I configure SSL for secure https transactions?"

The information doesn't really tell you how to do that though, instead what it explains would be better written as so...

"How do I configure SSL with in Cube Cart for https?"

Because nowhere in that document does it give anyone specific information on how to actually configure SSL, granted, this information is beyond what Cube Cart should be expected to support, you have to draw the line somewhere or you'd have a document for how do I open a web browser and surf the internet.

No big deal, just a minor point since I was on the subject anyhow, here though however is what needs to be rewritten a little better in that doc...

How do I test SSL is working?

Before we do anything we need to test that the SSL domain has been configured correctly.

In this example we will assume your webstore is located at http://www.example.com/store

If you have dedicated SSL simply go to your master doman and store directory using your browser.

http://www.example.com/store

You should now be presented with your CubeCart store. If not, you have either typed the wrong URL or your it has not been installed properly.

I'd start right with the example url given, drop the /store part off of it, it shouldn't be there because as you read down the doc it creates even more confusion when you get to the bottom of my quote there and read "it has not been installed properly".

I can certainly see where if this was what Headquarters on Crown here, or anyone else was reading, then why they would be jumping into their cube cart installation looking to fix the problem with no luck of course. Again, if I may suggest, I think that very valuable documentation could be even more valuable if modified to read more like so instead...

How do I test if SSL is working on my web site?

Before we do anything we need to test that the SSL domain has been configured correctly.

In this example we will assume your website is located at http://www.example.com/

If you have dedicated SSL simply go to your master domain using your browser.

http://www.example.com/

You should now be presented with your web site. If not, you have either typed the wrong URL or there is another problem directly with your web site. NOTE: Newly registered and set up domains can take 24-48 hours to propagate to DNS servers before they work from your web browser without using the direct IP address.

To test if your dedicated SSL certificate is working change the protocol in the address bar from http to https.

https://www.example.com/ and press return.

If it has been installed correctly the web site should reload and a padlock will appear in the status bar of your browser software. If, on the other hand you get any warning messages or other errors please contact your hosting company to resolve the issue.

It may at first look to be a casual difference in wording, but I think it would make a huge difference in problem avoidance and understanding, particularly to a person who might not be understanding it very well in the first place, which would be the type of person reading this information in the first place.

Link to comment
Share on other sites

Guest Brivtech

Good grief.

Topic closed. Anyone having SSL problems with subdomains now, please start a new topic. This one has become saturated in rhetoric.

DevStudent, I would appreciate if you kept your feedback out of the individual topics, and if it's really of such concern to you, please discuss it in the General Discussion area for further debate. I'm afraid I will otherwise be deleting any such postings.

Link to comment
Share on other sites

This topic is now closed to further replies.