Making SSL Work With CC 3.0 Final

[Guest]

OK, so we log into Admin (usually http://www.yoursite.co.uk/cubecartinstallfolder/admin), + goto Store Config -> General Settings

Then you will find in the section below Meta Data another section entitled Directories & Folders with the following:

Root SECURE Public HTML Folder to store: (Include Trailing Slash)  

Absolute SECURE URL to store (e.g. https://secure.domain.com): 

Server SECURE Root Directory (e.g. /path/to/your/secure/webstore):

Enable SSL (Warning: This change takes place immediately after submit. Please ensure your secure Root Directory and Secure URL are correct and working before setting this to Yes): Yes No

This is where almost everyone who wants SSL seems to be coming unstuck (especially those with shared SSL).

Root SECURE Public HTML Folder to store:

This is simply whatever value you entered into the "$glob['rootRel'] =" in the global.inc.php for most of us (ie: /cubecartinstallfolder/), but could be different if you had (for example) a networked system with all SSL file requests handled through a seperate server.

Absolute SECURE URL to store (e.g. https://secure.domain.com):

If you had a domain mycubecartsite.co.uk + a certificate for mycubecartsite.co.uk then this would likely be something along the lines of: https://mycubecartsite.co.uk/cubecartinstallfolder

Two things to note here:

i:) If you are using shared SSL, then the domain name part of your address will probably be a combination of your web host + the secure server on which their SSL certificate is installed followed by your user name (eg: https://orion.myhost.com/~auser/cubecartinstallfolder or https://secure6.likethishosting.net/~anothe...installfolder/).

ii:) If you have your own certificate take careful note of where the certificate was intended for use with. - If you have a domain name mycubecartsite.co.uk, with a certificate issued for use with secure.mycubecartsite.co.uk then your address here would be: https://secure.mycubecartsite.co.uk/cubecartinstallfolder NOT, for example, https://www.mycubecartsite.co.uk/cubecartinstallfolder.

Server SECURE Root Directory (e.g. /path/to/your/secure/webstore):

As with the "Root SECURE Public HTML Folder to store" this is simply whatever value you entered into "$glob['rootDir'] =" in the global.inc.php for most of us (ie: '/home/yourusername/public_html/cubecartinstallfolder'), but could be different if you had (for example) a networked system with all SSL file requests handled through a seperate server.

Finally, try testing your https:// address(es) in a new browser window before enabling SSL. - Not foolproof, but at least if the address won't work you know you are not ready yet to enable SSL.

Also, if SSL works, you will find that the Admin login page will be automatically redirected through SSL (ie: you will now logon in a window with a padlock at the bottom of the page).

You might also wonder why someone should go for their own certificate (apart from the SSL address looking allot prettier than https://secure.somesite/~user/cubecart). - The main reason is the popups that you get asking if you want to trust xyz certificate or not when you or a customer want secure pages. - These can be really annoying + past hacker endeavours have shown that such things can be used very efficiently to allow trojans/malware/etc. onto visiters systems when the popups have been crafted to hide background activities.

The answer to the above problem can be purchased for under £10 now http://www.registerfly.com. - The certificates can be a real pain to install, + will need to be installed by your webhost (in most cases) short of you having full Shell Access (or similar), which is very rare. - A number of webhosts will now install these free of charge (don't use Surfspeedy!).

Hope this helps somebody .

[Guest vrakas]

Thanks i will try this one out and i am sure a lot more that were complaining about SSL will also try it. :huh:

[Guest]

I hope it works for you.

If you are still struggling just shout + hopefully we can fix the problem.

I should also point out that the popups I mentionned don't occur on all sites using their host's, or shared, SSL. - I looked at the site of one CubeCart member who had been posting about an SSL problem (very) early this morning + found that their host used something called a wildcard certificate which is clever solution that shouldn't cause those popups when installed correctly. - Your https:// address with this kind of shared hosting, though, would still be something like (for example) https://www.secure.adhosting/~yoursite/cubecartinstallfolder.

[Guest]

Using SSL Manager:

If you have SSL Manager on your cPanel you may be able to use this to generate your Key + CSR, + then (later) for installing your certificate.

Key: You need this first, in order to generate your CSR. - You will also need this exact Key later when you come to install your certificate (so don't overwrite or loose it!).

CSR: You need this next in order to create your Certificate. - Quite often a CSR will be rejected if the format is not exactly right + a major problem area here, when it comes to certificate generation, is the country code (GB may be acceptable, but UK won't be, etc.).

SSL Manager is not featured on the cPanels of some webhosts because it is buggy. - The CSRs it generates are prone to being rejected, + it can refuse to install perfectly valid certificates. - The certificate on my site, for example, is valid + successfully installed but cPanel believes that there is an error with it.

The information typically required for generating a CSR, whether through cPanel or through your webhost, will be:

EMAIL SEND TO (Email Address That The Completed Certificate Should B Sent 2):

HOST (*):

COUNTRY (If U live in the UK this code is likely 2 B "GB" (without the speech marks ):

STATE (Or Your County If U Live In The UK):

CITY (Town/Village/Hamlet/Whatever Name Usually OK 2):

COMPANY NAME (+):

COMPANY DIVISION (+):

EMAIL FOR CERTIFICATE (^):

PASSWORD (This Is A Password 4 The Certificate Only) ($):

*This will be the root secure web address that your site's secure transactions will go through. - So, using yoursite.co.uk would mean that all secure URLs for your site would need to start with https://yoursite.co.uk in their address, whereas www.yoursite.co.uk would mean that all secure URLs for your site would need to start with https://www.yoursite.co.uk in the address, + something like secure.yoursite.co.uk would require that you have a subdomain (check that your hosting will allow subdomains) "secure," so all secure URLs for your site would need to start with https://secure.yoursite.co.uk in their address.

+Try not to leave these blank (but don't put anything stupid here, either, because these details can be seen by visitors to your site ). - Some of the required processes for your certificate can be real funny about blank fields in the CSR.

^This email address can be seen by visitors to your site + is the email address for any queries relating to your certificate + (usually) any security concerns relating to using your site.

$There are limitations on this, + how complex you can make it, so be careful!

[Guest wdriver]

Thanks for the help above, i have installed info the http directory and about to put variables in for the https information as you have written above.

Only qu i have is what files should go into the https directory?

My end purpose is to create a system where credit card numbers are collected securely into a database for manual processing which i can develop myself.

Thanks in advance :-)

w.

[Guest]

Once you have the SSL side of things working with your CubeCart installation you just access your files as you were doing before, but with https:// instead of http://.

For example:

If you have your CubeCart installed in a folder called "shop" then without SSL the address of any pages for a visitor to your site would be something like: http://www.yoursite.co.uk/shop/requestedpage.html or https://www.yoursite.co.uk/shop/requestedpage.html with SSL (ie: the pages themselves wouldn't need to be altered + they wouldn't need to be placed in a different folder. - It's just that all file requests to + from your CubeCart folder would be encrypted).

Don't forget, though, that the SSL address to your CubeCart folder may be different depending on the details used to generate your certificate. Eg: If you have a certificate installed which was created for https://yoursite.co.uk then all https:// requests for files in your CubeCart folder would have to be addressed (using "shop" as the folder where you installed CubeCart again) as https://yoursite.co.uk/shop/requestedpage.html otherwise you or the visitor would receive an error message. You shouldn't have to worry about this, though, if you have set up SSL correctly as these details are all part + parcel of the SSL setup + will function correctly if you used the correct paths in the setup .

[Guest cheekyann]

Hi, I have used the SSL manager within my control panel and now have the key the csr ann the certificate all saved ready to use, thing is where do I now install them? Do I upload and install them with my ftp prog? or is it all done within the cp? Sorry have no clue, hope someone can help.

One last thing though, is it absolutely needed?

Many thanks

Ann

[Guest Luxebot]

Sweet, just wanted to say thanks, these tips really helped ;)

[Guest drodrigz]

Hi there,

I have a dedicated SSL cert. I used my SSL Manager (on my cpanel) and generated the Key, CSR and CRTs. If I log onto my site securely, it works fine (i.e: https://www.mysite.com), and I followed your instructions and added the paths to the CC admin. They seem to work fine, as I enabled the SSL and I do not get any error messages, but when I try to log into the store securely, it re-directs me to the store but in a unsecure way. In other words, I type:

https://www.mysite.com/store

and it loads

http://mysite.com/store/index.php?&ccUser=

notice that it removes the "https" and the "www." part of the address, and then adds the index.php&ccUser= part, which sometimes comes with a large string of characters after it.

Can anyone help me? Any help will be greatly appreciated!!

Thanks!

daniel

I forgot to mention that I'm using CC 3.0.6 :w00t:

[Guest drodrigz]

I'm about to launch the store and it keeps "kicking" me out of the secure page!!! help!! I've tried everything I can think of, re-doing the certificates, etc.

The weird thing is that not only the above symptoms persists, but weirdly enough when I log into the admin page of CC, it DOES switchs to SECURE pages!!! The padlock and the https://... etc appears and everything is fine, UNTIL i try to go to the store, then it re-directs me to:

http://[myunsecureddomain].net/shop/index.php?&ccUser=

I even updated to 3.0.7-pl1, and removed ALL the mods I had... In other words, I have almost a fresh install!!

I'm not a programmer, so I can't really troubleshoot it further...

please please please can someone help me?

Thanks!!!

Daniel

[Guest saz]

Hi Daniel,

I could be wrong but I think that everything is set up the way it should. The cart only goes into secure mode when needed, like when you log into admin or a customer registers etc.

I'm a newbie to cc so hopefully some experienced members will also reply to your query!

Sally.

[Guest drodrigz]

Hi SAZ

Thanks for your reply. I'm now noticing that it switches to "secure" when going to "register" or the cart. The only thing is that none of the images show up! Not even the logo or the menu bars... And if I even go to the admin page, none of the images are loading! weird huh?

Daniel

[Guest Hootiekai]

:) Well im hosed, I put in the path that is in $glob['rootDir'] =" and I cannot get into admin any more ?

Ive played around with the path's in the browser address bar till im blue in the face without luck.

Anyone have any ideas what php file to hack to let me back in ?

Thanks for your help.

[Guest Hootiekai]

Well that wasnt sooooooooo bad. I used the CubeCart_Config_Tool, removed the settings pertaining to

$config['storeURL_SSL']

$config['rootDir_SSL']

$config['rootRel_SSL']

and changed

$config['ssl'] from 1 to 0 and Im not locked out now,WHEWWWWWWWWWWW

Still not accessable thru SSL yet but I'll sleep a little better tonight.

Just thought I would post this in case by some SLIM chance it happens to someone else.

Sure wish I could figure out how to use my host SSL, those paths pertaining to SSL kinda sorta throw me.

[Guest mgrech]

Pls someone help. I enabled my SSL, and now I cannot get to my admin page to change anything. My store is at www.jamesgrech.com/store2. I downloaded the file that is supposed to fix this problrm but I do not know how or where to upload it to. I need help urgently!! My store is online and taking orders!!

[Guest Hootiekai]

Pls someone help. I enabled my SSL, and now I cannot get to my admin page to change anything. My store is at www.jamesgrech.com/store2. I downloaded the file that is supposed to fix this problrm but I do not know how or where to upload it to. I need help urgently!! My store is online and taking orders!!

Sounds like you started correctly by downloading the tool, be sure to read the readme file with it. upload it into the folder where your others are located, ie.. base folder for your cart, set this tool files permissions to 755 and then go to it with your web browser. follow the message before yours in what to remove and change, it workd fine for me and should for you.

Good Luck,

P.S. be sure to delete the tool file from your base folder when your done.

[Guest ROC]

Having promlems!

First one line is /v3.1/ easy

Second one (according to my webhost) is https://sslhelm.com/my-site-com odd, but makes sense

This is my "$glob['rootDir'] =" though: 'D:\\Webspace\\my-site.com\\wwwroot\\v3.1' what do I put?

I've tryed a few things, been locked out and had to use the tool to get back in. Can anyone give me a hand please?

[Guest ROC]

So can anyone help?

[Guest sunshine]

Second one (according to my webhost) is https://sslhelm.com/my-site-com odd, but makes sense

You've got the domain under your main domain. The secure path must match precisely the path to your shop so that should be just as your host told you, if what they said is correct.

https://sslhelm.com/my-site-com Note Here: it should be .com not -com as you posted.

Are your CC folders residing in the public_html or www directory of my-site.com? If they are, then it should read https://sslhelm.com/ccsite.com. If you put all the CC folders into one big folder that resides in either the public_html or www, then it would be https://sslhelm.com/ccsite.com/foldername instead.

If your still having problems, you can send your CC shop to me via PM and I'll tell you what your cert and patch should be.

[Guest ROC]

Second one (according to my webhost) is https://sslhelm.com/my-site-com odd, but makes sense

You've got the domain under your main domain. The secure path must match precisely the path to your shop so that should be just as your host told you, if what they said is correct.

https://sslhelm.com/my-site-com Note Here: it should be .com not -com as you posted.

Are your CC folders residing in the public_html or www directory of my-site.com? If they are, then it should read https://sslhelm.com/ccsite.com. If you put all the CC folders into one big folder that resides in either the public_html or www, then it would be https://sslhelm.com/ccsite.com/foldername instead.

My hosting insist it's https://sslhelm.com/my-site-com . I've tried it your way anyway (just incase they were talking out of their arse), and once again got locked out. Also tried it with my version with the /foldername idea, locked out again.

?????????????????????????????????????????????????????????????????????????????????

This is becoming a bit of a nightmare!!!