SSL is broken

[midwestwebsites]

Hi,

I have a live website running OSCMAX 1.5.5. My server is hosted with 1and1.com.

Problem: When clicking the "checkout" link or any other link that uses "https" the lock icon on the browser does not lock.

What 1and1 said: After 30-40 minutes of hanging on the phone with 1and1, the support rep told me the problem is due to the <base href="..."> tag causing the SSL not to work becuase this tag is set to "http://...". I confirmed that uploading a basic html page with simply and open and close html and body tag with the word test, does cause the SSL lock icon to work properly when accessing the link via https. So 1and1 appears to be correct in what they said.

Question: I thought that SSL used to work fine on my site but now it does not. I even checked out a new version of OSCMAX (1.7) which I made only minor appearance changes to the code to see if it was a possible edit I had done, and it too did not display the SSL lock icon correctly (it too has the base href tag). What can I do to fix this problem and get SSL working again?

Any help would be greatly appreaciated.

Oh:
I read some posts where people where asking about the configuration file so here's the important info. (BTW, the SSL certificate is dedicated not shared):

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.********.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.********.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.********.com');
define('HTTPS_COOKIE_DOMAIN', 'www.********.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

Jonathan

[goaskmom]

Not sure if this is what it is, but your HTTP_COOKIE_DOMAIN and HTTPS_COOKIE_DOMAIN should not be www.********.com . They should be *********.com, if I am understanding it correctly.

Drop the www. on those 2 places and see if it helps.

[midwestwebsites]

Thanks for the reply.

I removed the www as you suggested, and the browser notifies me of going into secure mode, I even see the lock icon flash on momentarily (as it did when the www still existed in the configuration file) yet the lock icon still disappears by the time the page is fully loaded.

Any other ideas? Does your version of oscommerce have a base href tag in the code when you right click to view source?

Thanks
Jonathan

[michael_s]

In your main_page.tpl.php, the base href line should look like this:

Code:

<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">

This allows the <base href="..."> tag to change to ssl when required. If your tag looks like above, try changing the $request_type == 'SSL' to $request_type == 'HTTPS'

If your line of code does not look like the above, paste my code in and see if that helps...

[midwestwebsites]

Michael,

I only wish it had worked. The code was already the same as what you posted above, so I tried changing the request type to HTTPS as you said, but that too did not fix the problem.

As I said earlier, I've tried this with both my live shopping cart and a default Max 1.7 install and both carts have the SSL problem so I know it is not caused by one of the edits I made to my live cart.

Any other ideas on how to fix this? I'm desparate!!

Thanks

Jonathan

[michael_s]

The only other thing that it could be is that your configure.php urls or paths for https are not correct.

You need to find out your full path to both http and https servers and make sure the configure.php file matches correctly.

Do you have a url I can look at?

[midwestwebsites]

Here are the urls you requested:

A simple html file w/o <base href> tag: NOTE: SSL works correctly
Live site with <base href> tag: SSL doesn't work

Here's my complete configure.php file (minus the database connection info):

Code:

<?php
/*
  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

  Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://www.*******.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://www.*******.com'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'www.*******.com');
  define('HTTPS_COOKIE_DOMAIN', 'www.******.com');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

//Added for BTS1.0
  define('DIR_WS_TEMPLATES', 'templates/');
  define('DIR_WS_CONTENT', DIR_WS_TEMPLATES . 'content/');
  define('DIR_WS_JAVASCRIPT', DIR_WS_INCLUDES . 'javascript/');
//End BTS1.0
  define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
  define('DIR_FS_CATALOG', '/homepages/34/d95573876/htdocs/******/audio/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

Is anything set incorrectly?

Jonathan

[michael_s]

Both of these should just be your domain without the www.

Code:

  define('HTTP_COOKIE_DOMAIN', 'sacredaudio.com');
  define('HTTPS_COOKIE_DOMAIN', 'sacredaudio.com');

Make sure this is correct and matches the actual path:

Code:

define('DIR_FS_CATALOG', '/homepages/34/d95573876/htdocs/sacredaudio/audio/');

If that does not fix it, start looking at how SSL is handled on your server. Is it just aliased from the same directory or is there a separate directory where you have to place your SSL files? I have not seen this issue anywhere before (in over 4 years of working with osC) so I am tempted to say it is a configuration quirk on your server. Have you simply tried removing that base href line from the template and testing?

[goaskmom]

If your domain defined as www.sacredaudio.com or sacredaudio.com? I know it matters, and I also know I don't know the right terminology for all of that info. But I do know I have made the mistake before of setting up a domain without the www.

Just thinking out loud. Might be miles from the issue, but it's worth throwing out there.

[midwestwebsites]

I changed the cookie domain properites to remove the www but that did not solve the problem. I had it w/ the www b/c that is what the install script defaulted to during the initial setup. I don't have root access to the server but I do believe that server file path is correct. Since I do not have root access to the server, I do not know how 1and1 has the SSL setup.

I removed the base href tag from the template, and IT WORKS!!! I didn't know I could do this w/o breaking something.

One question though: I still get a security warning when switching from non-secure to secure. I believe this is being caused by the images not using the SSL causing the security zone to be mixed. Is there a way to force the images to use SSL when in secure pages so customers don't get this warning?

Jonathan