Printable View
Hi all..
Been searching the forums for days trying to find an answer.. but with no joy :no:
I'm getting the "This page contains both secure and nonsecure items... " warning on IE (and similar in FF) I've seen several people say hard coded HTTP: links are the issue, but I can see any on my site. The only thing I'm thinking it could be is the <base href=http in my code.
HOW do you change this to <base href=https ? Or is this not the problem?
My website: www.sourcetech.co.uk
Please help!!
Mike
What values are you putting in your configure.php files for:
PHP Code:define('HTTP_SERVER', 'http://xxxxxxxxxxxxxxxxxxxx');
define('HTTPS_SERVER', 'https://xxxxxxxxxxxxxxxxxxxx');
Hi fairestcape, both my configure files say the following:
That seems right. I just tried adding "/shop" onto the end, just on the off-chance that this worked.. and it managed to kill the entire site! Not such a good idea then! :unsure:Quote:
define('HTTP_SERVER', 'http://www.sourcetech.co.uk');
define('HTTPS_SERVER', 'https://www.sourcetech.co.uk');
These paths to http and https look quite correct.
(Is your SSL cert for www.sourcetech.co.uk, or just sourcetech.co.uk?)
HTTPS is invoked by zencart only when necessary - ie: when sensitive data is being transmitted. (Names, Addresses, Checkout process).
Most of the time, it operates in http mode.
If you are getting "Insecure elements" warnings when logging in, or going through checkout, then this is generally a result of a http:// URL embedded somewhere in the code calling https: (It could be in a define page, or a template file.
When the message appears, say "No, don't display insecure items", then look at the output to see what's missing... That's your clue as to how to resolve it.
Here are the insecure items...
Code:<script language="javascript" type="text/javascript"><!--
function session_win() {
window.open("http://www.sourcetech.co.uk/shop/index.php?main_page=info_shopping_cart","info_shopping_cart","height=460,width=430,toolbar=no,statusbar=no,scrollbars=yes").focus();
}
//--></script>
Code:<script type="text/javascript" src="http://download.skype.com/share/skypebuttons/js/skypeCheck.js">
Code:<img src="http://mystatus.skype.com/balloon/mike.r.backhouse" style="border: none;" width="140" height="56" alt="My status" />
~MelanieCode:<a onClick="window.open('http://www.shopmania.co.uk/?m=139'); return false;" alt="Visit Sourcetech.co.uk on ShopMania" target="_blank" href="http://www.shopmania.co.uk"><img border="0" title="Visit Sourcetech.co.uk on ShopMania" src="http://www.shopmania.co.uk/img/cert/shopmania-store-uk.gif" alt="" /></a></p>
<p>
Thank you for replies, really blows me away when people take the time to help.
fairestcape, I'll check our SSL certificate, my MD who actually bought it, is under the impression that it IS minus the www, so that could well be the problem..
mprough, I noticed the same things when checking the source code. So I've now switched off the skype sidebox and the box that contained the shopmania link. Cant for the life of me figure out where that bit of javascript's coming from:
So I'll take a better look at that asap.Code:<script language="javascript" type="text/javascript"><!--
function session_win() {
window.open("http://www.sourcetech.co.uk/shop/index.php?main_page=info_shopping_cart","info_shopping_cart","height=460,width=430,toolbar=no,statusbar=no,scrollbars=yes").focus();
}
//--></script>
Question.. if there are ANY hard coded links on the site, even to external sites, then this will cause issues with HTTPS? How do I get round linking to say http://www.google.com, when there isnt an HTTPS alternative? :unsure:
Internal links can be absolute... External links must be to secured pages.
If your www/non www was incorrect on the SSL it would display an error and not load the page at all....
~Melanie
How deep does the rabbit hole go?....when on the login page, which should be secure I see a base href ofwhen ti should beCode:<base href="http://www.sourcetech.co.uk/shop/" />
That is causing all of the stylesheets and images on the page to be called unsecure on the secure page.Code:<base href="https://www.sourcetech.co.uk/shop/" />
Who is the hosting company?
A few hosts are known to be unable to support SSL using conventional methods.
If your ZC is configured properly, the base url should change dynamically.Quote:
Originally Posted by barco57
includes/configure.php
secure checkout set to true?
admin/includes/configure.php ssl catalog false?
~Melanie
exactly my point, it isn't changing correctly.
<base href="http://www.sourcetech.co.uk/shop/" /> this may cause CSS problems, but it is a secure link as its an absolute link to the same domain... not an external link.
~Melanie
You can not call stylesheets and images unsecure into a secure page even if it is the same domain. Use firefox and check the dependencies on the page. I troubleshoot these issues everyday. once those are cleared up the page will work.
Hmmmm...
So why is it not switching correctly then.
Check these settings...
includes/configure.php
Code:define('HTTP_SERVER', 'http://www.sourcetech.co.uk');
define('HTTPS_SERVER', 'https://www.sourcetech.co.uk');
// Use secure webserver for checkout procedure?
define('ENABLE_SSL', 'true');
admin/includes/configure.php
~MelanieCode:define('HTTP_SERVER', 'http://www.sourcetech.co.uk);
define('HTTPS_SERVER', 'https://www.sourcetech.co.uk');
define('HTTP_CATALOG_SERVER', 'http://www.sourcetech.co.uk');
define('HTTPS_CATALOG_SERVER', 'https://www.sourcetech.co.uk');
// secure webserver for catalog module and/or admin areas?
define('ENABLE_SSL_CATALOG', 'false');
define('ENABLE_SSL_ADMIN', 'false');
And this I don't think is going to fly
I don't think this will work... I actually had to make a way to use a lightbox script I wanted, but on SSL pages it would not stop making errors... So since it isn't used on SSL pages, now its not included.Code:<script language="javascript" type="text/javascript"><!--
function session_win() {
window.open("http://www.sourcetech.co.uk/shop/index.php?main_page=info_shopping_cart","info_shopping_cart","height=460,width=430,toolbar=no,statusbar=no,scrollbars=yes").focus();
}
//--></script>
Also, your shopping cart page is SSL and should not be, this is likely a config error.
~Melanie
I would be curious to see what the following line in includes/templates/iC_AthemeV1.3/common/html_header.php looks like:If this has been changed to a hard coded url it would exhibit this behaviorCode:<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />
Hi Drbyte.. Who's the hosting company? We are!! We have our own webserver in a rack locally
I was wondering about the base HREF=http: etc.. I presume this has been the issue, but no idea how to change it!
Hi Drbyte.. We have our own webserver in a rack locally, so host our own websites. Which is both handy and annoying all at the same time!
I was wondering about the base HREF=http: etc.. I presume this has been the issue, but no idea how to change it!
Checked the 2 config files, definately ok
Checked the html_header.php and that lines definately ok thanks
Shopping cart IS SSL, but definately isnt causing the problem, because I was having these problems before setting that to SSL. That said, I'll change it back anyway
Cant find the javascript which is causing the problem, I would love nothing more than to remove that! I'll carry on the hunt!!
Code:<script language="javascript" type="text/javascript"><!--
function session_win() {
window.open("http://www.sourcetech.co.uk/shop/index.php?main_page=info_shopping_cart","info_shopping_cart","height=460,width=430,toolbar=no,statusbar=no,scrollbars=yes").focus();
}
//--></script>
Things I have noticed.
- SSL Cert is issued to sourcetech.co.uk
- site does not work without the 'www' in the URL
- invalid characters in JS starting at line 96 of page output
);
//отслеживание дополнительных элементов
//addListener(document.getElementById('element-id'),
Fixing all of the above will help to sort out some or even a lot, of problems.
The SSL is issued to the www... Non www links are not displayed, but rather 404 as no redirect exists either.Quote:
Originally Posted by Website Rob
~Melanie
- SSL Cert is issued to sourcetech.co.uk << this is easily confirmed
- site does not work without the 'www' in the URL << this is an incorrect setting in Apache
Another error noticed.
Access denied to http: //www. sourcetech. co.uk/shop/csshover.htc
(link seperated to prevent SE indexing)
Maybe I am missing something...Quote:
Originally Posted by Website Rob
Website Identity is listed as www.sourcetech.co.uk
The sourcetech.co.uk is the common and organizational name. The token is also sourcetech.co.uk, but this is a GoDaddy dumb thing.
Also, GoDaddy doesn't supply the canonical url in the certificate fields. Also, oddly, says it has the CA bundle, but does not appear to have it installed.
All these things led me on a hunt..... I think the SSL is not installed correctly and it may be the result of the server DNS configuration.... On trace the site pulls no IP or route. On lookup no IP either.... and there are no authority records. Then there is this ....
and thisQuote:
The server name or address could not be resolved
SSL request - No headers downloaded
Suggest the DNS be resolved correctly and the certificate reinstalled... with the CA it will need an IP and it has none.Quote:
Ping
[sourcetech.co.uk]
Bad destination
Bad destination
Bad destination
Bad destination
Bad destination
Bad destination
Bad destination
Bad destination
Bad destination
Bad destination
Average time over 10 pings: 0 ms
~Melanie
Do you have any other domains configured for SSL use, on the same server? Or is SSL entirely new for you?Quote:
Originally Posted by mikebackhouse
Hi Drbyte.. yes, this is completely new to us!
My MD is actually in charge of installing it etc.. and this is the first one we've done (that I'm aware of)
So it seems from mprough's comments that the SSL is installed incorrectly.
We've now had the domain name updated, so sourcetech.co.uk will forward to www. so that should all be working
Ok, stupid question of the day! - What does csshover.htc do? I have several zen cart sites set up, and NONE of them have this file, neither does my zen cart install folder or any of my templates! What does this do exactly? :wacko:
UPDATE: I've just noticed the csshover.htc file was in the includes folder, so now moved it to the route folder. is this going to help?!
One of the common SSL config mistakes I've seen is in relation to OpenSSL support not being enabled properly. And, of course, as others have mentioned, incorrectly configured or installed SSL certificates.
If you need assistance properly setting up SSL support on your own self-managed server, I recommend discussing it someplace where hosting and server configuration are the primary focus of discussion ... perhaps such as webhostingtalk.com
Once SSL is working correctly, your Zen Cart should automatically use it (when your configure.php settings are set to use it).
Hi all.. just been having a think.
Our web server runs IIS, and to get apache to work on it, we installed a program called "IIS MOD-RE WRITE" which tells IIS where to look for the website. Within the config file is a hard coded link to our website, I'm wondering if this might have something to do with the problems I'm having with my SSL certificate?
Has anyone ever come across IIS MOD-RE WRITE before?
DONE!! :clap::clap:
I can't really believe how I managed to fix it, in the configure.php file, I changed the http:// to https:// and its now working! How? Why? I have no idea!
define('HTTP_SERVER', 'https://www.sourcetech.co.uk');
define('HTTPS_SERVER', 'https://www.sourcetech.co.uk');
Thanks for all your help everyone! :smile:
So, now you're running your entire site in SSL?
I wouldn't call that a fix at all.
It may be a workaround, but certainly not a fix.
Did you try disabling your IIS addon for mod-rewrite simulation?
Oddly enough, my boss has just pointed out that the whole site is running SSL and wants that changing! I hadnt realised, but of course makes perfect sense!
So, back to square one. The IIS-mod Rewrite is a program running on our server which links the Apache server (running our zen cart sites) to IIS. We're looking to change the server soon to run soley run Apache. So if I disable it, it will kill all our Zen cart sites! not a great idea ;)
During my investigations I couldnt see any reason why this bit of software would prevent the SSL from running... :no:
Um ... I "get" that IIS-mod-rewrite is akin to the apache mod-rewrite capability.Quote:
Originally Posted by mikebackhouse
What I *don't* get is what you mean by "which links the Apache server to IIS".
If you're running BOTH Apache and IIS on your server, I'm not surprised that things are confuzzled, and would recommend you engage the services of a professional who has a specific understanding of the technical complexities of what you're doing and why ... and determine whether you really need to make it as complicated as it sounds like you've got it.
See, the problem is, we have a web server running which we've had for a while and need it to run IIS due to older websites we have on there, and that my MD has a good understanding of Microsoft technologies..
When we decided to go down the zen cart route, it became apparent that IIS wouldnt work with mysql etc.. So my brother came in (who has had over a decade of working with apache servers and is a general geek/software developer!) and installed apache, but of course this needed to link in with the existing IIS server, the only way of doing this was to install the IIS-mod rewrite (micronovae.com/ModRewrite/ModRewrite.html)
I realise this is a completely upside down way of doing it, in a perfect world we would have shut the server down, installed Apache from scratch, and installed IIS ontop of it, but that would have lead to too much downtime for our, and our customers websites.
Anyway, waffle over, bottom line is I cant see any reason why it should be creating any HTTPS issues as it clearly DOES work, just not how we would like it!
Hi All.. Still having problems
The current issue is that by setting the whole site to SSL, its putting a massive load on our server..
Does anyone have any suggestions? I'm wondering if its something to do with the images on the site? Is the image folder secure? Could Image Handler be the issue?
PLEASE HELP!! :no:
I'd be surprised if images were the sole problem; granted, ImageHandler does create additional PHP load on the server.
I'm still inclined to say that your problems are more specifically related to your server config.
I'm not sure how you came to that conclusion. In its default configuration, installing PHP and the PHP connector for MySQL should make MySQL available to PHP, which in turn allows PHP scripts running from IIS to be able to access the database fine.Quote:
Originally Posted by mikebackhouse
Granted, if you've got something else amuck, maybe that's interfering with the normal operation in additional ways also.
AAGGHH!!!.. my last remaining option for getting the damn SSL working hasnt worked!
I thought it would be the IIS ModRewrite, as it has a hard-coded link to http://www.blahblah...
But I have been informed by the software developers that this isnt the issue :no:
So, I've now switched off any sideboxes that contained hard coded http: links, been through the whole site checking for any hard coded links and got my server guy to re-install the SSL certificate..
And I'm still in exactly the same situation.. Please please can someone help me? I'm at a total loss, I either have SSL running on EVERY page of the site, creating a HUGE drag on our webserver and slowing our website down, or I only have it on the checkout but with errors, either way its going to lose customers... please please help! :(
Mike... we sympathise... but the one person who can help you (DrByte) has tried and given that you have a unique "arrangement" on your server, little more can be done without having direct access to the server - and I imagine that you'll need a guru to look into the issues.
How imperative is it that you host the ZC store on this server? Perhaps hosting on another server (incl box) may be the better option.
Consider even, hosting with someone else... ?
Ok.. It's not VITAL that its hosted on our own servers.. just a LOT more convenient! I really have no idea what's happening, but I will carry on..
We have a few ZC sites running on the server with SSL certifs.. and each one is having issues, so it must be something server-side. Ah well..
Thanks for all your help everyone.. looks like I must go-it alone! :P