SSL Issue

[nishajh]

My wesite was moved to another server in bluehost. It is SSL enabled.

Changed the configuration file to the follwing

/**
* Enter the domain for your store
* HTTP_SERVER is your Main webserver: eg-http://www.yourdomain.com
* HTTPS_SERVER is your Secure/SSL webserver: eg-https://www.yourdomain.com
*/
define('HTTP_SERVER', 'https://www.sonasiya.com');
define('HTTPS_SERVER', 'https://www.sonasiya.com');

The issue I have now is sometimes the site gives the error connection not secure and halts.

When I checked the site http and https versions in

https://cheapsslsecurity.com/ssltool...er.php#results

it gives 2 different SSL

http://www.sonasiya.com
- gives hosting company SSL

Common name: *.bluehost.com
SANs: *.bluehost.com, bluehost.com

The domain name does not match the certificate common name or SAN!


https://www.sonasiya.com

Common name: sonasiya.com
SANs: sonasiya.com, www.sonasiya.com

How to fix this?
Thanks

[gohealth]

Hi, looks like the issue is with FORCE HTTPS on your webserver (ie, your webserver is not forcing the use of SSL.)

You may want to add a redirect to ensure a secure connection is used:

RewriteEngine On
RewriteCond %{HTTP_HOST} sonasiya\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.sonasiya.com/$1 [R,L]

Add to your .htaccess file.

Check out this link:
https://www.whynopadlock.com/results...2-559aa7aa2b1b

Chris

[nishajh]

Thank you for the response . I add this in htaccess in Public_html. Now added it to htaccess in /includes also.

RewriteEngine On
RewriteCond %{HTTP_HOST} sonasiya\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.sonasiya.com/$1 [R,L]

But while browsing the catalog I get 404.html and shows connection not secure. On looking at the certificate I see that it is connected to certificate to bluehost (hosting company) rather than my company certificate

[nishajh]

To add to my previous post.

Redirect is working in the website. Chrome is redirecting the link to https: but not always. Sometimes the link stops giving unsecured content error. Firefox shows error 404 some time redirects with out issue. Why is the site calling http instead of https: at certain times?
Is there any change to be done in ./includes/function/html_output.php or any other file? I checked for http in files and did not see any coded links to http.
Thank you so much

[mc12345678]

What is the setting for ENABLE_SSL in the file includes/configure.php and then similar for the admin, or rather just provide everything down to just before the first DB_* related constant... The name of the admin directory should not be present if the system has been properly maintained.

[nishajh]

define('ENABLE_SSL', 'true');

my site hits page 404 when I click on additional images in the product info page and go to listing or any page.

When I try to view the image
http://www.sonasiya.com/images/newit...0/9067DM_1.jpg - not found 404
https://www.sonasiya.com/images/newi...0/9067DM_1.jpg - ok

[mc12345678]

While there was a suggestion about how to force HTTPS, it is often recommended to use the method suggested by the host. Not sure if this will have an effect, but on their site: https://my.bluehost.com/hosting/help...-ssl-all-pages

They recommend:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This is different than reviewing for port 80...

To try to force to include www.:

Code:

RewriteEngine On

RewriteCond %{HTTP_HOST} !^www.sonasiya.com$ [NC]
RewriteRule ^(.*)$ https://www.sonasiya.com/$1 [L,R=301]

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The new information came from: https://my.bluehost.com/hosting/help...s_redirect#www

The above accomplishes both checks/corrections.

The first identifies that the domain name is not the final desired domain name (will not work well if there are two or more domains and/or sub-domain in this path of files), the second forces secure communication if it is not currently active. Both are from the bluehost site.

It does seem like there is some sort off certificate/session setup issue. Just tried to use ssllabs.com to evaluate the site and it has had problems. Just did an internet search for sites hosted at the same location and although the server responded identifying that the server supported TLS 1.0 and 1.1 capping the grade to a B, the evaluation got further than before. This site was: lohp . berkeley . edu

[swguy]

It does seem like there is some sort off certificate/session setup issue.

WPPro from Bluehost seems to have some weird SSL issues (at least in this case). I suggested to the OP to find a new host, even at the cost of having to give up an existing hosting account and SSL cert.

[dbltoe]

Considerations:

With the ease of SSL acquisition and the tendency of Search Engines (SEs) to penalize the lack of SSL initiation and site duplication, https://docs.zen-cart.com/user/first_steps/hosting/ is a good read.

It's best for your site to resolve to only one location. Without specifying where you want the browser to go, it has four choices:

1. http://www.your_site.com
2. http://your_site.com
3. https://www.your_site.com
4. https://your_site.com

Your your SSL, two configure.php files, and your redirect all need to match one of the four above. Otherwise, all sorts of strange things can occur with customer/admin logins.

Recommendation:

Determine the setting of your SSL -- www, non-www, or both.
If both, pick whether to use the www or not. In today's internet, www is seldom used. Kind of like the you when someone says, "Go!". The "you" is understood and not really needed.
Once you have decided on www or none, make sure your two configure files match your choice.
If you do not have cPanel (or a similar controller) to set your redirect, there's a nice tool for setting your site's redirection to SSL and the correct www decision at https://websiteadvantage.com.au/HtAc...rect-Generator

[carlwhat]

WPPro from Bluehost seems to have some weird SSL issues (at least in this case). I suggested to the OP to find a new host, even at the cost of having to give up an existing hosting account and SSL cert.

i agree that finding a new host is a good idea. this should not be that hard with a competent host.