SSL Configuration is broken in IE6 Only

[Guest Jason Robinson]

Hello friends,

Various aspects of this problem have been mentioned in different threads, but I haven't found a solution that fixes my problem yet.

After a great deal of blood & sweat (and a lot of help from the regulars on these forums — thank you! — I have finally established a perfect working install of CC 3.0.7 using PayPal Pro and a shared SSL certificate...

Perfectly working in Firefox or Opera, that is. IE6 is a bust.

All browsers (including IE6) work fine if SSL is disabled, and Firefox and Opera both work fine with SSL enabled.

But, when using Internet Explorer *AND* SSL is enabled, I run into the following errors:

• Unable to register a new customer account OR log in to an existing one (kind've like THIS PROBLEM) — I receive the security alert and am returned to the home page in a "logged out" state.
  
• Unable to log in to Admin section (kind've like THIS PROBLEM and THIS PROBLEM) — I receive the "No adminstration session was found" error.
  

Here are the details about these problems:

CUSTOMER LOGIN/REGISTRATION:

• After clicking "Login", I receive the familiar IE Security Alert box "You are about to be redirected to a connection that is not secure..."
  
• If I click "No", I return to the login page and nothing happens. If I click "Yes", I am silently returned to the (non-secure) store home page and remain logged out (Status in upper-right reads "Welcome Guest [Login | Register ]" ).
  
• The URL displayed in the Address bar is: "http://shop.browntowns.com/index.php?ccUser=6c892f9d578d2a467acca38e65c21d49". No double-slash, and in fact the URL looks exactly like the URL that appears when everything's working properly in another browser (though of course the string of hex is different).
  
• The details are exactly the same when attempting to register a new user.
  

ADMIN LOGIN:

• After clicking "Login", the page reloads with the message "No administration session was found." displayed at the top. My browser still shows that I am in a secure section of the site.
  
• The Address bar URL is: "https://brown_towns.secure.myhosting.net/admin/login.php?goto=https://brown_towns.secure.myhosting.net/admin/index.php" (rather than the "https://brown_towns.secure.myhosting.net/admin/index.php?ccUser=" it should be displaying.
  

OTHER THINGS YOU MIGHT WANT TO KNOW:

My configuration is as follows—

Admin Control Panel > Directories & Folders

Root SECURE Public HTML folder: /

Absolute SECURE URL: https://brown_towns.secure.myhosting.net

Server SECURE Root Directory: /var/www/domains/shop.browntowns.com/docs

global.inc.php

$glob['rootDir'] = '/var/www/domains/shop.browntowns.com/docs';

$glob['rootRel'] = '/';

$glob['storeURL'] = 'http://shop.browntowns.com';

• The errors are occuring when I test using IE 6.0.2 on WinXP, SP 2.
  
• I have tried resetting my DNS, clearing my IE cache, cookies, and setting security to receive ALL cookies, but to no avail.
  
• My hosting company tech support says they are able to log in and create new users just fine when they try to log in to the store, which *completely* baffles me, because I have tried to log in to the store on FOUR different computers using IE6, and have had the same problems each time. (I haven't been able to test using older versions of IE, or any browsers on the Mac platform).
  

I'd be interested to know whether any of you are able to log in and/or create a new user? You are welcome to try:

http://shop.browntowns.com

login: [email protected]

password: test

***

Thanks so much for taking the time to review this post. If I can't find an answer here, I'll take a ticket and see whether the CubeCart folks can help me out.

Cheers,

Jason

[email protected]

[Guest]

I tried to register an account and it appeared to work until it redirected me back to non secure homepage and i was still a guest

using xp and ie6

[Guest lcools]

Didn't notice any problems with safari 1.3 and Mozilla 1.7 fyi.

Leila

[Guest sunshine]

You have a Comodo wildcard for secure.myhosting.net. I'm on IE6sp2 and it gives me the nonsecure message too BUT if you change the path url to https:// and the name of your CCwebsite, it works. So this means you've got your path input in admin incorrectly because the CORRECT secure path leads me to your

This is your temporary index.html file.

Replace this file with your own index.html file.

Got to fix your path in admin. */*

[Guest Jason Robinson]

You have a Comodo wildcard for secure.myhosting.net. I'm on IE6sp2 and it gives me the nonsecure message too BUT if you change the path url to https:// and the name of your CCwebsite, it works. So this means you've got your path input in admin incorrectly because the CORRECT secure path leads me to your

This is your temporary index.html file.

Replace this file with your own index.html file.

Got to fix your path in admin.

Thanks sunshine! But actually (sigh), I *think* it's a bit more complicated than that...

After encountering this problem with IE and SSL, we purchased the Comodo SSL certificate from our hosting company, thinking that it was worth the money to avoid these Shared SSL problems. Unfortunately, *after* purchasing the certificate, the hosting company informed us that the cert can't be used in combination with CubeCart (they say the cert can only be configured on their Windows servers, but they only have PHP [and thus, CubeCart] installed on their LINUX accounts). So, I'm the proud owner of a dedicated SSL certificate that can't be used in combination with any application that relies on PHP. Lame? Yes.

My *actual* (shared) secure site is at:

https://brown_towns.secure.myhosting.net — try it out!

I did notice that the $glob['storeURL'] variable in my global.inc.php is set to http://shop.browntowns.com, which differs from the Absolute Secure URL entry in the Admin panel... On a whim, I tried setting $glob['storeURL'] to my secure address ( https://brown_towns.secure.myhosting.net ), but it just caused the connection to hang when I tried to log in.

(But perhaps this is a clue?)

***

Any other ideas?

~ Jason

[Guest sunshine]

H iJason,

The cert you are using for the domain mentioned above is a wildcard cert and is SAME one you are using in the link you provided in your last post here.

Unfortunately, *after* purchasing the certificate, the hosting company informed us that the cert can't be used in combination with CubeCart (they say the cert can only be configured on their Windows servers, but they only have PHP [and thus, CubeCart] installed on their LINUX accounts).

Your host is 100% incorrect in stating a Comodo cert can't be used with CC. This has absolutely no relevance when it comes to cert issuance. What does, is ensuring the path you want secured is specified during purchasing sothe cert can be made for the exact path and anything that follows thereafter. Now, this means, you either purchased a 'Wildcard' Cert, OR you just purchased a 'right' to use the hosts' servers wildcard cert and the reason it won't work is their wildcard cert is installed on THEIR server which is windows based. Did they ask you for pass phrase and such when you purchased it? Did you receive an email back with cert numbers? If you in fact, purchased a cert, you should be able to take it with you to whomever you decide to host with and it will work with any scripts that falls in line with the path to which you purchased the SSL for. Make sense? How much did you pay if you don't mind me asking? Comodo is a good cert, though chained, they are widely recognized but a little more dificult to install because of the extra ca bundle.

I forgot to mention the cert you are TRYING to use, is the one for myhosting(dot)(net).

[Al Brookbanks]

This is a tricky one. Maybe the solution is to completely turn the store into SSL mode all the time until a more indepth fix can be conjured up. This can be acheived by opening includes/sslSwitch.inc.php and adding:

After line 56:

$currentPageDir = $_SERVER['PHP_SELF'];

Add:

$enableSSl = 1;

This permanent switch to SSL is more server intensive but only problematic under very high server loads.

Another solution may be to buy a dedicated SSL Cert fron the hosting company if possible.

A longer term coding solution may be required once I've fully managed to bend my head around this issue.

[Guest Jason Robinson]

This is a tricky one. Maybe the solution is to completely turn the store into SSL mode all the time until a more indepth fix can be conjured up. This can be acheived by opening includes/sslSwitch.inc.php and adding:

After line 56:

$currentPageDir = $_SERVER['PHP_SELF'];

Add:

$enableSSl = 1;

This permanent switch to SSL is more server intensive but only problematic under very high server loads.

Another solution may be to buy a dedicated SSL Cert fron the hosting company if possible.

A longer term coding solution may be required once I've fully managed to bend my head around this issue.

Thanks for your quick response, Brooky... Unfortunately, the solution didn't work.

I followed your instructions, and the whole site is indeed encrypted by SSL now, which removes the IE Security Alert. But otherwise, the situation is exactly the same; I am still unable to log in as either a customer or an admin. Strange, yes?

~ Jason

[Guest Jason Robinson]

Unfortunately, *after* purchasing the certificate, the hosting company informed us that the cert can't be used in combination with CubeCart (they say the cert can only be configured on their Windows servers, but they only have PHP [and thus, CubeCart] installed on their LINUX accounts).

Your host is 100% incorrect in stating a Comodo cert can't be used with CC. This has absolutely no relevance when it comes to cert issuance. What does, is ensuring the path you want secured is specified during purchasing sothe cert can be made for the exact path and anything that follows thereafter. Now, this means, you either purchased a 'Wildcard' Cert, OR you just purchased a 'right' to use the hosts' servers wildcard cert and the reason it won't work is their wildcard cert is installed on THEIR server which is windows based. Did they ask you for pass phrase and such when you purchased it? Did you receive an email back with cert numbers? If you in fact, purchased a cert, you should be able to take it with you to whomever you decide to host with and it will work with any scripts that falls in line with the path to which you purchased the SSL for. Make sense? How much did you pay if you don't mind me asking? Comodo is a good cert, though chained, they are widely recognized but a little more dificult to install because of the extra ca bundle.

This is frustrating. From my conversation with MyHosting:

I am trying to set up a secure e-commerce site at shop.browntowns.com. I had a number of problems configuring shared SSL to work with CubeCart, and my client has just purchased a Comodo InstantSSL certificate in order to streamline the setup process. Currently, the domain 'http://shop.browntowns.com' is hosting our LINUX account, and is mapped to the directory 'http://browntowns.com/shop'. However, the secure domain 'http

s

://shop.browntowns.com' seems to be mapped to a nondescript index.html file at some other location. Please help me understand how to make our store appear under the SSL-secured 'https://shop.browntowns.com' URL.

> Unfortunatey the Comodo SSL certificates are only for the Windows

> portion of your accounts. You need to use the Vanity SSL.

So, is there any way to use this certificate with a CubeCart installation? How can I set up dedicated SSL with CubeCart?

> Only Vanity SSL Is supported on our Linux plans, which is means that our CubeCart, and ZenCart

> installations can only use the Vanity SSL certificate.

MyHosting didn't ask for a passphrase or any other info when generating the cert, so I don't believe I was ever actually given a certificate "of my own."

Here's what their site has to say about it (and the pricing info you asked about):

Q: How can I enable SSL in my site?

1. Use our shared certificate - your secure link will be similar to <a href="https://secure#.softcomca.com/domainname_com" target="_blank">https://secure#.softcomca.com/domainname_com</a> which maps to your original directory. With this configuration, FrontPage® Extensions won't work under secure connection. It costs US $9.95 to setup and US $4 monthly. You can sign up from your control panel at:
   
   
   <a href="http://support.myhosting.com/Upgrades/SSL/Shared.asp" target="_blank">http://support.myhosting.com/Upgrades/SSL/Shared.asp</a>
   
   
   
   With the SSL, we'll create a virtual directory that is mapping to your website's home directory. For example, if you have a form named form.html and you want it to be secured, all you would need is to put the link to it as:
   
   
   
   <A HREF="https://secure#.softcomca.com/domainname_com/form.html"> Form</A>
   
   
   
2. Purchase your own Comodo Instant SSL certificate through us.
   We'll take care of all the configuration and setup for you. All you need to do is pay the yearly certification fee, starting at only US$ 49.00 per year.
   
   
   You can sign up from your control panel at:
   
   
   
   <a href="http://support.myhosting.com/Upgrades/SSL/Comodo.asp" target="_blank">http://support.myhosting.com/Upgrades/SSL/Comodo.asp</a>
   
   
   
3. Get your own certificate. Your secure site will be <a href="https://www.domainname.com" target="_blank">https://www.domainname.com</a>. With this configuration, FrontPage® Extensions will work under secure connection. It costs US $30.00 to setup and US $4 monthly. Also, you'll pay for your certificate directly with the certificate authority (Verisign or Thawte or any other certificate authority). If you are interested in this option, please send an e-mail to [email protected].
   
   

After clicking the link given in option #2, I am presented with:

Secure your site with SSL and provide total peace of mind with variable Certificate warranties.

While using our shared SSL will provide 128-bit encryption, adding InstantSSL to your site will create greater trust with your visitors by conducting all secure sessions through your own domain (https://www.yourdomain.com).

If you sign up for InstantSSL Pro you not only get a higher warranty ($2500) but you also get the added benefit of the secure seal to the left which will display your organizations credentials.

With InstantSSL you get all the benefits and security of the other trusted SSL vendors without the cost.

After signing up, I received a message saying simply:

You currently have an InstantSSL certificate issued to www.browntowns.com

Does this seem weird to you? The lines in bold (emphasis added by me) seem to indicate to me that I was getting my own SSL cert, and I've never found a mention anywhere on their site of the fact that SSL won't work on the host's LINUX plans... When I purchased this option from them, I understood it to mean that I'd get a certificate of my own, and that it would be a full-fledged SSL solution.

But you're saying that isn't what I currently have? Please help me understand so I can draft my letter to them intelligently. Regardless, it baffles me that they would have things set up in such a way that it's impossible to use dedicated SSL with any e-commerce solution (or any other server-side software!) that requires PHP.

[Guest sunshine]

When you purchase an SSL, a passphrase is always required. You would also be sent your personal cert. if you have not been sent that, then i question whether you do in fact have your own cert. Maybe you do, but your not using it. What I see from your site, is a setup for a wildcard cert *issued* to myhosting(dot)com. My recommendation is to clarify exactly what you purchased and if you want to purchase something like RapidSSL for $30., I can guide you through installing it. Before you actually purchase one, let me know what your website url and your CC index (main page) so we can be sure you request the right path to be secured.

As for your above statement of your shop being:

http://browntowns.com/shop

I presume this is your CC. And if this is right, then your path to secure should be:

https://browntowns.com/shop and NOT 'https://shop.browntowns.com. This will not work.

;)

[Guest Jason Robinson]

My recommendation is to clarify exactly what you purchased and if you want to purchase something like RapidSSL for $30., I can guide you through installing it. Before you actually purchase one, let me know what your website url and your CC index (main page) so we can be sure you request the right path to be secured.

You've been so helpful, Sunshine... I'll PM you if I decide to purchase a cert and need your help installing it.

Regarding the weird morass of URLs... The CC files are in fact located at http://browntowns.com/shop, but they are installed on a Windows server that doesn't support PHP, which means that CC won't work. MyHosting.com's "solution" for this is to map a LINUX-based subdomain that *does* have PHP installed (http://shop.browntowns.com, in my case) to the Windows directory.

So, out there in ether-space, http://shop.browntowns.com/index.php and http://www.browntowns.com/shop/index.php are in fact the exact same file. It's all very silly, really.

I don't really blame CubeCart for being as confused as it is, given the nature of this hosting setup.

~ Jason

[Guest sunshine]

So, out there in ether-space, http://shop.browntowns.com/index.php and http://www.browntowns.com/shop/index.php are in fact the exact same file.

Hi,

Soooo they may be the same but.........

It looks like your host fixed it. Your store is completely in SSL mode which is no big deal. Your secure path is below. Check it out!

https://brown_towns.secure.myhosting.net

you may need to add a foward slash at the very end of that url

[Guest Jason Robinson]

A cap to finish off this thread...

Thanks *SO* Much to all who lent a helping hand (especially Brooky and sunshine!).

Brooky gave us a chunk of much-appreciated personal time on this issue and was himself unable to figure out the solution... In desperation, we finally pursued a weird whim, canceled our hosting account with MyHosting.com, and switched to a new provider, Dreamhost.

Voila!

Within a day, we had a functional test store up-and-running, using the latest version of CubeCart (3.0.8), an Instant SSL certificate from GoDaddy, and PayPal Pro!

Everything works *perfectly* now... Thanks Brooky for your hard work, and to the CC community for all of your help!

~ Jason