Has anybody got SSL working correctly?

[SkydiveUK24]

I have an SSL cert installed for my domain including the www. so all SSL pages need to be https://www.mydomain.com/shop/authentication.php?back=my-account.php etc. I have enabled SSL in the admin, however all SSL pages are redirecting me to https:// mydomain.com/shop/authentication.php?back=my-account.php and missing out the www. which is a big problem as it then displays a security message stating that the certificate is not for this domain and was issued for another.

Is there any way around this guys?

Any help, advice, any info at all would be appreciated and I need to have SSL enabled.

[SkydiveUK24]

OK, after a scout around a few places I think I have solved this problem by adding a permanent rewrite rule to .htaccess enabling pages to be redirected to www. mydomain.com

RewriteCond %{HTTP_HOST} ^mydomain\.com\
RewriteRule ^(.*)$ http://www.mydomain.com/$1 [R=permanent,L]

Is that solution ok to use permanently?

[Guest]

I'm just thinking if prestashop did test out the ssl setting before?

[Merchant]

SSL is working fine on the 2 shops we have.
We just selected the root as SSL map.

[Hoodgrown]

Merchant,
Pardon me being such a newbie, but how do you do that? I'm going to be setting up SSL in a few days and I have no idea where to even start. I couldn't find any real info on it so any information you can share would be appreciated.

[Pursuant]

Basically, just ask your host. They will usually set it up for you and thats all there is to it...

--Kevin

[Hoodgrown]

Thanks Kevin. I'll be doing that this weekend.

[Paul Reading]

I have asked my hosting company for SSL on my site, but they are asking me what URL to apply it to.

How do I answer this?

[Hoodgrown]

I have it working properly.

And what they're asking you is do you want it applied to

http://www.yourstore.com

or

http://yourstore.com


There's a difference. I would apply it to www.yourstore.com
and then use an .htaccess redirect to make sure that whenever someone types in "yourstore.com" it will automatically go to "www.yourstore.com"

Does that make sense? Lol

[Paul Reading]

On my site you can acess it by either

http://www.lightbulbsuperstore.co.uk
or
http://lightbulbsuperstore.co.uk


and if I do not what url should I ask them to apply the SSL to?

In which case do I need to edit the .htaccess file?

[Hoodgrown]

the ssl will only apply to one of them.. go with the "www" as people who are not web savvy are more likely to type in the "www".

As far as modding the .htaccess file

check here for that info

http://www.prestashop.com/forums/viewthread/16037/general_discussion/mystore_dot_com_to_automatically_redirect_to_www_dot_mystore_dot_com

[AnimeCYC]

When you buy a security certificate and add it to your domain it should work on both www.yoursite.com and yoursite.com as they are the same domain. Your certificate will cover both, I'm not sure why you would think it would only cover one end of your site. the WWW in the url doesn't change the location of the site it simply states that this site is on the World Wide Web and is not on an Intranet. For instance the security certificate I have for my clients site is registered to: www.medtress.com but will function the same if you were to visit medtress.com. As Merchant implied you may have a certificate that was not configured correctly ask your host to fix this for you. Out of the box PrestaShop's ability to discern between http and https is not that great and will result in you getting those security errors because you may have an linked item that carriers the http protocol and not the https protocol. I have developed a module based off of someones fix on this forum and it works beautifully to properly redirect to the correct protocol. I will post it as soon as I get time. If my information is wrong please correct me cause I can be really stupid at times lol

[Hoodgrown]

When you buy a security certificate and add it to your domain it should work on both http://www.yoursite.com and yoursite.com as they are the same domain. Your certificate will cover both, I’m not sure why you would think it would only cover one end of your site.

Not true. I guess it depends on the cert you use. I've purchased more than a few certs that would only let you use it on one or the other. Then again most of the certs I've purchased have been really inexpensive... $10 - $20 per year.

I don't think it's that big a deal.. it's better for SEO purpose to settle on either "www.yourstore.com" or "yourstore.com" as multiple instances can hurt your ranking.

[AnimeCYC]

When you buy a security certificate and add it to your domain it should work on both http://www.yoursite.com and yoursite.com as they are the same domain. Your certificate will cover both, I’m not sure why you would think it would only cover one end of your site.

Not true. I guess it depends on the cert you use. I've purchased more than a few certs that would only let you use it on one or the other. Then again most of the certs I've purchased have been really inexpensive... $10 - $20 per year.

I don't think it's that big a deal.. it's better for SEO purpose to settle on either "www.yourstore.com" or "yourstore.com" as multiple instances can hurt your ranking.

You should be able to add an alternate name to the certificate. Most commonly you would get the certificate registered to www.yourdomain.com, and would add the alternate domain yourdomain.com both of these URLs would be on the cirtificate. An example:

Subject = www.medtress.com
Subject Alternative Names = medtress.com
Issuer = UTN-USERFirst-Hardware
Serial Number = 273D59D59D9D8AD3A4264B569BE74C0F
Key size = 1024 bit
Signature algorithm = SHA1+RSA (good)

Notice the alternative name.

[Hoodgrown]

I understand what you're saying.. and that should be the case.. but the fact is.. it's not in all cases. I'm going to pose the question to my host who can probably answer it a lot better and post it here.

[AnimeCYC]

Hopefully the answer your host gives can shed light one this lol personally I haven't dealt with a certificate that didn't allow for an alias name.

For clarification when you mentioned the price range in which you bought your certificates I assume you purchased a single-site certificate if so then you would be correct in saying that you would be unable to use the alias yourdomain.com. Alias names are only available on SAN certificates.

[Hoodgrown]

My hosting company stated:

It's because of the distinction made by a webserver between the www. and the 'non-www' version. Let me explain:

The Internet has exactly one root, referred to as '.' (dot). You never see this because it is implied in most situations and thus omitted. It does however show up in things such as the configuration for BIND (DNS server software). Basically, there are master DNS servers for each TLD. TLD stands for Top Level Domain. A TLD is something like com, net, org, info, fm, biz, us, etc. http://www.com is a valid URL (try it!). To look up how what the IP of www.com, your computer first queries your local DNS server, which then would query your ISP's DNS server, which would eventually (if no records could be found) query a root server for the COM TLD. The reason this matters is that www.domain.com has a different DNS record than domain.com. www.domain.com is a member of the superset domain.com, however, the two are not mutually exclusive (www.domain.com is absolutely a subset of domain.com, however, domain.com could also have ftp., mail., etc.)

You can read a bit more about how DNS works here: http://cr.yp.to/djbdns/intro-dns.html

There are also Wildcard certificates which cover *.domain.com, but sadly, * cannot equal null (plain domain.com does not fall under *.domain.com).

There ARE companies that offer certs that work with both 'www' and 'non-www' domains, you can find them with a quick google search:

http://www.google.com/search?rlz=1C1GGLS_enUS310US310&sourceid=chrome&ie=UTF-8&q=SSL+cert+www+non+www

Let us know if that doesn't make sense.

[AnimeCYC]

What they said makes perfect sense, when purchasing your certificate just make sure you purchase one that would allow for subject alternate names such as a SAN, EV, or WildCard. As for the DNS info they gave I guess you learn something new everyday thanks for asking your host.

[Hoodgrown]

Hey, I need to know as well.

[prestauser9]

Though it isn't listed on their site, when I bought a godaddy turbo ssl certificate, it allowed for both www and non-www, so this maybe helpful for those looking for a cheap ssl certificate.