SSL - setting up for a beginner

[calvinorr]

Based on feedback from customers, I really need to implement SSL on my site. However I do not know enough about this technology to understand how to implement it properly in Prestashop.

I am running on a Linux server and my host offers SSL - although this is the only info available

"On our Linux SSL server, the full path is as follows:

/home/default/DOMAIN.ssl-01.com/user/htdocs"

From searching the forum I see there are some problems with SSL - so wondered what question do I need to ask my host first.

Assuming my host can provide me with the appropriate SSL package - is it as easy as turning on the SSL switch in the Back Office-Preferences - or is there more (much more) to it.

[Paul C]

From what you've said then I suspect that there's more to it indeed

It would appear that your host offers shared ssl? If that is the case then some configurations are a nightmare to implement and that's true regardless of the shopping cart you're using!

"Proper" SSL would involve getting a dedicated certificate, and would require your site to have a unique IP address. In this case the only difference between the urls between "normal" mode and "secure" mode is the protocol. i.e. http://www.example.com for "normal" and https://www.example.com for secure.

Paul

[MarcusC]

Does Prestashop validate the requested protocol? If not SSL won't be that secure as it should be.

[EnigmaPsi]

Well, I don't know if you have solved your problem, but in case you dind't, here's what you need to do:

1. Request a unique IP from your hosting provider. That is, a dedicated IP. SSL on Apache does not work with shared IPs.

2. You need to generate a private Key (if the host runs CPanel- very common nowadays) this is very simple - just fill your information there (see SSL manager). Otherwise, search on google on how to generate it. You should avoid public online tools that do this. Take care to generate the key with your exact domain name (that will be used on your e-store). Kepp this key private - do not ever share it to anyone.

3. You need to generate (based on your key) a certificate signing request (CSR). This is easily done from CPanel interface, but there are other ways to generate it if this is not available. Just check Linux openssl docs.

4. Buy a SSL certificate. There are very cheap providers nowadays - the cheapest ones are about 19$ or so per year. Take care that, if you buy from cheap providers, you need to do more work - you need to install what is called a certificate chain together with your own cert (providers give you information about this on their website once you bought a cert). Try to buy your cert from a Root Certificate Authority, even if they are a little bit more expensive.

The SSL certificate is generated based on the CSR generated above (see pt. 3).

5. Install the SSL cert. In CPanel, this is easily done, from SSL manager. Otherwise, the host might install it for you (they usually do this, in order for users not to mess up their servers). Manual instalation means editing your Apache vhost configuration file.

Keep the key, as you will need it in order for the cert to work.

A final note about certs: cheap certs are only useful to secure your connection (through SSL/TLS) and certify that the cert matches for your domain. More expensive certs ($500 or so) certify that the domain really belongs to your company - you need to mail documents to the provider to certify this, and they will check if you really have a legal entity that bought the domain.

Hope this is usefull.

[hydra]

From what you've said then I suspect that there's more to it indeed

It would appear that your host offers shared ssl? If that is the case then some configurations are a nightmare to implement and that's true regardless of the shopping cart you're using!

"Proper" SSL would involve getting a dedicated certificate, and would require your site to have a unique IP address. In this case the only difference between the urls between "normal" mode and "secure" mode is the protocol. i.e. http://www.example.com for "normal" and https://www.example.com for secure.

Paul

Most shopping carts have no problem at all with shared ssl. The ONLY shopping cart i know off that has these problems is Prestashop. I am running 9 shops with Zen-Cart and Magento and they are all on shared SSL.
I can imagine that the developers of Prestashop have better things to do right now than to fix this, but i surely hope that it gets fixed quickly.

[zac]

1. Request a unique IP from your hosting provider. That is, a dedicated IP. SSL on Apache does not work with shared IPs.

Does this consider the whole server or only the certificate. My shop is on a shared server, so I have no unique server IP. But my SSL certificate has of course an unigue IP. Is this working?

[sting5]

Does anyone know if this issue was fixed on newer versions of Prestashop? I can't just buy most expensive package (virtual private server that is), just to run the shop with SSL. It makes no sense!

 

Sadly, it wasn't. Virtual private server is required (or unique IP) for SSL to work properly. No workaround on this one.

Edited October 5, 2013 by sting5 (see edit history)