Using free Certificates from startcom.org (startssl.com) & DirectAdmin with https and ssl

[uddhava]

Although this post has nothing to do with Prestashop security, i hope it will address the many posts in this forum about certificate warnings when using https/ssl in Prestashop. I will put forth my experience with certificates from startssl.com in combination with DirectAdmin. I think a lot of providers are using DirectAdmin, Plesk or cPanel.
Please contribute your experience!

If you are running a shop/business, you like to be as secure as possible. And people also starting to demand it. And having a secure website could even improve sales.
Depending on the payment module that you have installed in Prestashop you might need/not need a secure website. The choice is yours of course, unless one of your payment modules requires a secure connection. For example when you use Paypal, or iDeal (dutch pay system) then you dont need a secure connection. They provide their own secure environment. But i read somewhere on the forum that you do need a secure site for Google checkout (anybody can confirm this?)

Free Certificates vs Paid ones
I found a very good post by Yousef that deals with this, so read along if you like here:
http://www.prestashop.com/forums/viewreply/202607/

Ok, so i decided to go with a free certificate from startssl.com. The free certificates are valid for 1 year and need to be extended after that. These are Class 1 certificates. That means that they are only confirmed for that particular domain. In other words it is not validated on your private name/business. If you need that, then your only choice is to pay for a private/business registred certificate. You can buy them also at startssl.com, or godaddy, comodo.. There are many choices.

But for now i stick with the free certificate. When you apply for a free certificate, and your account has been validated, then you can start to validate your domain. Remember that you can only register your certificate on 1 subdomain (incl www). If you want more then you need to buy a Class 2 crt. After the wizard finishes you should have the following keys and certificates :
* private key (encrypted)
* ssl certificate
* Root CA certificate (ca.pem)
* sub.class1.server.ca.pem

After you need to decrypt your private key. You can do this in the Control panel on the startssl.com website.
After that lets go back to DirectAdmin

DirectAdmin
Before you can even use SSL you need a few things. I posted these requirements in this post.


So when SSL has been setup for you, we open the ssl settings in the DA panel.
In the first window you have a choice to:
* Use Server certificate
* Create your own certificate / create a cert request
* Paste a pre-generated certificate and key

We will use option 3 - paste our pre generated cert and key. Paste your Private Key and SSL certificate under each other. Click "Save". The certificate will be checked and hopefully be installed correctly. If you get errors, you need to recheck your certificate and key. The key should start with this line:
-----BEGIN RSA PRIVATE KEY-----
And the certificate should start with : ----- BEGIN CERTIFICATE-----

Next is to install the Root CA certificate. Below the key window there is a link that reads :
"Click Here to paste a CA Root Certificate" Click there and paste your "sub.class1.server.ca" certificate. Do not use the Root CA certificate. That will not work, at least not for me/this server.

When thats done, it ready to test your secure website. But leave a couple of minutes for the server to install the certificates. Switch your Prestashop to SSL mode (BO > Preferences > Increase security SSL).
Now fire up another browser. Clean the cache/cookies, certificates, etc etc. And then try it out.
If evertything goes smoothly you should not get a certificate warning in your browser. If you do, then start over ;-)
Remember that only a few pages in your website are using ssl. My Account, Your cart and the login page. Be sure to access these ones before saying hooray!

good luck

Ref : Direct Admin SSL : http://www.site-helper.com/ssl.html

[uddhava]

When you browse your site in ssl then the browser should display a lock icon, or a blue/green bar in the URL address bar. This of course depends on the browser. In FF (3.6.12 on Mac) my site shows a Blue bar. On the startssl.com website it is mentioned that if you like to have a Green Bar, then you need to get a Class 2 certificate. Then you have a nice green bar in FF.

[myhero]

Hi there, Ive installed a certificate from startssl.com - installed the certificate & decrypted + installed the private key on my Apache server then activated ssl in the BO. But when I click on a 'secure' page i.e. Contact-Form it gives me the error below:

Please visit www.techhero.co.za and have a look see.

Tx

Secure Connection Failed






An error occurred during a connection to www.techhero.co.za.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)






The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

EDIT: Ive installed the CA root certificate in the browser too, but still no success

[uddhava]

Seems like the SSL certificate was not properly installed at your server or in DirectAdmin

[myhero]

Thanks will have a look

My server uses Cpanel

[fantasik]

Nice article, I just have a stupid question. I have a startcom profile and I bought a class2 but I can't find

* Root CA certificate (ca.pem)

* sub.class1.server.ca.pem

 

Where is that ? or how can I create ? I cannot see any information about this.