SSL problems

Permalink
I have installed an SSL certificate on a legacy 5.6 site and am unable to get the site configured properly to work with it. I've combed through the forums and have tried forcing SSL via htaccess as follows (replacing mysite, of course):

RewriteCond %{HTTP_HOST} mysite\.org [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://mysite.org/$1 [R,L]


and also have tried adding a define('BASE_URL' in the site.php config file and neither approach has helped. I've also installed the Force SSL add-on to test a particular page (per a recommendation from John the Fish on a different forum post) and that also did not work. Prior to doing any of this, I cleared the cache and turned caching off. So that the site is not down completely, I've had to revert all these actions to the prior settings and it is working in the non-SSL version currently. The AutoSSL certificate appears to be installed correctly and has passed all tests.

What else do I need to do to get SSL to work?

Thanks.

sherri333
 
hutman replied on at Permalink Reply
hutman
Can you explain what you mean by it "doesn't work"? Any of these methods should work on 5.6 but it could be an issue with your theme that causes the site to contain insecure content.
sherri333 replied on at Permalink Reply
sherri333
By "doesn't work", I mean that that upon changing the settings in the htacess file to force the ssl, the site is immediately inaccessible, displaying a browser error about it being insecure. As soon as I restore the previous htacess file, the site displays fine, although only as an http (non-SSL) site.

What might be wrong with my theme to cause this?

Everything I have read so far has pointed to htaccess and the site config file settings for what needs to be done to get the site to use SSL. From personal experience with Concrete5, I have seen all kinds of issues arise due to how Concrete5 caching is set up, so not sure if its also related to that.
ConcreteOwl replied on at Permalink Reply
ConcreteOwl
"displaying a browser error about it being insecure."
This happens when you have a secure site with insecure links (http instead of https)
What is the url of your site so we can take a look..
sherri333 replied on at Permalink Reply
sherri333
Actually, a more accurate description of the problem is that the site is displaying redirect errors as soon as I add the force https code to the htaccess file. The code was recommended by the hosting company but I have also tried the same or similar code as recommended byhttp://www.whynopadlock.com/

Currently, in order to keep the site up and running, I have removed the htaccess https code. I don't feel comfortable posting the site URL on this forum but if you are able to assist via private message, that would be appreciated.

Here is the code I added to the htaccess file (that does not work):
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://example.com/$1 [R,L]
jasteele12 replied on at Permalink Reply
jasteele12
Try this, it's not hostname specific, removes the www. and has your hosting specific cPanel and PKI URIs skipped (although why those would not be SSL secured seems strange).

The final RewriteRule might be slightly different depending on your host.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
      # skip these URIs (hosting specific non-SSL)
   RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
   RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
      # -- force SSL and remove wwww
    RewriteCond %{HTTP_HOST} ^www\. [NC,OR]
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
    RewriteRule ^ https://%1%{REQUEST_URI} [R=302,L,NE]
        # -- concrete5 urls start --
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME}/index.html !-f
    RewriteCond %{REQUEST_FILENAME}/index.php !-f

The SSL and www. removal has worked for many of my clients on very different hosting providers...