Guest Posted November 10, 2010

I have a private SSL that was installed by my host on my behalf. It is working fine and my site works fine with SSL, but I fail the PCI certification. I have a couple of weeks, and my merchant bank is automatically signing me up for a scan from their third-party vendor. I dislike thinking of paying two companies to scan my site.

If I go to mydomain.com, the URL changes to http://www.mydomain.com

If I go to the site catalog, like mydomain.com/catalog, it changes to http://www.mydomain.com/catalog

The login.php, logout.php, checkout_shipping.php etc... links to https://mydomain.com/catalog...etc...

If I manually enter the IP address of my site in the URL, like xx.xxx.xx.xx, it goes to http://ipaddress and works on every page too.

My problem seems to be that the https://IP address is not covered by my SSL certificate.

1st question: Is it trouble to edit the cert like I have seen people on here doing, for a private SSL? The purpose being to allow the IP address, unresolved by DNS, to work on the same certificate.

2nd question: Is there another way we should control DNS resolution, maybe a .htaccess filter to weed out any IP addresses? What are some thoughts?

Thanks for any help. I'm stuck here for hours and days. I will post my resolutions when they are clear.

Jack_mcs Posted November 10, 2010

> I have a private SSL that was installed by my host on my behalf. It is working fine and my site works fine with SSL, but I fail the PCI certification. I have a couple of weeks, and my merchant bank is automatically signing me up for a scan from their third-party vendor. I dislike thinking of paying two companies to scan my site.

If your bank will allow it, look into GoDaddy's new scanning service. It costs a fraction of other scanning services.

> If I go to mydomain.com, the URL changes to http://www.mydomain.com
> If I go to the site catalog, like mydomain.com/catalog, it changes to http://www.mydomain.com/catalog
> The login.php, logout.php, checkout_shipping.php etc... links to https://mydomain.com/catalog...etc...

I don't understand why you mention this since it seems to be working correctly.

> If I manually enter the IP address of my site in the URL, like xx.xxx.xx.xx, it goes to http://ipaddress and works on every page too.
> My problem seems to be that the https://IP address is not covered by my SSL certificate.

Correct. SSLs only work for the domain they are purchased for and never for IPs, at least that I am aware of.

> 1st question: Is it trouble to edit the cert like I have seen people on here doing, for a private SSL? The purpose being to allow the IP address, unresolved by DNS, to work on the same certificate.
> 2nd question: Is there another way we should control DNS resolution, maybe a .htaccess filter to weed out any IP addresses? What are some thoughts?

I don't understand your last two questions. DNS doesn't, shouldn't, play a part in getting an SSL to work. You purchase the SSL, install it, set up your configure files and you are done.

Guest Posted November 10, 2010

> If your bank will allow it, look into GoDaddy's new scanning service. It costs a fraction of other scanning services.
> I don't understand why you mention this since it seems to be working correctly.
> Correct. SSLs only work for the domain they are purchased for and never for IPs, at least that I am aware of.
> I don't understand your last two questions. DNS doesn't, shouldn't, play a part in getting an SSL to work. You purchase the SSL, install it, set up your configure files and you are done.

Thanks for your thoughts as I'm really stuck here. GoDaddy hosting PCI scan sounds good, probably fewer problems that way. When I was shopping around I took a list and sent off RFQs, about twenty, and went from there. Now I'm running one vendor and they are scanning the IP address and saying I don't have an SSL on my site. I can see that as the problem, but I don't have a line on a solution.

Guest Posted November 10, 2010

Chad,

GoDaddy is really good at installing the SSL for you if needed. Ensure your configure.php files state your correct domain name and URL and that you have this line correct:

define('ENABLE_SSL', true);

That is all that is required to enable the SSL for osCommerce.

Chris

Guest Posted November 10, 2010

> Thanks for your thoughts as I'm really stuck here. GoDaddy hosting PCI scan sounds good, probably fewer problems that way. When I was shopping around I took a list and sent off RFQs, about twenty, and went from there. Now I'm running one vendor and they are scanning the IP address and saying I don't have an SSL on my site. I can see that as the problem, but I don't have a line on a solution.

My host says:

"An SSL certificate on our system is installed directly to the domain name itself. The IP address points directly to the site but any https link using the SSL will need to go through the domain name. Although I don't see why not having the SSL on the IP address matters unless you are trying to use the IP in part of the site. It almost sounds like they are trying to require you to redirect traffic going to the IP address to the domain name, which can be done through a .htaccess redirect."

Ahhh... yes, makes sense!! Trying to do this thing... .htaccess redirect

Guest Posted November 10, 2010

> Chad,
> GoDaddy is really good at installing the SSL for you if needed. Ensure your configure.php files state your correct domain name and URL and that you have this line correct:
> define('ENABLE_SSL', true);
> That is all that is required to enable the SSL for osCommerce.
> Chris

Chris, thanks for the reassurance. I learn things as I go here. I think the next step is to get it from the source, what they want me to do.

That part is working like I expect: it goes secure when browsing the site during login and checkout, and if I go to a product page, that is displayed http://.... I think that is correct behavior.

My scanning vendor is scrutinizing this. If I am on the login page, or any other page for that matter, and then (for whatever reason) I substitute just the IP address for the domain name, leaving the rest of the path, it will refresh that page without the same SSL. It seems like they want me to go beyond that and make every page force SSL.

Sorry, everyone, it seems not to be a problem setting up the store. I have done the "how to secure your site" recommendations in the sticky thread, so I figured I'd give it a go.

MrPhil Posted November 10, 2010

You mention that you're trying to get PCI certified. Are you planning to use a payment gateway and merchant account to allow payment by credit card? Is that the most cost-effective way to do that, as opposed to using a Third Party payment system such as PayPal? If you don't handle credit card numbers on your own site, you don't have to be PCI certified. You still should have SSL, but that's easy.

Your SSL certificate is issued for a specific domain name (e.g., www.mydomain.com, or mydomain.com). Make sure your configure.php files exactly match this domain name for HTTPS_* entries. Don't even try to use IP addresses. And check your .htaccess for any URL redirection or rewriting (such as forcing http://www.mydomain.com to http://mydomain.com or vice-versa -- make sure it's not changing https: to http: as a side effect).

Guest Posted November 11, 2010

> You mention that you're trying to get PCI certified. Are you planning to use a payment gateway and merchant account to allow payment by credit card? Is that the most cost-effective way to do that, as opposed to using a Third Party payment system such as PayPal? If you don't handle credit card numbers on your own site, you don't have to be PCI certified. You still should have SSL, but that's easy.
> Your SSL certificate is issued for a specific domain name (e.g., www.mydomain.com, or mydomain.com). Make sure your configure.php files exactly match this domain name for HTTPS_* entries. Don't even try to use IP addresses. And check your .htaccess for any URL redirection or rewriting (such as forcing http://www.mydomain.com to http://mydomain.com or vice-versa -- make sure it's not changing https: to http: as a side effect).

Thanks for your reply, Phil.

I use PayPal on my eBay and they are good, lots of perks to that. I guess they have an awesome cart module too. I thought that they could do part of my transactions, but I figured that it would turn off some buyers if they had to sign up with PayPal to buy something from me. Honestly, I will have so many products that you can buy elsewhere that it's very important to have as smooth a checkout as possible. Will take time, I know. I have to make sure that I include a persistent customer DB for support and sales info, where the customer will see warranty info and updates. I crawl for now.

Gonna dig into Apache parameters for education so I can do specifically what I need:

Move Permanent on IP address of any page to a standard error page.

Move Permanent for non-SSL access to secure pages, in case someone deletes the s from https://www.mystore.com

Then, like you said, I need to redirect the pages http://mystore.com* (any page) to http://www.mystore.com*, also for https:// pages.

I've tried a lot of suggestions for .htaccess rewrites; so far they have only half worked.

I should be testing on my test server, but results may vary. I get a 500 page not found error on the live server if I add a <directory> tag, doesn't matter what's in there, and I guess the host has follow symlinks disabled. As for rewrites, they work in there, but what I tried doesn't fix the problem and I need to write a script that does this. Good thing I took notes on using Reg Exp that week in college.

MrPhil Posted November 11, 2010

> I figured that it would turn off some buyers though if they had to sign up with paypal to buy something from me.

Take a look at PayPal IPN. Supposedly a customer can buy using a credit card without signing up with PayPal. Just be sure to mention any place that shows a PayPal logo or name that No PayPal account required!

> Then like you said need to redirect the pages http://mystore.com* (any page) to http://www.mystore.com* also for https:// pages.

Just to repeat my point, it's that many examples of redirecting mystore.com to www.mystore.com (or vice-versa) are hardcoded to use http:, which can cause problems if the URL came in on https:. Just be careful that you don't mess up your SSL pages that way.

Guest Posted November 11, 2010

> Take a look at PayPal IPN. Supposedly a customer can buy using a credit card without signing up with PayPal. Just be sure to mention any place that shows a PayPal logo or name that No PayPal account required!

I have heard of this too. It's been 4 months since I looked at payment options. Will be using basic PayPal payment too. For certain I know that the difference for me would be about 50 - 100 bucks a month. I will revisit that when I look into merchant benefits like legal services, chargeback protection, and the many other services that banks are adding left and right lately. June is a good month to do that kind of research for me.

> Just to repeat my point, it's that many examples of redirecting mystore.com to www.mystore.com (or vice-versa) are hardcoded to use http:, which can cause problems if the URL came in on https:. Just be careful that you don't mess up your SSL pages that way.

I know it will work out with just .htaccess. Learning Apache directives now, so I don't mess with the default store functions. I think that's what you are getting at, "not" to mess with the hard-coded links. I have had confusion in this. I'm doing this crash-course style now. :thumbsup:

Guest Posted November 11, 2010

:rolleyes: OK, I learned something and have it straight now!

Mostly my problem was: .htaccess reads the top directory first (I had most of the rewrite conditions in the catalog/.htaccess). .htaccess reads the rewrite conditions top to bottom, which in my case made loops and superseded the output I expected.

That's about all there was to it. The stuff works; it's just a matter of where to put it. I didn't have to write any unique scripts after all. :)

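An added example, not part of the original thread and not any poster's actual file: a top-level .htaccess that follows MrPhil's warning about hardcoded http: redirects and the rule placement described in the last post. It assumes the certificate is issued for www.mystore.com (the thread's placeholder name), that the store lives under /catalog, and that the secure pages are the three named in the first post.

```apache
# Added example. Place in the document-root .htaccess, not catalog/.htaccess.
# Rules are evaluated top to bottom, so host canonicalization comes first.
RewriteEngine On

# Weak form (left commented out): the target scheme is hardcoded, so a
# request that arrived on https: is bounced back to http:.
# RewriteCond %{HTTP_HOST} !^www\.mystore\.com$ [NC]
# RewriteRule ^(.*)$ http://www.mystore.com/$1 [R=301,L]

# Corrected form: any Host header that is not the certificate's name
# (bare domain, raw IP address, anything else) is redirected to the
# canonical name on the same scheme the request arrived on.
RewriteCond %{HTTP_HOST} !^www\.mystore\.com$ [NC]
RewriteCond %{HTTPS} =on
RewriteRule ^(.*)$ https://www.mystore.com/$1 [R=301,L]

RewriteCond %{HTTP_HOST} !^www\.mystore\.com$ [NC]
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ http://www.mystore.com/$1 [R=301,L]

# If someone deletes the "s" from https:// on a secure page, send them
# back to the SSL URL. The page list is illustrative; extend it to match
# the pages the store serves over SSL.
RewriteCond %{HTTPS} !=on
RewriteRule ^catalog/(login|logout|checkout_shipping)\.php$ https://www.mystore.com/$0 [R=301,L]

# Note: if catalog/.htaccess contains its own rewrite directives, they
# replace these rules for requests under /catalog unless that file sets
# "RewriteOptions Inherit".
```

A client that connects to https:// on the raw IP address still sees the certificate name mismatch, because the TLS handshake completes before Apache can send the redirect; the rules only control what is served after that point.
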
Archived
This topic is now archived and is closed to further replies.