How can I enable HTTP Secure (HTTPS) for a Drupal 7 site I am working on?

Category: Drupal 7

jeremy_steel
Asked:
2013-07-23 6:26 am EST

Hits: 7,561
I am working on a Drupal 7 site that has some basic e-commerce functionality. I want to enable the entire site to be HTTPS. The plan is Business Class Hosting Launch. I have read how to obtain a shared SSL certificate. However Drupal instructions mention "configuring the server" and apparently the hosting company does this.

Can you advise me what I need to?

Thanks in advance... :)

You must login before you can ask a follow up question.

You must login before you can submit an answer.

OTHER ANSWERS

0

Arn
Staff
15,484 Points
2013-07-23 1:22 pm EST
Hello Jeremy_steel,

Thanks for the question! Yes, you can use a shared SSL certificate. The Shared SSL certificate is preset, so there is no configuration done on the server side. Please review our article on Shared SSLs in order to determine the URL that you would use for your site. Note that a shared SSL is NOT the same URL as the URL that you have setup for your site initially. So, you may need to also set a base URL setting in the settings.php file of your Drupal installation. I found the following instructions with someone who had also asked the same thing in forums online:


  1. Determine your shared SSL (as per the article above)

  2. Once you know your Shared SSL URL, you will need to determine your Drupal installation directory as it applies to the shared SSL. For example: If your ssl path is https://bizXXX.inmotionhosting.com/~username, and you installed your Drupal site in a folder called 'Drupal', then your path would be https://bizXXX.inmotionhosting.com/~username/Drupal. If you installed your site to the default directory (public_html), then you would not need to change the shared SSL path - it would remain https://bizXXX.inmotionhosting.com/~username.

  3. Edit the settings.php file in your sites/default folder

  4. Follow the directions to allow Drupal to use SSL (Drupal HTTPS information

  5. Add the following line (there should be an example of it in the file already): $base_url="https://bizXXX.inmotionhosting.com/~username/...)


NOTE: Make sure to use the correct shared SSL path - the URL I used in the steps above is simply an example and not the actual path.

That should be all you need to make it work. It's highly recommended that you simply purchase an SSL since the actual secure path is not the same as your URL, so it may look suspect for some users. SSLs are not as expensive as they once were and are well worth their cost, especially if you are conducting any type of ecommerce.

I hope this helps to answer your question! If you require any further assistance, please let us know.

Regards,
Arnel C.

You must login before you can post a comment about this answer.

Hi Arnel,

thanks for you help. I have worked through the instructions you provided.

1. I worked out the URL for the shared SSL from InMotion Hosting guide (going from "http://bizXXX.inmotionhosting.com/~my_user_name" to "https://secureXXX.inmotionhosting.com/~my_user_name".

2. I installed my site to the default directory (public_html) and so the SSL shared directory is "https://bizXXX.inmotionhosting.com/~my_user_name".

I then configured Drupal 7 to run clean URLs. What happened was the shared SSL url only works for the homepage. All other pages return an Error 404 message. The regular "non-SSL" pages still work with the clean urls.

I checked documentation on one of the links you listed (https://drupal.org/https-information) and it says that

"If you enabled HTTPS and it only works on the homepage and your sub links are broken, it's because the VirtualHost:443 bucket needs AllowOverride All enabled so URL's can be rewritten while in HTTPS mode."

I want to support both HTTP and HTTPS on my site and so I am thinking this latest problem is server configuration. Can you just confirm server configuration. If the server is configured to support mixed-mode HTTPS and HTTP sessions then it means the problem is at my end. By the way I am using Ubercart SSL module for the mixed-mode HTTPS and HTTP sessions.

Again thanks for your help.
jeremy_steel
25 Points
2013-07-24 10:29 am EST
Hello jeremy_steel,

Most, but not all settings for AllowOverride are available. We are happy to help, but we would need more information to provide a specific answer.

What is the full error/issue you are experiencing?

Do you have a link to the page where we can view this error?

Also, in this guide on the official Drupal site, in the section titled Drupal Configuration it gives several options for mixed mode. Which method are you using?

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
johnpaulb-imhs1
7,266 Points
Staff
2013-07-24 12:16 pm EST
Hi Jean-Paul,

thanks for your reply.

I guess the full error/issue is twofold:

1. The broken links when using https I mentioned previously.

2. When I configure Ubercart SSL (entering both "Secure Domain Name" and "Non-Secure Domain Name"), I receive the following alert:

"Ubercart SSL (uc_ssl): The uc_ssl_check() function is returning FALSE because it was unable to contact the SSL (https) version of your website that you defined in the settings. This can be caused by 3 things. 1. Your website is not setup properly for SSL, 2. The OpenSSL extension is not enabled on in your PHP installation, 3. allow_url_fopen is not enabled in php.ini. If #2 fails, uc_ssl will try to use file_get_contents() which requires allow_url_fopen to be set to TRUE in php.ini. Hopefully these hints will help you fix this issue so that you can use uc_ssl. You can try to debug this by going to https://secure139.inmotionhosting.com/~username//?uc_ssl_check=1
CRITICAL ERROR! The domain you entered for the secured domain came back as non-secure or it does not point back to this installation of drupal. Your secure domain name MUST be setup and MUST be pointing at this install of drupal."


For Drupal configuration I am using option 2 on the page you mention. It says:

"For even better security, leave $conf['https'] at the default value (FALSE) and send all authenticated traffic through HTTPS and use HTTP for anonymous sessions. Once again contributed modules like 443 Session or Secure Login can help you here. Drupal 7 automatically enables the session.cookie_secure PHP configuration on HTTPS sites, which causes SSL-only secure session cookies to be issued to the browser."

However instead of the modules "443 Session1 or "Secure Login" I am using "Ubercart SSL".

It would be great for you guys to take a look at the actual site. I am using Ubercart and I am testing with Paypal sandbox. The e-commerce is working fine. However it is still being tested and so I don't want to make it public right now. Can I give you guys confidential access to the site?

Again thanks for all the help.
jeremy_steel
25 Points
2013-07-24 3:03 pm EST
My apologies for the mistake with your name John-Paul :(
It has been a long long day trying to solve this problem...

jeremy_steel
25 Points
2013-07-24 3:10 pm EST
Hello jeremy_steel,

If your site is not live on our servers yet, the shared SSL will not function successfully. Also, I would recommend trying one of the modules they list in the article "443 Session1 or "Secure Login" to see if you get a different affect.

We would be happy to take a look, you can email your site information to docs@inmotionhosting.com

With the Subject: jeremy_steel

Then, post a comment letting us know it has been sent here on this forum post.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
johnpaulb-imhs1
7,266 Points
Staff
2013-07-24 3:29 pm EST
Hi John-Paul,

the site is live on your servers. I sent an email with details.

Thanks

Jeremy
jeremy_steel
25 Points
2013-07-24 3:46 pm EST
Hello jeremy_steel,

I checked the file mentioned in the Drupal Guide (sites/default/settings.php) on enabling HTTPS, and it was not updated:

The article states "If you want to support mixed-mode HTTPS and HTTP sessions open up sites/default/settings.php and add $conf['https'] = TRUE;"

According to the tutorial you have to add this line to the file:
$conf['https'] = TRUE;

But since you are following option 2 of the guide, it says to set it to "False":
"For even better security, leave $conf['https'] at the default value (FALSE) and send all authenticated traffic through HTTPS and use HTTP for anonymous sessions. Once again contributed modules like 443 Session or Secure Login can help you here. Drupal 7 automatically enables the session.cookie_secure PHP configuration on HTTPS sites, which causes SSL-only secure session cookies to be issued to the browser. "

So you should edit the file:
sites/default/settings.php

Then add the line of code:
$conf['https'] = FALSE;

Also make sure you are entering the correct secure address for your Shared SSL in the sites/default/settings.php.

I recommend following these steps, then letting us know if it works successfully, or you get a different error.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
johnpaulb-imhs1
7,266 Points
Staff
2013-07-24 5:03 pm EST
Hi John-Paul,

previously I had modified settings.php as suggested but it made no difference, so I left it unchanged. I tried again today and still no solution. I also tried changing the RewriteBase settings in the .htaccess file and $base_url in settngs.php but neither solved the problem.

I can outline what I did yesterday:

I began by sourcing the two recommended modules Secure Pages and 443 Session.


Secure Pages
After I installed Secure Pages module I tried to configure it but the "Enable Secure Pages" option is grayed out and says: "To start using secure pages this setting must be enabled. This setting will only be able to changed when the web server has been configured for SSL." As far as I know the web server is configured for SSL and so I do not know what is going on here.

443 Session
I then sourced the 443 Session module but it hasn't been released for Drupal 7. It also says that for the type of site I am doing (mixed HTTP and HTTPS) it isn't recommended. It says:

"Since 443 Session module uses separate session cookies for HTTP/HTTPS this means that when a user navigates from an HTTP page to an HTTPS page any session data will appear to be lost. This makes this module unsuitable for running an e-commerce site where most pages are HTTP except for the checkout which is HTTPS. In this case the user's cart contents would appear to be lost when they go to checkout. For this scenario please see the Mixed Session module."

I then sourced the Mixed Sessions module.

Mixed Sessions Module
There is no Drupal 7 version. It does reference Uber SSL though.

I then sourced Uber SSL

Uber SSL

I installed Uber SSL but then encountered the problems I described previously. In the Uber SSL page it says:

"- Clean URLs must be enabled
- SSL Certificate must be installed and working for your website
- Ubercart is NOT required for this module btw, it can be used for pretty much anything u want. But its most common use is with ubercart so thats where it gets its name from."

It also says:

"If you have an SSL Certificate and you want to secure your ubercart pages with that Cert then this is the module for you. Download this module, install, config it, and you'll be running with your cert in no time. This module does NOT help you get your certificate running!! If your website does NOT work with https by manually typing it in, then you need to get that working FIRST and then you can configure this module. You can install it before hand but you will not be able to configure it as it does test to see if SSL is actually working or not."

So I enabled clean URLs but have the problem I mentioned with Uber SSL unable to contact the SSL (https) version of my website.

For now the main problem seems to be Inmotions TEMP URL and clean URLs used in Drupal 7. I ran some tests this morning comparing the TEMP URL with the permanent URL (disabling Uber SSL). Here are the results:

TEMP URL
Disable clean URLs in Drupal 7 and the site works for both http and https
e.g.:
http://bizXXX.inmotionhosting.com/~username/?q=about_us
https://secureXXX.inmotionhosting.com/~username/?q=about_us

Enable clean URLs in Drupal 7 and the site shows only the homepage for both http and https. Other pages produce Error 404.
e.g.:
"http://bizXXX.inmotionhosting.com/~username/" shows but "http://bizXXX.inmotionhosting.com/~username/about_us" produces Error 404.
"https://secureXXX.inmotionhosting.com/~username/" shows but "https://secureXXX.inmotionhosting.com/~username/about_us" produces Error 404.


PERMANENT URL
Disable clean URLs in Drupal 7 and the site works for http (https not available using permanent URL with shared SSL)
e.g.:
http://mysite.com/?q=about_us

Enable clean URLs in Drupal 7 and the site works for http (https not available using permanent URL with shared SSL)
e.g.:
http://mysite.com/about_us

So there seems an issue with Drupal 7 clean URLs and Inmotions TEMP URL (which I have to use for the shared SSL).

I found another Drupal 7 user had this same problem (https://drupal.org/node/1734722) and solved it via server configuration (I mentioned this previously - changing "AllowOverride None" to "AllowOverride All" for https). Is it possible this is our solution since I have tried everything else?

Again big thanks to all you guys for trying to help me solve this one.
jeremy_steel
25 Points
2013-07-25 3:18 am EST
Like this Question?

Related Articles

It looks like there are no related articles.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question

Need more Help?

Search

Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail: support@InMotionHosting.com
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!