AbanteCart Community

Shopping Cart Operations => Security => Topic started by: Thumper on June 08, 2016, 08:19:55 PM

Title: SSL Certificate showing mixed usage content
Post by: Thumper on June 08, 2016, 08:19:55 PM
I really like AbanteCart and have it up and running with no issues....except this one. I am not running AbanteCart out of the root of the domain, but rather in a subdomain "shop.mydomain.com". I have the SSL certificate on that subdomain and AbanteCart comes up; however, I am showing that it is not secure as it has mixed usage. Note: I do have all the correct settings in the "Systems|Settings|Store Details" and I do have "Use SSL" set to ON.

While I'm fairly sure that the credit card information (using the Stripe extension) would be encrypted, I'm afraid that users of my shop may be concerned (and not purchase) if they don't see the complete padlock...but instead see the padlock with a warning triangle.

What mixed usage/content might there be in AbanteCart? I am using it virtually straight out of the box with only my verbiage and five product images.
Title: Re: SSL Certificate showing mixed usage content
Post by: llegrand on June 08, 2016, 11:33:50 PM
Be sure that you have the URL for BOTH the Store URL AND Secure Store URL with HTTPS://

And this is a handy little tool to help you identify what's causing the padlock not to show correctly on a page.

https://www.whynopadlock.com/index.html

Post back if you're still having an issue.

Lee
Title: Re: SSL Certificate showing mixed usage content
Post by: Basara on June 09, 2016, 05:11:04 AM
Hi.

Also, if you have some HTML blocks with HTTP URLs added or a 3rd-party extension installed, maybe it loads some content via HTTP, so the 'mixed content' warning appears.
Title: Re: SSL Certificate showing mixed usage content
Post by: Thumper on June 09, 2016, 09:34:54 AM
@ llegrand - Yes, I do have the Store URL and the Secure Store URL set appropriately and correctly. Thanks for the link for the handy tool. That did give me a lot of insight.

@ Basara - I did a basic installation of AbanteCart into mydomain.com/shop because I have other important business related pages under the root domain. The only changes made were text changes in "About Us", the "Main Page" welcome information and the product information. To be able to set a Subject Alternative Name in my GoDaddy UCC SSL certificate I had to set a domain name, thus the shop.mydomain.com name.

When I ran the "whynopadlock" utility, it gave me 57 insecure items, all of them in basic installed files (graphic files like png and jpg and many css files), which I have not altered in any way. (See below. NOTE: I couldn't post external links so I had to change everything to non-links. Add the http and https + mydomain.com in front of the shop folder.)

Total number of items: 94
Number of insecure items: 57

Insecure URL: /shop/storefront/view/default/stylesheet/bootstrap.min.css
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/stylesheet/flexslider.css
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/stylesheet/onebyone.css
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/stylesheet/font-awesome.min.css
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/stylesheet/fonts.google.css
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/stylesheet/style.css
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/jquery-1.11.0.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/jquery-migrate-1.2.1.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/resources/image/18/79/e.jpg
Found in: shop.mydomain.com

Insecure URL: /shop/resources/image/18/76/2.jpg
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/image/banner_image_1.png
Found in: shop.mydomain.com

Insecure URL: /shop/image/thumbnails/18/7a/IICM_jpg-100260-250x250.jpg
Found in: shop.mydomain.com

Insecure URL: /shop/image/thumbnails/18/7a/LEOTrakPremium_jpg-100259-250x250.jpg
Found in: shop.mydomain.com

Insecure URL: /shop/image/thumbnails/18/7a/LEOTrakAdvanced_jpg-100258-250x250.jpg
Found in: shop.mydomain.com

Insecure URL: /shop/image/thumbnails/18/7a/LEOTrakBasic_jpg-100257-250x250.jpg
Found in: shop.mydomain.com

Insecure URL: /shop/image/thumbnails/18/7a/Details_JPG-100256-250x250.jpg
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/image/stars_5.png
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/bootstrap.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/common.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/respond.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/jquery.flexslider.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/easyzoom.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/jquery.validate.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/jquery.carouFredSel.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/jquery.mousewheel.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/jquery.touchSwipe.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/jquery.ba-throttle-debounce.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/jquery.onebyone.min.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/javascript/custom.js
Found in: shop.mydomain.com

Insecure URL: /shop/extensions/banner_manager/storefront/view/default/javascript/banner_manager.js
Found in: shop.mydomain.com

Insecure URL: /shop/storefront/view/default/fonts/glyphicons-halflings-regular.eot
Found in: /shop/storefront/view/default/stylesheet/bootstrap.min.css

Insecure URL: /shop/storefront/view/default/fonts/glyphicons-halflings-regular.eot?
Found in: /shop/storefront/view/default/stylesheet/bootstrap.min.css

Insecure URL: /shop/storefront/view/default/fonts/glyphicons-halflings-regular.woff2
Found in: /shop/storefront/view/default/stylesheet/bootstrap.min.css

Insecure URL: /shop/storefront/view/default/fonts/glyphicons-halflings-regular.woff
Found in: /shop/storefront/view/default/stylesheet/bootstrap.min.css

Insecure URL: /shop/storefront/view/default/fonts/glyphicons-halflings-regular.ttf
Found in: /shop/storefront/view/default/stylesheet/bootstrap.min.css

Insecure URL: /shop/storefront/view/default/fonts/glyphicons-halflings-regular.svg
Found in: /shop/storefront/view/default/stylesheet/bootstrap.min.css

Insecure URL: /shop/storefront/view/default/image/bg_direction_nav.png
Found in: /shop/storefront/view/default/stylesheet/flexslider.css

Insecure URL: /shop/storefront/view/default/image/carousalarrow.png
Found in: /shop/storefront/view/default/stylesheet/flexslider.css

Insecure URL: /shop/storefront/view/default/image/slderleftimg.png
Found in: /shop/storefront/view/default/stylesheet/flexslider.css

Insecure URL: /shop/storefront/view/default/image/banner_shadow.png
Found in: /shop/storefront/view/default/stylesheet/onebyone.css

Insecure URL: /shop/storefront/view/default/image/circles.png
Found in: /shop/storefront/view/default/stylesheet/onebyone.css

Insecure URL: /shop/storefront/view/default/image/back.png
Found in: /shop/storefront/view/default/stylesheet/onebyone.css

Insecure URL: /shop/storefront/view/default/image/forward.png
Found in: /shop/storefront/view/default/stylesheet/onebyone.css

Insecure URL: /shop/storefront/view/default/fonts/fontawesome-webfont.eot?v=4.4.0
Found in: /shop/storefront/view/default/stylesheet/font-awesome.min.css

Insecure URL: /shop/storefront/view/default/fonts/fontawesome-webfont.eot?
Found in: /shop/storefront/view/default/stylesheet/font-awesome.min.css

Insecure URL: /shop/storefront/view/default/fonts/fontawesome-webfont.woff2?v=4.4.0
Found in: /shop/storefront/view/default/stylesheet/font-awesome.min.css

Insecure URL: /shop/storefront/view/default/fonts/fontawesome-webfont.woff?v=4.4.0
Found in: /shop/storefront/view/default/stylesheet/font-awesome.min.css

Insecure URL: /shop/storefront/view/default/fonts/fontawesome-webfont.ttf?v=4.4.0
Found in: /shop/storefront/view/default/stylesheet/font-awesome.min.css

Insecure URL: /shop/storefront/view/default/fonts/fontawesome-webfont.svg?v=4.4.0
Found in: /shop/storefront/view/default/stylesheet/font-awesome.min.css

Insecure URL: /shop/storefront/view/default/image/sprite.png
Found in: /shop/storefront/view/default/stylesheet/style.css

Insecure URL: /shop/storefront/view/default/image/offer.png
Found in: /shop/storefront/view/default/stylesheet/style.css

Insecure URL: /shop/storefront/view/default/image/sale.png
Found in: /shop/storefront/view/default/stylesheet/style.css

Insecure URL: /shop/storefront/view/default/image/new.png
Found in: /shop/storefront/view/default/stylesheet/style.css

Insecure URL: /shop/storefront/view/default/image/rate.png
Found in: /shop/storefront/view/default/stylesheet/style.css

Insecure URL: /shop/storefront/view/default/image/arrowcategory.png
Found in: /shop/storefront/view/default/stylesheet/style.css

Insecure URL: /shop/storefront/view/default/image/footericon.png
Found in: /shop/storefront/view/default/stylesheet/style.css

Insecure URL: /shop/storefront/view/default/image/gotop.png
Found in: /shop/storefront/view/default/stylesheet/style.css

Shouldn't these items be secure items in your basic installation? For what it's worth, and I don't want to switch back, but my ZenCart installation under mydomain/store folder is fully secure with my main domain's SSL certificate which is supposed to cover all folders under the domain. It appears to do that with ZenCart...why not in AbanteCart even with my UCC SSL certificate?
Title: Re: SSL Certificate showing mixed usage content
Post by: eCommerce Core on June 09, 2016, 09:51:34 AM
What is your URL?
Title: Re: SSL Certificate showing mixed usage content
Post by: Thumper on June 09, 2016, 12:15:41 PM
shop.datasoftware.net, with the files being present in datasoftware.net/shop
Title: Re: SSL Certificate showing mixed usage content
Post by: abolabo on June 10, 2016, 04:17:25 AM
Is SSL enabled in AbanteCart settings?
I see <base href="http://shop.datasoftware.net/"> on your page.
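
The effect of the `<base href>` noted above, as an added example that is not part of the original post and is not AbanteCart code: once the base is `http://`, every relative subresource URL resolves to HTTP even when the page itself was fetched over HTTPS, which is why a scanner flags stock CSS, JS and image paths. The function name `findMixedContent`, the regex-based tag extraction and the sample HTML are assumptions constructed for illustration (run with Node.js).

```javascript
// Constructed sample page; paths only mimic the shape of those listed in the thread.
const PAGE_URL = 'https://shop.mydomain.com/';
const SAMPLE_HTML = `
<html><head>
<base href="http://shop.mydomain.com/">
<link rel="stylesheet" href="storefront/view/default/stylesheet/style.css">
<script src="storefront/view/default/javascript/common.js"></script>
</head><body>
<img src="/resources/image/18/79/e.jpg">
<img src="https://shop.mydomain.com/storefront/view/default/image/stars_5.png">
<a href="http://example.com/">plain link, a navigation and not a subresource</a>
</body></html>`;

// Resolve every subresource URL the way a browser would and report the
// ones that end up on plain HTTP.
function findMixedContent(html, pageUrl) {
  // A <base href> replaces the page URL as the base for all relative URLs.
  const baseMatch = html.match(/<base\b[^>]*\bhref\s*=\s*["']([^"']+)["']/i);
  const base = baseMatch ? new URL(baseMatch[1], pageUrl).href : pageUrl;

  // Only tags that fetch subresources; <a href> is deliberately excluded.
  const tagRe =
    /<(script|img|link|iframe|source)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const insecure = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const resolved = new URL(m[2], base);
    if (resolved.protocol === 'http:') {
      insecure.push({ tag: m[1].toLowerCase(), url: resolved.href });
    }
  }
  return { base, insecure };
}

// Same markup, base switched to https: nothing is flagged any more.
const FIXED_HTML = SAMPLE_HTML.replace('<base href="http://', '<base href="https://');

const before = findMixedContent(SAMPLE_HTML, PAGE_URL);
const after = findMixedContent(FIXED_HTML, PAGE_URL);
console.log(`base=${before.base} insecure=${before.insecure.length}`);
before.insecure.forEach((i) => console.log(`  <${i.tag}> ${i.url}`));
console.log(`base=${after.base} insecure=${after.insecure.length}`);
```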
Title: Re: SSL Certificate showing mixed usage content
Post by: Thumper on June 10, 2016, 06:04:58 PM
Yes...as stated several times above, I do indeed have SSL enabled (see attached screen shot).
Where is <base href="I can't post external links-Frustrating!"> showing (which file) and where in AbanteCart would I change this?
Title: Re: SSL Certificate showing mixed usage content
Post by: Thumper on June 10, 2016, 06:54:36 PM
@abolabo - I found on the page where it shows the <base href... but shouldn't that be set properly by the AbanteCart Admin settings? As shown in my last post, I do have SSL enabled and have the proper settings for the http and https fields.
Title: Re: SSL Certificate showing mixed usage content
Post by: abolabo on June 15, 2016, 07:57:32 AM
We made changes in core/init.php in the dev version.

Please try to replace yours with this: https://raw.githubusercontent.com/abantecart/abantecart-src/1.2.8/public_html/core/init.php


Title: Re: SSL Certificate showing mixed usage content
Post by: Dhiren on June 21, 2016, 01:29:23 PM
Is the "insecure endpoint" on another installation?
OR
Are you loading any images on this page?
Title: Re: SSL Certificate showing mixed usage content
Post by: Thumper on June 21, 2016, 01:53:28 PM
Quote
Is the "insecure endpoint" on another installation?
No, it is not.

Quote
Are you loading any images on this page?
The only images being loaded are the product images, which show on the main page, as well as the company logo. Both of these, I would imagine, would be allowed for in AbanteCart.

I replaced the init.php with the uploaded version posted by Abolabo but that made things even worse. With the newer version of init.php the cart and payment pages wouldn't open properly. Once I switched back to my original init.php they opened normally.

Then things got even weirder. The page worked perfectly for approximately two hours the other day (security and everything else) but right after that the same security issue popped up again and additionally now the product images stopped showing on the main page (I did nothing different).

Actually, the point is moot now as I was spending way too much time on something that should work with no issues. Although I would like to stay with AbanteCart, I must remain with Zen Cart for now. I have no security issues with it and everything works as it should, although I like the AbanteCart interface much better (as well as the HTML receipts and notices).

Wish I could stay with AbanteCart but too many things broken in it with regard to standard items such as SSL certificates and product images.
Title: Re: SSL Certificate showing mixed usage content
Post by: abolabo on June 22, 2016, 05:41:12 AM
Please ask your hosting provider's tech support about the SSL certificate for your SSL domain.
It's a server-side issue, NOT AbanteCart.
Secure connection troubles appear before the PHP code runs.
If you cannot open some HTTPS URLs, it's a server-side trouble 100%.
Title: Re: SSL Certificate showing mixed usage content
Post by: Thumper on June 22, 2016, 10:30:08 AM
It has not been an SSL certificate issue. I have multiple certificates on multiple sites, for two other Zen Cart installs and several other secure web-based database applications I have written. All work perfectly both in root domains and in sub-domains. That also doesn't explain why none of my product images, which did work for several days, suddenly stopped appearing, even though they were in the resource library.

I decided to give AbanteCart one more try and have installed it on a separate root domain I own (as opposed to a sub-folder/sub-domain of my main domain which I have always done) that is database software related to a specific genre. As before, it installed without any issues. The missing product images issue has not appeared again (but then again it didn't for a few days on my previous install) and everything is fine so far. I had been waiting for the SSL certificate to propagate and just prior to my writing this post, it had come up and the page is coming up as a secure page (so far).

I'm going to wait a few days while testing it to make sure everything stays as it is now, remembering that I had issues other than the SSL certificate with the last installation. If it does, I will go live with it.

Thanks to all for your help and suggestions.
Title: Re: SSL Certificate showing mixed usage content
Post by: Thumper on June 25, 2016, 03:56:09 PM
Fixed with the new installation. Thank you for the support. I am live with it.
Title: Re: SSL Certificate showing mixed usage content
Post by: Basara on June 27, 2016, 02:27:31 AM
Quote
Fixed with the new installation. Thank you for the support. I am live with it.

Thank you for the reply.