Resolving a Tricky SSL Issue.
August 31, 2011 9:23 AM Subscribe
I have a very odd problem and am not sure where to turn since I have run into silence on various tech forums. Here's my issue. I have a site Magento site that is a combination of Wordpress header and footer and Magento creamy center. When checking out you the customer see's that the site is unsecure. Not good.
The pure Wordpress site is at the root domain so www.site.com, Magento is at shop.site.com. The SSL is set for the shop.site.com subdomain. Since I am pulling Wordpress header and footers for Magento (it generates the primary site navigation and pulls all the various social media data) I am running into the dreaded unsecure content errors which is very blatant in Chrome with it's crossed out red HTTPS.
I am trying to figure out a solution to this before the client kills me. I was thinking of just getting a certificate for the Wordpress (www.site.com) side of things. We'd take a slight speed hit, but I'm not sure what else to do besides completely rebuilding the Magento header and footer to kind of mimic the Wordpress one. I'd really like to not go this route as it's a lot of work and it sucks from a user experience standpoint. My only experience with SSL is buying a certificate and having it work, so the nitty gritty details escape me. I'm also a designer not a developer so while I get my hands dirty and can mess with the php of Magento etc, I am no expert.
Any help greatly appreciated. Thanks!
The pure Wordpress site is at the root domain so www.site.com, Magento is at shop.site.com. The SSL is set for the shop.site.com subdomain. Since I am pulling Wordpress header and footers for Magento (it generates the primary site navigation and pulls all the various social media data) I am running into the dreaded unsecure content errors which is very blatant in Chrome with it's crossed out red HTTPS.
I am trying to figure out a solution to this before the client kills me. I was thinking of just getting a certificate for the Wordpress (www.site.com) side of things. We'd take a slight speed hit, but I'm not sure what else to do besides completely rebuilding the Magento header and footer to kind of mimic the Wordpress one. I'd really like to not go this route as it's a lot of work and it sucks from a user experience standpoint. My only experience with SSL is buying a certificate and having it work, so the nitty gritty details escape me. I'm also a designer not a developer so while I get my hands dirty and can mess with the php of Magento etc, I am no expert.
Any help greatly appreciated. Thanks!
Response by poster: Not sure how that would work. Any more details on what they are doing?
posted by misterpatrick at 9:53 AM on August 31, 2011
posted by misterpatrick at 9:53 AM on August 31, 2011
Are the www.site.com and shop.site.com resources (html pages, images, etc.) stored on the same physical server?
posted by dgeiser13 at 10:05 AM on August 31, 2011
posted by dgeiser13 at 10:05 AM on August 31, 2011
Can you mirror the files from wp-content in www.example.com into shop.example.com (basically, just keep those in sync). You take a hit in terms of the user having to redownload those resources, but you eliminate the SSL issue.
posted by artlung at 10:18 AM on August 31, 2011
posted by artlung at 10:18 AM on August 31, 2011
Response by poster: Yes, they are both on the same static IP address.
The problem with mirroring is that the files are dynamically generated on the Wordpress side (navigation, social media updates etc), so having the client keep things in sync would be hard. Someone smart might be able to do a cron script or something, but I'm not that person.
posted by misterpatrick at 11:03 AM on August 31, 2011
The problem with mirroring is that the files are dynamically generated on the Wordpress side (navigation, social media updates etc), so having the client keep things in sync would be hard. Someone smart might be able to do a cron script or something, but I'm not that person.
posted by misterpatrick at 11:03 AM on August 31, 2011
Couldn't it maybe be done with a symlink? Or even some sort of server side include? (PHP included)?
posted by bitdamaged at 11:27 AM on August 31, 2011
posted by bitdamaged at 11:27 AM on August 31, 2011
Best answer: I have a coder do the nitty-gritty for me, but I do e-comm in real life. I think the shopper is really ill-served if they can't see https:// links and everything green that's supposed to be green. I for one would bail out on the cart if I didn't see those things at minimum.
I know you said you don't want to re-template/mimic the WP templates on Magento. But that's what we do with all our sites where there is a CMS and a cart. I think it's a one-time problem - if necessary you pay someone to call in a lifeline and help with the CSS, then you have a WP install and a Magento install that are both neat and clean.
DM me if you want a referral to a coder with Magento experience.
posted by randomkeystrike at 11:41 AM on August 31, 2011 [1 favorite]
I know you said you don't want to re-template/mimic the WP templates on Magento. But that's what we do with all our sites where there is a CMS and a cart. I think it's a one-time problem - if necessary you pay someone to call in a lifeline and help with the CSS, then you have a WP install and a Magento install that are both neat and clean.
DM me if you want a referral to a coder with Magento experience.
posted by randomkeystrike at 11:41 AM on August 31, 2011 [1 favorite]
Response by poster: Thanks. I think I may have to do it that way. I'm fine doing the coding that way, but hate to do it. Urgh. I will probably drop you a line as I am always looking for good Magento people.
posted by misterpatrick at 11:50 AM on August 31, 2011
posted by misterpatrick at 11:50 AM on August 31, 2011
If I understand your question correctly, you're getting a mixed content warning on an HTTPS site because it displays (imports or uses a widget model to display) HTTP content. Most clients hate this because it interferes with UX and doesn't give the user a warm-fuzzy.
From what I've observed, though, an HTTP page can display HTTPS content without the mixed content warning. So you create a third website and it imports the HTTP content for the header and footer and the HTTPS content from Magneto. Point your URL to this new site and Bob's your uncle.
The only problem is (as pointed out by randomkeystrike), the URL in your address bar will start with HTTP, not HTTPS. The users won't have any indication that the content is secure. Of course it will be, but they won't have the S to make them all cozy.
Our client (a Fortune 5) actually doesn't mind this. AND they have some pretty damn sensitive information on the site. Your client might or might not mind.
posted by stubby phillips at 11:52 AM on August 31, 2011
From what I've observed, though, an HTTP page can display HTTPS content without the mixed content warning. So you create a third website and it imports the HTTP content for the header and footer and the HTTPS content from Magneto. Point your URL to this new site and Bob's your uncle.
The only problem is (as pointed out by randomkeystrike), the URL in your address bar will start with HTTP, not HTTPS. The users won't have any indication that the content is secure. Of course it will be, but they won't have the S to make them all cozy.
Our client (a Fortune 5) actually doesn't mind this. AND they have some pretty damn sensitive information on the site. Your client might or might not mind.
posted by stubby phillips at 11:52 AM on August 31, 2011
Small world. One of my engineers just stopped by. He's been working on a mixed content warning on one of our sites for a couple days now and has come up with a solution that might work for you.
He created a page containing the HTTP content and hosted that in an IFRAME on the HTTPS site. It seems to work in staging, but it's still going through testing before we go into production. There are some web analytics concerns that need to be worked out.
Anyway, this is HTTP content served up on an HTTPS site, so that will alleviate the problem randomkeystroke described above.
I'll check back in a couple days after QA gets through with this and let you know if it worked.
posted by stubby phillips at 2:13 PM on August 31, 2011
He created a page containing the HTTP content and hosted that in an IFRAME on the HTTPS site. It seems to work in staging, but it's still going through testing before we go into production. There are some web analytics concerns that need to be worked out.
Anyway, this is HTTP content served up on an HTTPS site, so that will alleviate the problem randomkeystroke described above.
I'll check back in a couple days after QA gets through with this and let you know if it worked.
posted by stubby phillips at 2:13 PM on August 31, 2011
Response by poster: Well, I remade everything in Magento but I am still getting unsecure errors. I have know idea what is actually causing the unsecure warnings. If anyone can take a look let me know and I can send you the link to look at. Thanks!
posted by misterpatrick at 10:26 PM on August 31, 2011
posted by misterpatrick at 10:26 PM on August 31, 2011
If you're running Apache, use mod_proxy. Create a ProxyPass and ProxyPassReverse rule to map something like /www to http://localhost/. That way, if you have something hosted as http://www.somesite.com/images/main_banner.png, you can access it on the shop pages as https://shop.somesite.com/www/images/main_banner.png.
posted by jraenar at 11:00 PM on August 31, 2011
posted by jraenar at 11:00 PM on August 31, 2011
Response by poster: Does anyone know offhand what actually causes the unsecure warnings? Is it links to unsecure scripts, or also images etc? I haven't been able to find a specific list and that would help me troubleshoot why things aren't working.
posted by misterpatrick at 11:22 AM on September 1, 2011
posted by misterpatrick at 11:22 AM on September 1, 2011
« Older Please help me figure out the name/author of a... | What to do with a fairly substantial business sale... Newer »
This thread is closed to new comments.
The drawback would be that the URL would be HTTP, not HTTPS.
From your description, it would probably require a third web site to accomplish this, but the coding would be relatively simple and could probably be done in static HTML.
posted by stubby phillips at 9:43 AM on August 31, 2011