Shared SSL

scott1137 21 Jan, 2010
client's web host provides free shared ssl. Here's their instruction:
"You will just need to upload the files to the secure_html folder and call the file using the https://mydomain.hostname.net"
& elsewhere,
"Shared SSL is SSL using Web Host's certificate. A directory named "secure" is created in the root folder in your account. All files you wish to use under SSL must be placed in this directory. You will be able to access your files via a URL in the following example format:
https://secure??.hostname.com/YourUserName"

Are there instructions somewhere that show how to do this with Chronoforms or Joomla? I've searched the forum.

Thanks,

Scott
nml375 21 Jan, 2010
Hi Scott,
From what I understand, the secure_html / secure directory/ies are separate from the normal "webroot" (usually public_html or such). In that case, your only option as I can see it, would be to copy the webroot installation into the secure one.

/Fredrik
scott1137 22 Jan, 2010
Thank you Fredrik.

I'm a little nervous about messing with the folders on the server.

The host created a folder in the root called "Secure". The client's site is in the folder called "Public" alongside "Secure". Do you mean that I copy/move Public into Secure? Or do I move some folder in public to secure?

Thanks,

Scott
nml375 22 Jan, 2010
Hi Scott,
From what I can gather, you should copy your joomla installation from Public into Secure. I'd suggest you also edit your configuration.php file in the secure folder and see if the 'live_site' setting has a value. If it does, you'll have to edit this to match the SSL-url (https://secureXX.hostname.com/YourUserName I believe?). If it's set to '', then you can leave it as is.

/Fredrik
scott1137 23 Jan, 2010
Thank you for your patience, Fredrik.

As I think about this more I realize my client will not like her whole site to be in shared ssl as this will mess with the url and slow things down (as I understand it).

So what we need is to have the https come on only for the form submission - that is for the site to go from http://domain.com to https://domain.com during form submission then back to http.

I'd think there are a lot of folk who have shared ssl but only use it for forms. Seems like there should be a 'how to' for this somewhere but haven't found it.

Scott
GreyHead 23 Jan, 2010
Hi Scott,

As far as I recall ChronoForms does exactly this, if you call the form with https then it will stay with that url.

Bob
nml375 23 Jan, 2010
Hi Scott,
Shared SSL is, in my humble opinion, somewhat of a devil's bargain :/
Unfortunately, due to the nature of the http protocol and SSL, you need one IP-address for each hosted domain. IP-addresses are usually something you don't care 'bout as a webhost client, but for a hosting company, they're valuable resources. When used in a shared environment, unfortunately, the host domain needs to be "fixed" (such as https://loehr-nu.loopiasecure.com/) with a certificate matching *.loopiasecure.com, while I may have a "normal" url as http://www.loehr.nu/

In many cases, the secure site is simply mirrored to the normal one, but in your (client's) case, it appears to be in a separate folder. That means you'll need any and all resources that should be accessible through SSL in that second folder. Since we're talking ChronoForms, that means we'll need a full Joomla installation.

That leaves us with two options, a separate Joomla installation (different db-prefix), which means you'll have individual control over the normal and the secure site, but also twice the administration; and a site that shares the current installation db (same db-prefix), which means anything you do on the normal site will be reflected on the secure one.

Whichever you choose, you'll have to create manual links to the form on the secure site, as simply ticking the SSL option in Joomla would only translate the url from http://www.yoursite.com to https://www.yoursite.com - when you really need https://secureXX.somewhere.com/yoursite_com. Whether https://www.yoursite.com will work or not depends on your hosting company's setup, but your visitors will inevitably run into warnings 'bout forged certificates.

I know this is becoming a rather lengthy and technical post, so I'll try to wrap it up;
You'll need a joomla-installation with chronoforms in the secure folder in order to have an SSL-encrypted form, and you'll have to make sure that any link to the form needs to point to the https://secureXX.somewhere.com/yourusername url. You do not need to place all the site content on the secure site, but you do need a complete Joomla installation.

If I've made you even more confused by now (don't worry), just feel free to ask further.

/Fredrik
scott1137 23 Jan, 2010
Thank you both. I'm getting clearer on this. I'll think about this and bring back any other questions.

I'm a novice programmer. This is a good education. Let me check, these are saying the same thing, right, or at least addressing the same issue?
Bob you wrote:
"...if you call the form with https then it will stay with that url."
& Fredrik:
"...you'll have to make sure that any link to the form needs to point to the https://secureXX.somewhere.com/yourusername url."

Scott
GreyHead 23 Jan, 2010
Hi Scott,

Follow Fredrik on this - definitely not my area of expertise.

Bob
nml375 23 Jan, 2010
Hi Scott,
I suppose yes and no. It's rather the combination of the two that should yield the desired behaviour. CF will use whatever protocol and hostname that was used to access the form when submitting the form, and as long as we "load" the form using the https://secureXX.yada.com/... CF will send the data there as well using https://

/Fredrik
scott1137 24 Jan, 2010
Owner's son emailed he has private/personal ssl for his site for much less than I had expected (<$100 USD). I had looked at Verisign and thought 'no way can she afford this'. Lesson in checking basic assumptions.

So between us we will probably persuade her on this. If not I'll be back to do what you spelled out for me, asking questions as necessary.

I assume using a purchased certificate is simpler. Will look at that but also need to understand differences in the ssl certificates being offered. Lots of learning; loving it. Pointers (or pointing to good information) on either of these areas appreciated.

Thank you Fredrik & Bob for your patient & persistent assistance.

Scott
nml375 24 Jan, 2010
Hi Scott,
SSL and certs and getting it all working can be quite a bit to take in if you're new to this kind of "stuff".

When choosing a certificate supplier, or rather signer, first take a second to think of the (intended) visitor's "need for trust".
Certificates are all about trust, it's the internet's way of showing your ID-card and letting the visitor know it's really you. The certificate issuer (CA - Certificate Authority) would be the company that issued your ID-card. As such, the CA should be someone the visitor trusts.

What does all this mean then? Well, a College might issue their own Student-ID/Teacher-ID cards. They'll work just fine on-Campus, but if you try them at your local bank, the result would probably be... less promising.
The same applies to certificates - you could fairly easily create your own CA and sign your own certificates. As long as your friends know about your CA, they'd trust it. However, a random visitor would most likely NOT trust this certificate.
It all comes down to trust.. Everyone trusts VeriSign, so everyone trusts a certificate VeriSign has signed.. hence they can charge quite a lot for their service. If you need Bank-grade trust, VeriSign is the way to go. If you settle for having encrypted communications without Firefox and IE barking, there's usually options you'll find more priceworthy.

Next, I think I scratched the surface on this in an earlier post;
Due to the mechanics of SSL, there can be only one certificate per IP:port combination. The hostname written into the signed certificate must further match the hostname ("reverse resolved") of the server - kind of like the photo of your ID-card or passport must look like you to be valid. Now, since IPv4 addresses are becoming a limited resource these days, more and more webhotels resort to these shared SSL solutions, or charge extra for a personal IP (sometimes called root server). Webhotels/serverhotels that offer personal IP's or root servers often act as a subsidiary signer for certificates at a lower cost compared to corporations such as VeriSign.

Soo, pointers (hope you made it all the way down here):
First off, see what kind of services your current webhotel offers. Especially if they allow you to have your own IP address and use private certificates. If they can't let you have your own IP address, then you can't use your own certificate - regardless of whether you purchased it from VeriSign or anywhere else.

Secondly, check if they can help with certificate signing.

If you are a computer-geek like me, then you could download the OpenSSL software package (http://www.openssl.org/related/binaries.html). This is a software package that allows you to create your own certificates, CAs, along with simple server and client programs to test them with. There are a few good documents on certificates, CA's and keys there too.

/Fredrik
scott1137 25 Jan, 2010
Thank you again for the clear and helpful explanation. This is a good tutorial on the subject and hopefully helpful to others.

One of the purposes of the site is to submit medical & psychological referrals. We need the ssl to provide and assure that the personal information submitted is kept confidential. The submitters will usually but not always have a relationship with the business.

Here is the information from our webhotel - I like that term - on personal ssl (they do allow us to buy & use certificates):

Personal SSL is SSL using your own certificate. To implement SSL on your web site using your own certificate and domain (i.e. https://www.YourDomain.com), Brinkster will need to create a CSR in order for your certificate request to begin. Note that you will need to purchase the certificate from a company such as Verisign or Thawte and provide them with the CSR. Your certificate provider will generate a security certificate for your domain using the CSR. Brinkster can then install the certificate and you can use SSL security on your domain.

Personal SSL Certificates are only supported with the Developer, Advanced, Pro and Rookie Packages. If you do not have one of these and would like to use a Personal SSL Certificate, you will need to upgrade your account prior to the certificate installation.

Alternatively, you can use Brinkster's shared SSL feature. See this article for more information regarding Brinkster's shared SSL http://kb.brinkster.com/Kb.asp?kb=80504

To add the SSL feature using your own certificate, contact Support@Brinkster.com with the following information:

1. Your Member Name
2. The following will be used to generate the certificate request file (CSR). The information that you provide from below must match the information associated with your domain in order for the certificate to be accurately created.

All fields are required:

Organization:
Organizational Unit:
Common Name: (URL you wish to use the certificate with, normally http://www.yourdomain.com)
Country/Region:
State/Province:
City/Locality:



I also found what I believe is a good resource on this subject. I hope it is ok to post the link. I have no affiliation with the site - stumbled across it while researching this on Wikipedia. Feel free to remove if it violates policies: http://www.sslshopper.com/index.html

On this site there is a comparison tool. One of the things I'm not clear on is this. We have one domain but two names that point to it. So someone may come to the form from either domainA or domainB in the address bar. Does this mean, for ssl certificate purposes, we have two domains?

The other questions are about the levels of ssl - green bar, company name on the certificate. I imagine when I understand this clearly I will present the owner with the options and cost.

Again, Thank you Fredrik.

Scott
nml375 25 Jan, 2010
Hi Scott,
Given the nature of what you described, I'd suggest you get your certificate signed by an accredited CA. I would also suggest you don't settle for a simple domain-validate certificate, but at least a "Web SSL certificate" (or equivalent). Also make sure the CA is part of the standard list of well-accredited CA's (list of pre-trusted CA's that comes with pretty much any browser these days).

A simple check would be to enter the security settings or advanced settings of your browser, and look for a certificate list option. The exact tabs and options may vary between browsers, but that's where you usually find them. Next look at the list of Issuers; these are all the CA's your web browser trusts.. if it does not trust the CA you've found at an affordable price, chances are your customer won't trust this CA either, and there will be alarms and warning lights flashing all over 😉

"On this site there is a comparison tool. One of the things I'm not clear on is this. We have one domain but two names that point to it. So someone may come to the form from either domainA or domainB in the address bar. Does this mean, for ssl certificate purposes, we have two domains?"


Once the form is loaded, may there be two different URL's in the address bar, or just the single one? (or well, is it always the same domain in the URL once the form is shown).

The reason for this question in the wizard, is as I said previously: there can be only one certificate for each IP. However, one certificate may validate multiple domain/sites. Unfortunately, not all CA's will verify and sign multiple domain certificates. Same goes with wildcard certificates (*.example.com instead of http://www.example.com + secure.example.com + foobar.example.com).

"The other questions are about the levels of ssl - green bar, company name on the certificate. I imagine when I understand this clearly I will present the owner with the options and cost."


Much simplified, the more bling, the higher status, and the more expensive certificate. Green Bar (or Extended Validation - EV) basically means the CA put some extra effort in verifying that you are really who you claim, your business is legit, and some other anti-phishing tests.
In the end, certificates are there to give your visitors some proof they're on the right site. The more effort you put into proving this (read better, more expensive certs), the more your visitors will trust the site.

Just checked that link you posted, I really liked their FAQ.

/Fredrik
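
The hostname matching discussed in this thread (shared wildcard certificate, wildcard vs. multi-name certificates), as an added example that is not part of any post above. It is a simplified model of the name check a browser performs; the loopiasecure.com and loehr.nu names come from the thread, and the domaina/domainb names are constructed placeholders.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one name from a certificate with the requested hostname.

    Simplified rules: comparison is case-insensitive, and a wildcard is
    accepted only as the entire leftmost label, where it stands for
    exactly one label (so it never spans a dot).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False          # "*.example.com" covers neither example.com nor a.b.example.com
    if p_labels[0] == "*":
        # Require at least "*.domain.tld" so "*.com" style names are rejected.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels

def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name listed in the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)

def browser_verdict(cert_names, url: str) -> str:
    """What a visitor would see when loading `url` from a server presenting this certificate."""
    host = urlsplit(url).hostname or ""
    return "ok" if cert_covers(cert_names, host) else "certificate name mismatch warning"

# Constructed sample certificates (lists of names each certificate is valid for).
SHARED_HOST_CERT = ["*.loopiasecure.com"]            # the host's shared certificate
WILDCARD_CERT = ["*.example.com"]                    # one wildcard certificate
MULTI_NAME_CERT = ["www.domaina.example", "www.domainb.example"]  # one cert, two names

if __name__ == "__main__":
    for cert, url in [
        (SHARED_HOST_CERT, "https://loehr-nu.loopiasecure.com/"),
        (SHARED_HOST_CERT, "https://www.loehr.nu/"),      # own domain on the shared cert
        (WILDCARD_CERT, "https://secure.example.com/form"),
        (WILDCARD_CERT, "https://example.com/form"),      # bare domain is not covered
        (MULTI_NAME_CERT, "https://www.domainb.example/form"),
    ]:
        print(f"{url:45} {cert} -> {browser_verdict(cert, url)}")
```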
scott1137 26 Jan, 2010
Fredrik, thanks for your patience.

The owner's sons have stepped in to do the research and buy the certificate. I've referred them to your posts. They did say that down the road they expect to do more things with the site which will require a higher level of ssl.

They're considering dropping one of the url's which is older and not so used.

Once they've decided and purchased, then I'll take it from there. That's when I'll be back to either ask questions or post success and what I did as well as what they decided and why.

It seems not only helpful for my learning but hopefully for others as well to have a series of posts like you've written to explain the process here where they're likely to look.

Scott