Https - noddy's guide required


(Ken) #1

Has anybody got a step-by-step idiot's guide to converting a RapidWeaver site to HTTPS - getting more sites refused access by Firefox.


(Jason Bostick) #2

Funny, that is the exact blog post today from realmac:

Depending on your host, you may have an easy ‘switch’ in your control panel that will use Let's Encrypt or some other free SSL option. On an In Motion site recently, I literally just toggled a button and that was it.


(Stuart Marshall) #3

And of course there is one of the most recent discussion threads on the forum: Effective July 2018, Google’s Chrome browser will mark non-HTTPS sites as ‘not secure’

am sure that as someone who has “fully mastered” the BWD stacks you will have no issues getting to grips with this. :wink:


(Ken) #4

@jabostick Watched the video and am now sitting with an “Ice Pack” on my brow.


(Jason Bostick) #5

Ha, I hadn’t watched the video yet myself, just saw the title.

I have added cloudflare a couple of times in the past and remember it actually doing a good job of taking you through it step-by-step. Again, if you check with your host, there might be a quick and easy option in your control panel.

After the ice pack is finished, give it a go, I bet it won’t be as daunting as you imagine it.


(Jochen Abitz) #6

I wrote about it one year ago, maybe this is still helpful for someone: https://rapidpages.de/blog/post/rapidweaver-ssl-integration


(Ken) #7

I’ve just sent a request to GoDaddy to see if they can give me a free SSL and install it for me.


(Bruce Kieffer) #8

No kidding, a guide would be very helpful. I just added SSL to one of my RW sites. I had to figure it out myself. I will tell you what I did and I hope that helps others. Please keep in mind I’m a novice and I muddled my way through this. I’m sure any info you can add would be helpful:

  1. I ordered a free SSL from my host (Bluehost), and I waited until it was installed (email confirmation).
  2. I changed the beginning of my Web Address in the RW project file Settings/General from http:// to https:// and published the change.
  3. Wait an hour or two to be sure changes propagate. This may not be necessary.
  4. Go to https://www.whynopadlock.com/. Enter your web address. Review the test results. In my case, it said, “Your webserver is not forcing the use of SSL.” Click “more info” at the end of that message. A screen pops up with code to add to a .htaccess file.
  5. Search the web for info to create a .htaccess file. If you try and create one on a Mac you can’t title it with the dot at the beginning. That makes the file invisible. The web info and some creative thinking will get you past this hurdle.
  6. Open an FTP app and log into your site. Add the .htaccess file to the site files. In my case, my site is a subdomain, so I added the .htaccess file into that folder.
  7. Clear your browser cache and test your URL to see if it shows a padlock and secure.
  8. Go to https://www.whynopadlock.com/ again. Enter your web address. Review the test results to see if any other errors appear.

It would be nice if RW could do all of this with a simple checkbox like “Make My Site Secure,” and then RW made you confirm you had an active SSL certificate.


(Doug Bennett) #9

Unfortunately, that probably can’t be done due to the vast variations in web hosting companies and plans. For instance, only Apache web servers have a .htaccess file. Nginx (engine x) and Windows servers use a different approach. Not all hosting plans with Apache allow the use of a .htaccess file, as even Apache recommends it be disabled for performance.
The mixed content that whynopadlock finds would have to be addressed manually; you can’t just assume that a resource reference using HTTP has a certificate, and change it automatically to https.


(Ken) #10

@bruce I think I’m definitely going to need an idiot's guide to sort this. My host - GoDaddy would not even give me a free SSL. All they offered was their all singing and dancing solution at £125/2 yrs.


(Doug Bennett) #11

That tends to be GoDaddy’s answer to a lot of things: upgrade and pay for it. You could go with Cloudflare. See the post above; Ben has a video going over how to.


(Joseph Chou) #12

@bruce Thanks much for your post.

I also use Bluehost and was successfully able to add SSL following your suggestions. It was much easier than I thought it would be.

whynopadlock is still giving me a mixed content failure message, but I think it’s because the theme I’m using is loading jQuery via http:// and not https://. Otherwise, all looks good.


(Bruce Kieffer) #13

@jchou
Glad it helped. I too see a few whynopadlock mixed content failure messages, and I also think they are theme related. I wrote to the developer to find out if he knew. Even so, they are not errors that I am going to be concerned about. All of my sites are SSL now!


(Joseph Chou) #14

I also initially thought it could be ignored, but then I realized that when some web browsers see NON-https:// content, they refuse to load that content at all.

Because my http:// content was loading jQuery, all the JavaScript code that depended on it was not running. End result was that when accessed with https://, window size responsiveness failed.

I also contacted the theme developers to ask them to fix it, but in the end, I decided to dig into the theme contents, found the text file source of the mixed content warning, changed http:// to https://, and then re-installed the theme into RW. That got rid of the mixed content error, and the page is responsive again!

(I’m actually rather amazed that my little hack actually worked, without causing a disaster.)

The only remaining warning is the one you posted elsewhere about: “You currently have TLSv1 enabled.”, which someone responded that we can’t do anything about, I guess.


(Michael M.) #15

Wrote something about HTTPS and the Mixed Content Problem in German:
RapidWeaver, HTTPS und Mixed Content

Might be helpful, because sometimes it is a bit tricky to find a solution especially for mixed content


(Gary) #17

Yesterday I added SSL to 2 sites I have with the host Clook. I paid for a 36 month basic cert with Comodo at the cost of only £10. IMHO that is £10 well spent not to have to mess about trying to renew a free cert every 90 days per site. There is nothing worse than an expired SSL cert to throw up scary warnings to web visitors.

The authentication with Comodo is done by email and takes a few minutes. A quick email to Clook’s “off the planet good” support and the SSL is all done for me and working. Having a good host is vital to an easy ongoing life with SSL.

Meanwhile, for the rest of the day I was mostly tracking down http URLs hidden in stack settings. Yesterday I learnt that even if you have a URL in a drop down stack setting, but are not using that URL, that same URL still gets published and breaks the SSL. RapidWeaver’s search did not find them either.

Note that Clook’s documentation is out of date and it says you need a fixed IP to install 3rd party SSL certs. This is not the case.


(Dave Farrants) #18

Just for info, one.com offer free one click SSL with Comodo.


(Gregory Barchard) #19

This is GoDaddy’s business model. They lure users with cheap hosting then have expensive upsells like this. They used to charge users to use IMAP with their email. I’m not sure if this is still true.

Anyways, SSL is free at Chillidog. It renews automatically every 90 days. Nothing to install or remember. You can view your SSL status any time via the control panel. Oh and I don’t charge for IMAP :slight_smile:

Greg


(Doug Bennett) #20

There’s two types of mixed content, “passive” and “active”.
Passive content has no ability to change what’s on the page, things like an image or video.
Active content is anything that can change what displays on the page. Things like JavaScript, CSS and web fonts.

Active Mixed Content Must be Fixed or it Will Break Your Page

If it’s built into the theme, a plugin or a stack, the developer must make the fix. But it has to be done, or your page will not load correctly period. All current releases of all major browsers will block mixed active content.
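The passive/active split described in the post above, as an added example that is not part of the original thread: a Python scan of one published page's HTML that reports each `http://` subresource and its kind, including URLs inside `<style>` blocks. The tag table is a simplified assumption, and the sample page and its hosts are constructed.

```python
import re
from html.parser import HTMLParser

# Subresource-loading (tag, attribute) pairs, classified as in the post above.
KIND = {("script", "src"): "active", ("link", "href"): "active", ("iframe", "src"): "active",
        ("img", "src"): "passive", ("video", "src"): "passive", ("audio", "src"): "passive"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)
FONT_EXT = (".woff", ".woff2", ".ttf", ".otf", ".eot")

# Constructed sample page (hypothetical hosts), not taken from any real site.
SAMPLE = """<head><script src="http://code.example.com/jquery.min.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/theme.css">
<link rel="canonical" href="http://www.example.com/">
<style>@font-face { src: url('http://fonts.example.com/t.woff2'); }</style></head>
<body><img src="http://img.example.com/banner.jpg">
<a href="http://other.example.org/">a plain link</a></body>"""


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for each http:// subresource; <a href> links are ignored."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        for name, value in attrs.items():
            kind = KIND.get((tag, name))
            if not kind or not (value or "").lower().startswith("http://"):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue  # rel=canonical and the like load nothing
            self.findings.append((kind, tag, value))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        for url in CSS_URL.findall(data if self._in_style else ""):
            # Fonts are active content; images referenced from CSS are passive.
            font = url.lower().split("?")[0].endswith(FONT_EXT)
            self.findings.append(("active" if font else "passive", "style", url))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Calling `scan()` on each exported page lists the references that need changing to `https://`; the `active` entries are the ones browsers block outright.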

(Doug Bennett) #21

Bruce,
See my post above about mixed content; you probably need to get it fixed.

If the developer is not responsive in a timely manner, you could go the CloudFlare route. CloudFlare will fix your mixed content for you and has many other benefits. Ben’s video covers how to set it up with RapidWeaver sites, and it’s free and easy.

Having set up certificates on your sites is not a waste of time. You can and really should still have SSL set up even when using CloudFlare. Without the certificate on your site you only get what’s called flexible SSL, and although to the end users it appears to be secure, it’s not from the CloudFlare server to your server.

CloudFlare says:

This option is not recommended if you have any sensitive information on your website.

More information from CloudFlare: