Find solution
Where should I install SSL - whole domain or on a subdomain?

Resolving a Tricky SSL Issue.

  • I have a very odd problem and am not sure where to turn since I have run into silence on various tech forums. Here's my issue. I have a site Magento site that is a combination of Wordpress header and footer and Magento creamy center. When checking out you the customer see's that the site is unsecure. Not good. The pure Wordpress site is at the root domain so www.site.com, Magento is at shop.site.com. The SSL is set for the shop.site.com subdomain. Since I am pulling Wordpress header and footers for Magento (it generates the primary site navigation and pulls all the various social media data) I am running into the dreaded unsecure content errors which is very blatant in Chrome with it's crossed out red HTTPS. I am trying to figure out a solution to this before the client kills me. I was thinking of just getting a certificate for the Wordpress (www.site.com) side of things. We'd take a slight speed hit, but I'm not sure what else to do besides completely rebuilding the Magento header and footer to kind of mimic the Wordpress one. I'd really like to not go this route as it's a lot of work and it sucks from a user experience standpoint. My only experience with SSL is buying a certificate and having it work, so the nitty gritty details escape me. I'm also a designer not a developer so while I get my hands dirty and can mess with the php of Magento etc, I am no expert. Any help greatly appreciated. Thanks!

  • Answer:

    I have a coder do the nitty-gritty for me, but I do e-comm in real life. I think the shopper is really ill-served if they can't see https:// links and everything green that's supposed to be green. I for one would bail out on the cart if I didn't see those things at minimum. I know you said you don't want to re-template/mimic the WP templates on Magento. But that's what we do with all our sites where there is a CMS and a cart. I think it's a one-time problem - if necessary you pay someone to call in a lifeline and help with the CSS, then you have a WP install and a Magento install that are both neat and clean. DM me if you want a referral to a coder with Magento experience.

misterpatrick at Ask.Metafilter.Com Visit the source

Was this solution helpful to you?

Other answers

One of my clients apparently serves up secure data on a non-secure site. This site doesn't get the mixed content warning. The secure data remains secure. The drawback would be that the URL would be HTTP, not HTTPS. From your description, it would probably require a third web site to accomplish this, but the coding would be relatively simple and could probably be done in static HTML.

stubby phillips

Not sure how that would work. Any more details on what they are doing?

misterpatrick

Are the www.site.com and shop.site.com resources (html pages, images, etc.) stored on the same physical server?

dgeiser13

Can you mirror the files from wp-content in www.example.com into shop.example.com (basically, just keep those in sync). You take a hit in terms of the user having to redownload those resources, but you eliminate the SSL issue.

artlung

Yes, they are both on the same static IP address. The problem with mirroring is that the files are dynamically generated on the Wordpress side (navigation, social media updates etc), so having the client keep things in sync would be hard. Someone smart might be able to do a cron script or something, but I'm not that person.

misterpatrick

Couldn't it maybe be done with a symlink? Or even some sort of server side include? (PHP included)?

bitdamaged

Thanks. I think I may have to do it that way. I'm fine doing the coding that way, but hate to do it. Urgh. I will probably drop you a line as I am always looking for good Magento people.

misterpatrick

If I understand your question correctly, you're getting a mixed content warning on an HTTPS site because it displays (imports or uses a widget model to display) HTTP content. Most clients hate this because it interferes with UX and doesn't give the user a warm-fuzzy. From what I've observed, though, an HTTP page can display HTTPS content without the mixed content warning. So you create a third website and it imports the HTTP content for the header and footer and the HTTPS content from Magneto. Point your URL to this new site and Bob's your uncle. The only problem is (as pointed out by randomkeystrike), the URL in your address bar will start with HTTP, not HTTPS. The users won't have any indication that the content is secure. Of course it will be, but they won't have the S to make them all cozy. Our client (a Fortune 5) actually doesn't mind this. AND they have some pretty damn sensitive information on the site. Your client might or might not mind.

stubby phillips

Small world. One of my engineers just stopped by. He's been working on a mixed content warning on one of our sites for a couple days now and has come up with a solution that might work for you. He created a page containing the HTTP content and hosted that in an IFRAME on the HTTPS site. It seems to work in staging, but it's still going through testing before we go into production. There are some web analytics concerns that need to be worked out. Anyway, this is HTTP content served up on an HTTPS site, so that will alleviate the problem randomkeystroke described above. I'll check back in a couple days after QA gets through with this and let you know if it worked.

stubby phillips

Load more

Related Q & A:

Just Added Q & A:

Find solution

For every problem there is a solution! Proved by Solucija.

  • Got an issue and looking for advice?

  • Ask Solucija to search every corner of the Web for help.

  • Get workable solutions and helpful tips in a moment.

Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.