Contact form success page forces HTTP, returning security warning in Chrome

Newbie

Posts

Joined

Thu Oct 09, 2014 3:35 pm

Post by Strike2223344 » Sun Dec 13, 2020 8:10 am

Running Opencart 2.3.0.2, if I submit the contact form, the message is received. However, the success page is HTTP://. This triggers a security warning in Chrome:

Clicking "Send anyway" takes you to the success page over HTTPS.

In Firefox it just displays the HTTP page with the red padlock symbol. No warning is displayed.

Sitewide HTTPS redirects are enabled through Cloudflare. It's not possible to access any other pages without SSL by manually typing in a HTTP address. .htaccess redirects are also enabled with:

Code: Select all

Options +FollowSymlinks
RewriteEngine On
RewriteCond %{HTTP_HOST} !^domain\.com$ [NC]
RewriteRule ^(.*)$ https://domain.com/$1 [R=301,L]

I have also tried disabling this in case it was interfering with Cloudflare.

This seems to be the best fix for version 1.x but I don't have that exact line of code in my contact.php file: viewtopic.php?f=161&t=137756&p=547598

Newbie

Posts

Joined

Thu Oct 09, 2014 3:35 pm

Re: Contact form success page forces HTTP, returning security warning in Chrome

Expert Member

Posts

Joined

Sat Jan 14, 2012 1:02 am

Location

United Kingdom

Post by ADD Creative » Sun Dec 13, 2020 10:55 pm

Do all URLs in your config.php and admin/config.php start with 'https'?

www.add-creative.co.uk

Expert Member

Posts

Joined

Sat Jan 14, 2012 1:02 am

Location - United Kingdom

Re: Contact form success page forces HTTP, returning security warning in Chrome

paulfeakins

Guru Member

Online

Posts

9185

Joined

Mon Aug 22, 2011 11:01 pm

Location

London Gatwick, United Kingdom

Post by paulfeakins » Mon Dec 14, 2020 6:02 pm

Just make your whole site HTTPS.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk

paulfeakins

Guru Member

Online

Posts

9185

Joined

Mon Aug 22, 2011 11:01 pm

Location - London Gatwick, United Kingdom

Re: Contact form success page forces HTTP, returning security warning in Chrome

Newbie

Posts

Joined

Thu Oct 09, 2014 3:35 pm

Post by Strike2223344 » Mon Dec 14, 2020 6:48 pm

paulfeakins wrote: ↑
Mon Dec 14, 2020 6:02 pm
Just make your whole site HTTPS.

"Use SSL" is enabled in settings.

I have changed these files:

config.php:

Code: Select all

// HTTP
define('HTTP_SERVER', 'https://domain.com/');

// HTTPS
define('HTTPS_SERVER', 'https://domain.com/');

admin/config.php:

Code: Select all

define('HTTP_SERVER', 'http://domain.com/admin/');
define('HTTP_CATALOG', 'http://domain.com/');

// HTTPS
define('HTTPS_SERVER', 'https://domain.com/admin/);
define('HTTPS_CATALOG', 'https://domain.com/');

Now I get this error:

This is the same error as I was getting before, with this issue: viewtopic.php?f=190&t=221352&p=807236#p807236

This time though, the email is coming through. I have double checked that the change to contact.php is still in place.

And this time, Apache returns this error:

Code: Select all

[Mon Dec 14 05:44:20.977882 2020] [:error] [pid 13317] [client 172.68.141.167:21492] PHP Fatal error:  Uncaught Exception: Error: Connection timed out (110) in /var/www/domain.com/public_html/system/library/mail.php:339\nStack trace:\n#0 /var/www/domain.com/public_html/catalog/controller/information/contact.php(51): Mail->send()\n#1 /var/www/domain.com/public_html/system/storage/modification/system/engine/action.php(51): ControllerInformationContact->index()\n#2 /var/www/domain.com/public_html/catalog/controller/startup/router.php(49): Action->execute(Object(Registry))\n#3 /var/www/domain.com/public_html/system/storage/modification/system/engine/action.php(51): ControllerStartupRouter->index()\n#4 /var/www/domain.com/public_html/system/engine/front.php(67): Action->execute(Object(Registry))\n#5 /var/www/domain.com/public_html/system/engine/front.php(57): Front->execute(Object(Action))\n#6 /var/www/domain.com/public_html/system/framework.php(205): Front->dispatch(Object(Action), Object(Action))\n#7 /var/www/domain.com/public_html/s in /var/www/domain.com/public_html/system/library/mail.php on line 339, referer: https://domain.com/index.php?route=information/contact

The "success" page (that returns the 500 error) is still served over HTTP, not HTTPS, despite the settings/config.php file changes/htaccess rewrite.

Newbie

Posts

Joined

Thu Oct 09, 2014 3:35 pm

Re: Contact form success page forces HTTP, returning security warning in Chrome

Expert Member

Posts

Joined

Sat Jan 14, 2012 1:02 am

Location

United Kingdom

Post by ADD Creative » Mon Dec 14, 2020 8:46 pm

Your HTTP_SERVER and HTTP_CATALOG in admin/config.php are wrong, but I don't think that is the cause.

The 500 error you have now is different to the one before. The error before was 'MAIL FROM not accepted from server!'. You now have 'Error: Connection timed out (110)'. This means the SMTP reply to the data you are sending was not received in time. This could be down to server PHP settings or just a hosting issue.

Back to your original error error. The error you are seeing was not that the success page was not HTTPS, but the contact form was being submitted to HTTP and not HTTPS. The contact form was changed since 2.1 to submit over HTTPS. https://github.com/opencart/opencart/co ... 951b729f8a

This suggest the issue is due to a modification to your files, an extension, your theme or something server side.

www.add-creative.co.uk

Expert Member

Posts

Joined

Sat Jan 14, 2012 1:02 am

Location - United Kingdom

Re: Contact form success page forces HTTP, returning security warning in Chrome

Active Member

Posts

Joined

Fri Sep 21, 2018 12:01 am

Post by fegdeed » Thu Dec 17, 2020 8:01 am

Add the code below at the top in the beginning of your .htacess file and save it.

Code: Select all

#Redirection code starts
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#Redirection code Ends
RewriteEngine on

Get a secure, fast, and reliable web hosting service from https://turnuphosting.com.

Active Member

Posts

Joined

Fri Sep 21, 2018 12:01 am

Re: Contact form success page forces HTTP, returning security warning in Chrome

Active Member

Posts

Joined

Fri Mar 27, 2015 11:13 pm

Location

Denver, Colorado, USA

Post by EvolveWebHosting » Mon Dec 21, 2020 2:06 am

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?

The above code is for SSL validation from Comodo, years ago. That's not needed to make the website secure.

Opencart Hosting Plans, Domain Registration, Microsoft and Google Email and More
Visit our website for great deals and most importantly, fast and friendly support - www.evolvewebhost.com

Active Member

Posts

Joined

Fri Mar 27, 2015 11:13 pm

Location - Denver, Colorado, USA

Re: Contact form success page forces HTTP, returning security warning in Chrome

Active Member

Posts

Joined

Fri Sep 21, 2018 12:01 am

Post by fegdeed » Sat Jan 02, 2021 9:30 pm

EvolveWebHosting wrote: ↑
Mon Dec 21, 2020 2:06 am
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?

The above code is for SSL validation from Comodo, years ago. That's not needed to make the website secure.

Yes you are right about the validation aspect, but it also has

Code: Select all

    RewriteEngine On 
    RewriteCond %{HTTPS} off 
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

in it which redirects all http request to https, or did I miss something?

Get a secure, fast, and reliable web hosting service from https://turnuphosting.com.

Active Member

Posts

Joined

Fri Sep 21, 2018 12:01 am

Re: Contact form success page forces HTTP, returning security warning in Chrome

Active Member

Posts

Joined

Fri Mar 27, 2015 11:13 pm

Location

Denver, Colorado, USA

Post by EvolveWebHosting » Sat Jan 02, 2021 11:31 pm

I know your post also had the redirect code. That's why I only highlighted the PKI Validation code that is not needed.

Opencart Hosting Plans, Domain Registration, Microsoft and Google Email and More
Visit our website for great deals and most importantly, fast and friendly support - www.evolvewebhost.com

Active Member

Posts