I have CS5 and I don't know how to implement the SSL certificate

Thank you Ben.  I'm not sure I understand a lot of it so far but I will endeavour to figure it out over the weekend.

Mine was a paid certificate organized by my site host. I checked with them, they have uploaded the certificate and they told me I have a Windows server. Does that make any difference to the ,htaccess file that I must write please?

In that case you cannot use .htaccess, for Windows you will need a file called web.config.

Having said that, your Parallels Panel will probably negate having to use web.config. In the panel, go to IIS Settings

and tick the Require SSL box

As far as I can see and judging by the info that you have supplied, this is all you have to do.

At the risk of sounding even dumber where do I find this colourful panel that you have included in your two replies please?

When you log into your hosting account, you should be confronted with said panel. Who is your web host?

I ended up ringing my host company.  The fellow I spoke to said there is no setting (per se ) for IIS/with a box to check for SSL.

He has done something his end which now results in my website showing up as https://www....... but the information thingee at the side of it says the "site is not fully secure'. The man I spoke to said I now need to go through the whole website and put an 's" at the end of every single http which is a very daunting task because there are so many links.

I had hoped there was an easier way to do this. What do you think please?  My host is a company called Westnet.

jeanmorrison  wrote I ended up ringing my host company.  The fellow I spoke to said there is no setting (per se ) for IIS/with a box to check for SSL. He has done something his end which now results in my website showing up as https://www....... but the information thingee at the side of it says the "site is not fully secure'. The man I spoke to said I now need to go through the whole website and put an 's" at the end of every single http which is a very daunting task because there are so many links. I had hoped there was an easier way to do this. What do you think please?  My host is a company called Westnet.

I've just gone through the same process for one of my clients sites and yes its a pain in the backside changing the links. You can do a sitewide find and replace. Find http:// replace with https://

It was much quicker and easier than I thought. The certificate was already set up by the hosting company, which of course helped.

I would back-up your site-folder before you carry out any updates just incase anything goes wrong, then you have a 'clean' folder to work from again.

Once you have changed your links from http:// to https:// then upload your updated files to your server.

Create a file in the same directory as your home page (root directory) called web.config. In that file, place the following contents

<configuration> <system.webServer> <rewrite>   <rules>   <rule name="HTTP to HTTPS redirect" stopProcessing="true">   <match url="(.*)" />   <conditions>   <add input="{HTTPS}" pattern="off" ignoreCase="true" />   </conditions>   <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />   </rule>   </rules> </rewrite> </system.webServer> </configuration>

This will save you having to rename all of your links.

Thanks to both of you. So, I copy the code, substitute my (new) url into line 10 and save it, maybe in notepad, as web.config and then upload it. Hopefully I can manage that.

it's 7 pm here so I'll do this tomorrow with a fresh mind to the job. I'll report back my success.

jeanmorrison  wrote Thanks to both of you. So, I copy the code, substitute my (new) url into line 10 and save it, maybe in notepad, as web.config and then upload it. Hopefully I can manage that. it's 7 pm here so I'll do this tomorrow with a fresh mind to the job. I'll report back my success.

Personally Id rather have the correct code in my actual pages rather than using Bens method but if it works, then it works. I do things properly, others just paper over the cracks and hope the cracks dont start to show.

osgood_  wrote Personally Id rather have the correct code in my actual pages rather than using Bens method but if it works, then it works. I do things properly, others just paper over the cracks and hope the cracks dont start to show.

What happens when you Google the site, before Google has caught up with the change, and it sends you to HTTP instead of HTTPS? Do you call that proper?

Edit: Adding the redirect using web.config, will give you time to change the code as @osgood_ suggested. Even if you miss a few links, web.config will catch those. I'd hate to think that this is not classified as proper coding as suggested by the ill-informed.

BenPleysier  wrote osgood_   wrote Personally Id rather have the correct code in my actual pages rather than using Bens method but if it works, then it works. I do things properly, others just paper over the cracks and hope the cracks dont start to show. What happens when you Google the site, before Google has caught up with the change, and it sends you to HTTP instead of HTTPS? Do you call that proper? Edit: Adding the redirect using web.config, will give you time to change the code as @osgood_ suggested. Even if you miss a few links, web.config will catch those. I'd hate to think that this is not classified as proper coding as suggested by the ill-informed.

Was you NOT suggesting to leave the http:// links in the pages as they were, nothing about Google caching the pages which would also need to be addressed. Rather than go about it half-assed as you always seem to do, do it properly.

jeanmorrison  wrote it's 7 pm here so I'll do this tomorrow with a fresh mind to the job. I'll report back my success.

Perth by any chance?

I see your post said you copied the file provided by BenPleysier - Your pages still aren't secure and they won't be because its a redirect. You still need to fix the mixed content issue. A redirect will not fix this. 

You need to change your links, images and css file yourself to https.

Your site still shows this

<link rel="stylesheet" type="text/css" href="style.css" />

instead of this

<link rel="stylesheet" type="text/css" href=" https://www.heritageceilings.com.au/style.css" />

If you have CS5 you should have the find and replace feature. If you don't know how to use it, see this link. Please make a backup of your site first.

Once you've changed your links, scan using Screaming Frog for broken links and insecure content.

If you don't want to change the urls over, then don't change your site to SSL. Its one or the other, not both.

1 - Change urls / images and css to use absolute links - eg. http://www.mysite.com/page/ instead of <a href="../../page/">

2 - Find and replace http://www.mysite.com/ and replace with https://www.mysite.com/

3 - Add http to https rewrites in .htaccess file (basically what Ben was trying to tell you to do but different)- make sure to include either www or non-www rewrite.

4 - scan site to check for broken links / insecure content

5 - request sites that link to you also change to https. Most will have no problem.

Have a look at the code at bunchokids.org. I have done none of what you are saying.

Yes and your site is indexed in google using both https and no https. Image attached.

Google site:bunchokids.org

Correct and it will stay that way until Google has finished doing the updates. The site was changed about a week ago to accommodate the secure socket layer (SSL)

Edit: All the more reason for using the redirect.

Actually you can have external links in your website as http:// (to other wesbites as you can't do anything about them.) So if you do a replace and find you would most likely need to watch that youre not changing links to ones which dont exist). Its all your internal links that need to be https://

Could you please explain the "why" for your first list item?

I have routinely observed the opposite of that advice given to those moving from http to https in a multitude of forums and articles. And from my own development of secure sites, I have never seen a security-based reason for converting from document relative to absolute paths for image and page links within the same site.

I'm curious to see if there is some other valid reasoning I've been missing for doing that.

OP could use a protocol relative url. I am referring to his file path as <a href="filename.php"> Regardless of which method OP uses, OP's links still need to be updated.

kaus1979  wrote ... 1 - Change urls / images and css to use absolute links - eg. http://www.mysite.com/page/ instead of <a href="../../page/"> 2 - Find and replace http://www.mysite.com/ and replace with https://www.mysite.com/ 3 - Add http to https rewrites in .htaccess file (basically what Ben was trying to tell you to do but different)- make sure to include either www or non-www rewrite. 4 - scan site to check for broken links / insecure content 5 - request sites that link to you also change to https. Most will have no problem.

I'm sorry, I guess I missed the non-numbered items in your list. I'm looking the "why" of #1 on your list of 5 specifically.

What is the reasoning behind changing document relative paths to absolute paths within your secure site?

I've always used absolute to prevent duplicate content issues.

Absolute specifies the exact url you want indexed. A relative url does not. With a relative url you have multiple versions of your website available. Rewrite rules help but for https, I would rather ensure that the correct protocol is served to avoid any possibility of canonicalization issues.

WP sites will also add a canonical tag in the header. This is another solution as it specifically states what the correct url is.

Here's a good link on the topic

Should I Use Relative or Absolute URLs? - Whiteboard Friday - Moz

Darn, now there is a lot of stuff going on here today so I won't be able to start tackling this issue till tomorrow.

Ben I'm in the same time zone as Perth but i live two hours south of Perth.

kaus1979 I don't have an .htaccess file. I think this may be because I have a Windows server. Would this be right?

I had another look at your site and it is nicely redirected to HTTPS, so in that area there is no need to worry about that, i.e. .htaccess (unix) or web.config (windows)

The problem is contained in this notice

The reason why the site is not fully secure is because the site uses absolute paths that point to HTTP as in

<p class="page-top-links"><a href="http://www.heritageceilings.com.au/index.php" title="Pressed tin budget priced walls, ceilings and splashbacks">Home</a></p>

There are two ways to overcome the issue, namely

1. change http to https
2. change the absolute path to a relative path, i.e. remove the part in red

The difference between absolute paths and relative paths is entirely a choice of the web developer. The advantage that a relative path has is that you would not have had to change anything in your document for the site to be fully secure. Some argue that absolute paths are better for SEO, but nothing is further from the truth.

As osgood_ has stated, you can do a search and replace on the whole site to make the changes.

osgood_ I see that you made mention of the fact that I suggested keeping http instead of changing to https. It was quite late at night after a hard day's toil and I did not understand what you were saying. I have always used relative paths so I did not think that there were those that used absolute paths. I did not have to change anything in my documents to get the full security working. To keep a document portable it is always best to use relative paths.