Setting up SSL in DNN 4.5.4+

New in DNN 4.5.4 is the ability to set specific tabs to require secure sockets layer ( SSL ). This is useful if you want to make sure that the information that is transferred between your users and your DotNetNuke portal is encrypted. Typical situations of when you would want to encrypt the information trasferred is when you are sending passwords or collecting credit card information.

The first thing to realize is that DotNetNuke does not provide the actual securing mechanism.  DotNetNuke only helps to switch your end user's browser to the SSL channel which will have to be setup in IIS.  If you are on a shared host then you may need to get your ISP/Hosting provider involved to setup your hosting certificate. If you are looking for widely recognized and inexpensive SSL certificates you can get them from my reseller account at Snapsis Domain Names.

If you have further questions about installing your SSL certificate I'll be glad to help if I can, just post your questions as replies to this tutorial.

To setup SSL enforcement in DotNetNuke, first login as administrator and navigate to Admin > Site Settings  - Advanced Setings - SSL Settings.

In order to force any tab in your portal to switch to a secure channel (https://) you will first need to have SSL Enabled checked in the Admin > Site Settings for the portal.

SSL Enforced is an additional flag that will help switch the pages that you do not have marked as needing SSL back to using a non-secure channel (http://).

Note: These two settings cause a redirect to happen from the server.  This is not the most efficient way to handle switching to and from SSL in your portal, but is convienient if you want to just mark a checkbox and be done.  If you find that your secure pages are slow to show then you may want to optimize the switching to SSL by hard-coding your SSL links to use https:// and by using the method that I use on this site to switch SSL on and/off using a client-side script.

SSL URL is optionally used for specifying a shared URL that may not be in the same domain as your own.  I strongly recommend against using this.  If you are using SSL then you should be doing it to inspire trust in your end users. If you resort to sharing an SSL certificate with other sites that are on different domains than your own then it doesn't accomplish that very well. An SSL certificate's main purpose is to identify that your site (i.e. your domain name) in the virtual world is really who it says it is in the real world.

Standard URL is used to specify a url that will be used when moving back to your site after the SSL Url is used. This would be used in conjuction with the SSL URL to get users back to your own domain.

After enabling SSL for the portal, you can now specify that specific tabs in your portal should use SSL.

Navigate to the Page Settings - Other Settings for the page you want to use SSL and check the Secure checkbox.

That's it.  Now anytime that someone navigates to a page that has this set, the server will turn around and tell the browser that it should navigate to the same page but to use a secure channel (https:// instead of http://).

A couple more things to consider:

1. If you are going to use this method to force SSL on your pages then I recommend that you never do this on your home page.  Save your home page as a friendly welcome area to visitors you have never met. Don't make them wait on secure channel switching, or present them with a login right away.
2. When you set a page to use SSL you need to make sure that the page is not referencing any content that is not using https:// urls or you will get what is called a "mixed-mode" message that will really confuse your end users as to what it is that may not be secure.

For anyone who did not find this thread from the DotNetNuke.com forums, there is also discussion on this tutorial there:

http://www.dotnetnuke.com/Community/Forums/tabid/795/forumid/118/threadid/154421/scope/posts/Default.aspx

Hi John,

first of all - very good tutorial - many thx! But I have some questions because my site doesn't do what I would like:

I bought a certificate from your suggested store - worked perfect
I installed it on my server -> worked perfect
I upgraded my site from dnn 4.5.3 -> 4.5.4 -> worked perfect

When I set SSL-enabled + SSL-enforce on true and set the page settings of one page also to secure (as above described), any time, I get dialog box:
"This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" ->

I see on the website-header that this site now starts with https://www..... but I can't see the certificate in my browser

Do I have to check on the IIS on my server the SSL-check-box 128-bit security and to enforce SSL? - I think no- because when I set this my site is only reachable when the user start working with https://www... -> my starting point should be: http://www...

Hope you can help me with this situation of seeing the certificate and not to get the dialog-box !

THX !!!!

Cheers,
Robert John
Austria

Hi Robert,

Thanks!

The mixed-mode message warning is something that comes from having content on your page that references images, js, or some other external item on a non-secure channel.  The good news is that if you get the warning then you do have SSL setup on your server correctly.  On that message is two options. You can see the actual certificate if you choose [u]not[/u] to display the non-secure items.

Steps to remove that warning could go like this:

1. Remove any unnecessary advertising or other dynamic items from the page that you are wanting to use SSL on.
2. Open the raw html source (View > Source in IE) and search for "http://" - if you find this on any reference then it is probably causing the warning message to be displayed.
3. This is the hard one.  Try and identify why the items from #2 are using a absolute path reference to a non-secure (http://) link and try to make the links relative paths instead of absolute.  In other words, if something is hard-coded as src="http://www.snapsis.com/images/spacer.gif" make it src="/images/spacer.gif" instead.

If you can't find the reason for the message, and would like me to take a look just let me know.

There is more about mixed-mode messages and a response to this tutorial by Joe Brinkman (CTO of the DotNetNuke Corporation) in the following thread:

http://www.dotnetnuke.com/Community/Forums/tabid/795/mid/2108/forumid/118/threadid/152419/scope/posts/Default.aspx

I'd be happy to hear anyone else's thoughts on the debate that Joe and I are having in that thread.

Hi John,

MANY thanks for your help and your quick response!!

You have absolute right!

First, I tought that this couldn't be, because it is just text! But, when I saw the source code as you mentioned, then I saw that I'm using Google-Analytics on every site of my portal - that means, everytime a user hits the page there is a short roundtrip to Google-Analytics - you can set this on the page-settings (Page-Header-Tag) - in my case this is:

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-xxxxxx-1";
urchinTracker();
</script>

and there it is the http://... :-)

With that knowledge I know, that I have to take off the Google-Analytics stuff from any login-page :-) - or maybe you know a better solution ....

THX again, John !

Cheers,
Robert John
Austria

Hi John,

I have posted my question in the dotnetnuke-forum, but unfortunately without any response - I guess that you are my last hope !!!  - you helped me out to do the correct SSL-installation - that was perfect!

Now I have another problem without any solution :

I have a problem with SSL on 2 different web-sites:

I have 2 domains on my web-server: one is the productive-domain (eg. www.productive.com) the other is the teststage-domain where I will test all updates, new modules, etc. before it is going live (eg. www.testdomain.com) - I bought both certificates from Snapsis.

I use DNN 4.5.5 with SSL-support and 2 different certificates (one for productive.com and one for testdomain.com)

Normaly after testing all new updates on testdomain.com I usualy copy the DNN-folder of this website and the database to productive.com -> then I change the web.config (only the 2 database-connection-strings) and in the database in the table dbo.PortalAlias the HTTPAlias from www.testdomain.com to www.productive.com -> and vice versa !

This senario has worked for more than 1 year perfect - but now with SSL-support I got following error, when I click on a page with SSL-support:
"The security certificate presented by this website was issued for a different website's address"

I tried to reinstall the certificate - the IIS says that everything is OK - unfortunately not.

Is there any entrance in other database table (new in version 4.5.4) I have to change? From my personal point of view I think it should only be an entrance within the IIS.database ?!

ANY hint are VERY WELCOME !!

THX a lot, John !!!

Cheers,
Robert

I enabled SSL in the stock DNN way - easy enough - and also checked "Security Enforced" to ensure that pages not set as secure would not be delivered via SSL.

Here's what happened: The URL stayed like this: https

for pages that were not marked secure, and I got an error saying the page could not be displayed. When I altered the URL in the address bar to remove the s and reloaded, then the page loads fine.

This is DNN 4.5.5

It's working right, sort of ... except it should direct back to http for pages not marked as secure, not leave it as https and throw an error!

Hi Robert,

SSL certificates are usually tied to a specific host & domain name.  Unless you get a special one that will work on more than one host then it will give that warning in the browser when the site is accessed on another host name.  I'm not sure how you had it working before, maybe you somehow set your browser to ignore the error.

If the warning is only in development you should be able to live with it, but if you want it to go away then you will neeed a seperate certificate that is created for the host & domain name you are using.

Hi John,

thx for your answer - but that is exact the problem - I have 2 different certificates: one certificate for the testdomain and another one for the productive domain. I didn't have this problem without SSL - so personaly I guess that there is something in dnn or in the database which proofes the redirect of the page. Any hints?

THX again!

Cheers,
Robert

Sorry Robert, I should have read your original post better.

Did you enable the SSL support on the Admin > Site Settings page? If so, maybe you don't need to if you already had it working before.

Maybe you are using the SSL Url setting? If so, I would not set that for your environment.  That is only for sharing a url for SSL.

When you get the message about the certificate being issued for the wrong site, does the Url in the browser match what you expected it to be?

The only way to get this message is if you are at a Url and the IIS site that has the certificate installed is allowing you to use it without having the same domain name as what is on the certificate.

Hi John,

thx for your perfect help!! Meanwhile I'm really despaired - nothing works!

I only enabled "SSL-Enabled" and "SSL-Enforced" on the Admin > Site Settings. Then on the page itself I enabled "Secure" on Page-Settings.

I havn't changed anything in the IIS - only SSL-port 444 for the testdomain and SSL-port 443 for the productive domain.

I tested it again, there are the same results on the postback.

BUT:
When I changed in the dnn-table dbo.Tabs the entry "IsSecure" from the Tab-above ("SSLLogin") from True -> False everythings works - of course without https:// -> I'm REALLY despaired of that - it costs me meanwhile 1 week .

AGAIN -  THX, John for your help!!

Cheers,
Robert

Robert John - Austria/Europe

That's correct, they have the same IP-address - but different SSL-ports - that should be OK, or not?!

You can access the testdomain because (as I described above) I changed the tabel within dnn (IsSecure) from True->False.

Does it mean, that a SSL-certificate is bound on IP-adress? Only one SSL-certificate can be used on one IP-adress?

Sorry for my questions ...

Generally: do you have an idea of how you could realize such a scenario with SSL. I would have the possibilty to test anything before it should go live (webstore, payment, updates, ...) - and NOT on your development machine (there usualy runs anything perfect :-)) - BUT on Productive-Environment - that was my idea to buy another domain, an aditional SSL-certificate and copy ony the dnn-folder and the database - as I have done the last 12 month ...

THX !

Cheers,
Robert

Yes, you can run them on the same IP address as long as the SSL port is different.

The only thing you'll have to do is specify the port in the Url for the non default one. By default the SSL port is 443 and the browser knows to use that port if you have https:// on the url. But if you put SSL on another port then you need to specify it on the Url like this: https://www.testdomain.com:999 (change 999 to whatever port you have assigned).

DotNetNuke will not be able to handle switching to SSL if it is not on the default port.

I think you have the right idea.  Also keep in mind that if you use a different port on the Url then your PortalAlias in DNN will need to reflect that.

If you had it working before, you should just uncheck the Enable SSL and Enforce SSL  in DNN.

Hi John,

I don't know the right word's from your posting (I'm german speaking) - but I guess it's: YOU MADE MY DAY

I have just tested your suggestion - it worked perfect !

btw: I just edited my posts above that nobody don't see my productive and test-domain - may I kindly ask you to change also the name from your previous post (https://www......com:999) to any other xxxxx-domain - I'm a little fearful of some hacking-attacks  - THX, John !

AGAIN - THX !!! - Perfect help !!

Cheers,

Robert John (Austria / Europe)

That's great, I'm gald I could help.  The domain name in my post above has been chnaged.

By the way. I notice your name is Robert John.  My middle name is Robert so I am John Robert.