Setting up SSL in CMS Made Simple

SSL (Secure Sockets Layer) is a cryptographic protocol that provide communications security over the internet. Let's Encrypt SSL provides free SSL certificates, when your host provides popular control panels like cPanel or Plesk the installation is very easy.

Issue a new certificate in your control panel for your domain. A new key and certificate will be added to the servers SSL/TLS manager.

How to use

Change (or add) in your CMS Made Simple™ config.php file the URL settings.

$config['root_url'] = 'https://www.website.com';
$config['admin_url'] = 'https://www.website.com/admin';

At this point your website will use a secure https connection. But you might have to do some checks...

1. CDN urls for i.e. jQuery or Font Awesome libraries need to use https:// instead of http://.
Even better don't use any http(s): at all, because this works in both cases:

Don't forget to check your CMSMS™ stylesheets for external URLs!

Tip: Use The AdminSearch module to search in all content and templates for src="http://

2. Hardcoded URLs at your site needs to be changed so they use https:// in internal links and image paths.

3. Redirect all incoming URLs to use https://

In the /docs folder from your CMS Made Simple install you will find a extended default .htaccess file, named htaccess.txt. If you don't use a .htaccess file in your website root already, copy this file there and rename it to .htaccess.

Prefered https://www.website.com

#
# The following is to enable pretty URLs, only applicable if url_rewriting is set to 'mod_rewrite' in the config.php
#
<IfModule rewrite_module>
RewriteEngine on
# If your CMSMS installation is in a subdirectory of your domain, you need to specify the relative path (from the root of the domain) here.
# In example: RewriteBase /[subdirectory name]
RewriteBase /

# +++++ ADD THIS - START +++++
# Link to http(s)://website... then redirect to https://www.website...
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

# Force URLs have https instead of http
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# +++++ ADD THIS - END +++++

# Rewrites URLs in the form of /parent/child/grandchild but only rewrites if the requested URL is not a file or directory.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA]
</IfModule>

Prefered https://website.com

#
# The following is to enable pretty URLs, only applicable if url_rewriting is set to 'mod_rewrite' in the config.php
#
<IfModule rewrite_module>
RewriteEngine on
# If your CMSMS installation is in a subdirectory of your domain, you need to specify the relative path (from the root of the domain) here.
# In example: RewriteBase /[subdirectory name]
RewriteBase /

# +++++ ADD THIS - START +++++
# Link to http(s)://www.website.com then redirect to https://website.com
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

# Force URLs have https instead of http
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# ++++++ ADD THIS - END +++++

# Rewrites URLs in the form of /parent/child/grandchild but only rewrites if the requested URL is not a file or directory.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA]
</IfModule>

To test it you probably need to clear the browser cache first.
I noticed it sometimes needs some time to let it all work... Doesn't it work at once for you, give it a few hours and try again later.

Working example

Show related articles:

Comment Form

ReviewManager

Click here to open the form

ReviewManager

4 Comments

12-09-2024

Maira

https://unitynews.ainewsglitch.techmarketers.xyz/

Great blog here! Also your web site loads up very fast!
What web host are you using? Can I get your affiliate link to your host?
I wish my web site loaded up as quickly as yours lol

08-09-2024

Shelley

https://watchnow.gomuviz.com/

Thanks for your personal marvelous posting! I actually enjoyed reading it, you happen to be a
great author.I will be sure to bookmark your blog and will often come back at some point.

I want to encourage one to continue your great posts, have a nice evening!

31-03-2024

Twyla

https://alientechnologyunveiled.blogspot.com

Do you have a spam problem on this site; I also am a blogger, and
I was wondering your situation; many of us have developed
some nice practices and we are looking to trade techniques with other folks, be sure to shoot
me an email if interested.

01-02-2019

Rolf

You don't need the CMSMS page option "Use HTTPS for this page".
It will also be removed in a future core release.
If you follow the above it works!
Mixed content will not occur because you have to update the URLs at the site.

When you don't redirect incoming http links, the method is simply not complete.

And you have to set a canonical URL anyway, it is good practice, check this tutorial:
https://cmscanbesimple.org/blog/base-cms-made-simple-page-template-with-automated-metatags

No hacks needed, no core change needed to let this work properly!

24-01-2019

Philippe

Redirect all front-end request to secure or unsecure resquest is not recommended.

if you need to include an unsecured external source in a specific page... then you will get mixed content !

moreover, in admin panel , when editing a content page : in "Options" tab :
option : "Use HTTPS for this page" (become useless) !

Redirect all admin request to secure resquest is recommended.

But currently (cmsms 2.2.9) is still not corrected to achieve this automatically without mixed content error.
(easy to correct with hack, but i will send it only to the official dev team if they want save time.)

Moreover, if you setup your config file as it should be like this :

$config['root_url'] = 'http://www.website.com'; (not HTTPS)
$config['ssl_url'] = 'https://www.website.com';
$config['admin_dir'] = 'your_custom_admin_dir';
$config['admin_url'] = $config['ssl_url'].'/'.$config['admin_dir'];

and with htaccess, force only all admin request to be done as secure.

Then keep in mind, all front-end page are now accessible with 6 different url (3 http and 3 https)!

Result :

if you do not set canonical url : duplicate content by 6 ! (good luck)
or if you set canonical url : website not optimized
and statistics more complex

03-09-2018

Esmeralda

Rolf,
Such a clear and useful article!
Yet again, you've saved my day. Thanks!!!

03-01-2017

Nico

Hi there,

one question: does CMSMS also apply HTTPS to cookies/sessions by setting them to secure ?

Anyway, thanks for this post, very useful :)

Setting up SSL in CMS Made Simple

Article optimized for CMSMS 2.x

  Author: Rolf
  Last tested in: CMSMS 2.2.19
  Last updated: 10-02-2019
  Comments: 4
  http://cms.ms/OFLq

Ads help me to help you! Buy products from these advertisers!