Skip to main content

SSL Activation SOP Workflow and Troubleshooting

Updated

Table of Contents

Overview

GrowthZone modules and GrowthZone CMS sites always have LetEncrypt SSL certificate generation enabled. No additional action is required to enable this functionality.

 

ChamberMaster/MemberZone Customers who wish to implement SSL on their SmartCMS website or ChamberMaster/MemberZone module pages will need our assistance to complete this process upon customer request. SmartCMS ChamberMaster module pages are not automatically secured without the intervention of the customer, however, as of October 2022 all chambermaster.com and memberzone.com subdomains have SSL activated by default but not forced.

 

Beginning on April 11, 2017, we are providing a Let’s Encrypt SSL Certificate that we will generate for all SCMS and traditional integrated subdomain customers.

 

This will be all that is necessary for SCMS customers. Subdomain integration customers will also require a certificate for their main, primary domain. They will be encouraged to work with their website host provider to activate the SSL certificate on their primary domain.

 

In all cases, activation of the SSL certificate for these platforms is free and the SSL certificate does not expire, renewing every 90 days automatically.

 

Note: Macros are available to facilitate the proper messaging and noted in the steps below.  Please note in each macro that CAPITALIZED words are meant for internal purposes and indicate locations where words must be inserted or deleted depending on the customer's situation.
 

Steps for Processing a request for SSL for ALL CM/MZ Customers

The customer will likely submit a ticket or call Level 1 support. The ticket will be escalated to Web Support. Communication to the customer and ownership of the ticket remains with Web Support.

 

Verify that the customer is on public module version 3 or above. If not, they need to upgrade.

 

Widgets need updated by us or communicated to customers that they need to do this if managing their own site. ​The widget code generated within the ISCP will need to be manually updated to have the https in the path. This can either be regenerated via the ISCP or preferably, to retain any customization to the widget, simply replace http:// with https:// in the source code of the existing widget placed on the website.

 

​Verify that SSL is enabled properly on the customer's primary domain so that enabling SSL on the modules does not result in broken resources. This can be done by visiting the customer's primary domain using the https:// protocol when typing the URL in a browser. Some customers may have SSL activated, but not forced, which in such cases Web Support can go ahead and proceed with SSL activation on the subdomain. If it not activated, notify the customer before proceeding.

 

Steps for Activating of SSL on CM/MZ databases

Run v9 Admin Query “CHAMBER – Turn On “LetsEncrypt” Certificates” from CM/MZ CUSTOMER DATABASE > Support Staff Only: Admin Console > MicroNet Database Updater Tool > SELECT A QUERY dropdown. Add the CCID to the PARAMETERS field and then select RUN THE BACKUP AND EXECUTE THE PRIMARY QUERY button. If adding new domains later, the tool will need to be ran again. 
 
 

This query will install certificates on all domains associated with that CCID. 

 

Run v9 Admin Query “Activate SSL Query 1 of 3" to update existing graphics.

 

Run v9 Admin Query “Activate SSL Query 2 of 3" to update marquee banner ads to "https".

 

For SmartCMS customers, before activating the next step to force SSL, visually locate any widget code on the site, using the http:// protocol the address window, and update any sources to use the https:// protocol. It is easier to identify prior to forcing SSL than it is after where any widget code that is not using the https protocol will be hidden from view. Review the browser console for any mixed content errors and update any sources to use https. This will likely include page header/footer, site header/footer, site layouts, base themes, and any content.

 

Run v9 Admin Query “Activate SSL Query 3 of 3" to force SSL on the domain. Ensure this new setting takes effect by logging into the customer's ISCP and selecting Clear Domain Cache on the General Settings tab.

 

ADDITIONAL ITEMS

 

If the customer has eCommerce, must enable SSL specifically (see eCommerce section below).

 

Add HTML5 Referrer policy meta tag to ensure HTTPS traffic can attribute the traffic to a specific referring source instead of "direct traffic". Add <meta name="referrer" content="origin" />​ script to ISCP > HTML > CUSTOM HEADER HTML.

 

Update the template file path(s) to https in the ISCP, as well as the Base Tag URL on the DOMAINS tab (for non-SmartCMS sites). If you have trouble logging in on SCMS sites, login to the SCMS site in edit mode via the <site>/integration/settings link.

 

eCommerce

If a customer has eCommerce listed in their ChamberMaster/MemberZone menu, the following needs to be updated.

Navigate to their website to review their live integration by selecting links to the standard module pages. Note the subdomain and copy the root of it. For SmartCMS sites, this will also be their primary domain.

Navigate to CM/MZ >  eCommerce > CONFIGURATION > SETTINGS > GENERAL > STORE SETTINGS and paste the URL of the subdomain, including the trailing slash, in the STORE URL field, e.g., http://greenvalley1009.chambermaster.com/ and select SAVE from the top right of the section.

Select the SECURITY SETTINGS tab and then the USE SSL checkbox and SAVE.

Copy this text to your clipboard: /store/Admin/Setting/AllSettings

While still in the eCommerce configuration section, after https://secure2.chambermaster.com in your browser, paste the above text in your browser and hit your ENTER key.

Select the "T" filter.

Enter the criteria below and either select your ENTER KEY or select FILTER.

Update it so that the following values are all set to "True".

​Troubleshooting

Occasionally after following these steps the certificate will still not be generating. Below are some things to check after confirming the previous steps have successfully run.

 

Is the domain pointed to the proper IP?

  • The domain needs to not only be pointed to the correct IP but also needs time to propagate. WhatsMyDns.net is a handy tool for checking out propagation.

 

Is the domain configured with a AAAA record?

  • Our current certificate generation will fail if an AAAA record is on that domain. This record needs to be removed for the certificate generation to succeed.

 

Is the domain properly configured?

  • https://letsdebug.net/ Enter the domain into this tool to check if it's got any problems that could be causing the certificate generation to fail. 

 

Is the certman process (the process that renews/creates certificates) running?

  • You can assume the process is running and healthy. It's monitored and alerts go to the Platform Engineering team if the process is not running as scheduled. Notifications are posted to the Platform Engineering Team's channel.