Testing ssl

From: https://www.ssllabs.com/

SSL Server Test
This free online service performs a deep analysis of the configuration of any SSL 
web server on the public Internet. Please note that the information you submit here 
is used only to provide you the service. We don't use the domain names or the test 
results, and we never will.

Also: https://geekflare.com/ssl-test-certificate/

Purchase ssl certificate

From: https://www.ssls.com/


    Single-domain SSL
    Multi-domain SSL
    Wildcard SSL

    Comodo SSL Certificates

    Domain validation
    Organization validation
    Extended (EV) validation

Install SSL Certificate for Drupal on Godaddy

From: godaddy.com

SSL Class 1 purchased from GoDaddy; they set it up.
Had to verify the website through creation of a TXT file.

Change of .htaccess file to alter all http to https.

StartCom

http://en.wikipedia.org/wiki/StartCom

Free Class 1 (personal) SSL Certificates.

Trustedness: In contrast to CAcert.org, which also offers free Class 1 SSL certificates, the StartSSL certificate is included by default in Mozilla Firefox 2.x and higher, in Apple Mac OS X since version 10.5 (Leopard), all Microsoft operating systems since 24 September 2009,[2][3] and Opera since 27 July 2010.[4] Since Google Chrome, Apple Safari and the Internet Explorer use the certificate store of the operating system, all major browsers include support for StartSSL certificates.

https://cert.startcom.org/

Get Your Certificate:

GoDaddy

From: http://support.godaddy.com/help/article/4875/installing-an-ssl-certificate-in-microsoft-iis-5-amp-6

Installing an SSL Certificate in Microsoft IIS 5 & 6

You must install the intermediate and primary certificates to your Microsoft® IIS 6 Web server to complete installation.

After installing SSL Certificate and verifying ownership for Godaddy Drupal website

Had to modify .htaccess per GoDaddy instructions and Drupal help sites.

Plus had to search for http references and change them to https; found two CSS references to fonts using http, changed them, and the formatting problems disappeared.

This repaired the display problems on website with http changed to https (Drupal site)

<IfModule mod_rewrite.c>
  RewriteEngine on
  # Set "protossl" to "s" if we were accessed via https://.  This is used later
  # if you enable "www." stripping or enforcement, in order to ensure that
  # you don't bounce between http and https.
  # RewriteRule ^ - [E=protossl]
  # RewriteCond %{HTTPS} on
  # RewriteRule ^ - [E=protossl:s]
  # Redirect every plain-http request to the same host and path over https.
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
  # ... rest of the stock Drupal rewrite rules ...
</IfModule>

Flags used in the RewriteRule:

  L  = last: stop processing further rewrite rules for this request
  R  = redirect: send an external redirect with the given status code (301, permanent)
  NE = noescape: by default, special characters such as & and ? are converted to
       their hexcode equivalent. Using the [NE] flag prevents that from happening.

If you have enabled SSL it may happen that some browsers may block the resources that are not using the https:// in their url.
While Chrome and Firefox manage to work fine in some cases, IE does give a strange behaviour.
I would suggest you to please cross check if any external scripts or images or styles that you are using in your website use the http:// in their urls. If any, please change them to use https://
It may not be the exact cause of your problem but since I faced this problem in one of my sites, I am suggesting this option.
answered Dec 30 '13 at 8:09, Sudheesh Damodaran

Thank you! That was precisely the problem. I was pulling in some fonts from fonts.googleapis.com. Changing that to "https" fixed the problem. Thanks again! – mrbranden Dec 30 '13 at 12:01

From <https://drupal.stackexchange.com/questions/98474/site-looks-different-under-ssl> 
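
The check recommended in the answer above, as an added example that is not part of the original post or of these notes: it lists subresources (fonts, styles, scripts, images) that theme files still reference over http://. The sample files, file names and URLs are constructed for illustration, and the file extensions searched are an assumption about where a theme keeps such references.

```shell
#!/bin/sh
# Added example: find subresources still loaded over http://.
# Anchor links (<a href>) are navigation, not subresources, so they are not reported.

find_insecure_refs() {   # $1: directory holding theme/template files
    grep -rnEi \
        --include='*.css' --include='*.html' --include='*.js' --include='*.php' \
        -e 'url\([[:space:]]*["'\'']?http://' \
        -e '@import[[:space:]]+["'\'']http://' \
        -e '<(script|img|iframe)[^>]*[[:space:]]src=["'\'']http://' \
        -e '<link[^>]*[[:space:]]href=["'\'']http://' \
        "$1"
}

count_insecure_refs() {  # prints the number of offending lines (0 when clean)
    find_insecure_refs "$1" | wc -l | tr -d ' '
}

make_sample() {          # constructed sample theme, for illustration only
    mkdir -p "$1"
    cat > "$1/style.css" <<'EOF'
@import url("http://fonts.googleapis.com/css?family=Open+Sans");
@font-face { font-family: Demo; src: url(http://fonts.example.test/demo.woff); }
.logo { background: url(https://example.com/logo.png); }
EOF
    cat > "$1/page.html" <<'EOF'
<a href="http://example.com/about">About</a>
<script src="http://example.com/app.js"></script>
<link rel="stylesheet" href="https://example.com/ok.css">
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
find_insecure_refs "$demo_dir"   # two font references in style.css, one script in page.html
rm -rf "$demo_dir"
```

Run `find_insecure_refs` against the theme directory after switching the site to https; every line it prints is a reference a browser may block as mixed content.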

Finally, after a lot of tests
selinav commented 2 months ago
Finally, after a lot of tests, the code below works.
As Bairnsfather says, it is necessary to comment out the first three lines
<IfModule mod_rewrite.c>
  RewriteEngine on
  # Set "protossl" to "s" if we were accessed via https://.  This is used later
  # if you enable "www." stripping or enforcement, in order to ensure that
  # you don't bounce between http and https.
  # RewriteRule ^ - [E=protossl]
  # RewriteCond %{HTTPS} on
  # RewriteRule ^ - [E=protossl:s]
  RewriteCond %{HTTPS} off
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  RewriteCond %{HTTP_HOST} ^mydomain\.com$
  RewriteRule ^(.*)   https://www.mydomain.com/$1  [QSA,L,R=301]

  # Make sure Authorization HTTP header is available to PHP
  # even when running as CGI or FastCGI.
  RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  # Block access to "hidden" directories whose names begin with a period. This
  # includes directories used by version control systems such as Subversion or
  # Git to store control files. Files whose names begin with a period, as well
  # as the control files used by CVS, are protected by the FilesMatch directive
  # above.
  #
  # NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
  # not possible to block access to entire directories from .htaccess, because
  # <DirectoryMatch> is not allowed here.
  #
  # If you do not have mod_rewrite installed, you should remove these
  # directories from your webroot or otherwise protect them from being
  # downloaded.
  RewriteRule "(^|/)\." - [F]

  # Redirect the .fr domain to the .com
  RewriteCond %{HTTP_HOST} ^mydomain\.fr$
  RewriteRule ^(.*) https://mydomain.com/$1 [QSA,L,R=301]

  # Redirect the blog to the .com
  RewriteCond %{HTTP_HOST} ^blog\.mydomain\.com$
  RewriteRule ^(.*) https://mydomain.com/$1 [QSA,L,R=301]
  RewriteCond %{HTTP_HOST} ^www\.mydomain\.fr$
  RewriteRule ^(.*) https://www.mydomain.com/$1 [QSA,L,R=301]
  RewriteCond %{HTTP_HOST} ^mydomain\.fr$
  RewriteRule ^(.*) https://www.mydomain.com/$1 [QSA,L,R=301]
  # ... rest of the stock Drupal rewrite rules ...
</IfModule>
Thanks a lot

From <https://www.drupal.org/https-information> 

HSTS & Redirection within .htaccess
Bairnsfather commented 2 months ago
Here's what I did that seems to work for D7 & D8 (specifically as of 7.54 & 8.3.1 on Apache 2.4.5 with php 5.6.30) using the stock .htaccess file with only the modifications mentioned below. In simple terms, the Strict-Transport-Security line will not initially redirect traffic from http to https. (That line is not seen on http requests and older browsers don't understand it.) Thus the interest in redirection with a RewriteRule; however, that leaves open the possibility of a MITM attack. But the hope is with DNSSEC and a modern browser that understands HSTS, in less than a second your browser will remember (for max-age seconds) to only request https resources, even if your site or another site has an http link/resource on it. In other words once your modern web browser loads a page via https from your site, the browser learns it should be strict and only make https requests, even if it encounters a resource or link specifying http.
First, make sure you have your server available via https and your certificate includes all subdomains you use. Max-age is in seconds, customize it for your needs, and be sure to read (at least) https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security (RFC link below.)
Below the lines:

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on

paste in

  # Take advantage of HSTS if it's available & the request was over https.
  Header always set Strict-Transport-Security "max-age=3456000; includeSubDomains" env=HTTPS
  # Force all traffic to be https & strip 'www.' prefix.
  RewriteCond %{HTTP_HOST} ^www\. [NC,OR]
  RewriteCond %{HTTPS} off
  RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
  RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

Then put a # in front of the three lines below to comment them out; it no longer applies since we just forced all traffic to https. The following lines are already in the .htaccess file and just below what you pasted in.

#  RewriteRule ^ - [E=protossl]
#  RewriteCond %{HTTPS} on
#  RewriteRule ^ - [E=protossl:s]

Also note the HSTS module https://www.drupal.org/project/hsts has versions for D7 & D8. Which is good if you run multisite and not all domains have a certificate.
Tip - go here to get free certs: https://LetsEncrypt.org
RFC 6797: https://tools.ietf.org/html/rfc6797
You can test things by opening your terminal application and curl -I your domain in various ways to inspect the header.

From <https://www.drupal.org/https-information> 
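
The `curl -I` test suggested in the comment above, turned into a repeatable check (an added example, not part of the original comment or of Drupal's documentation): one function verifies that the http:// response is a 301 to an https:// URL, the other that the https:// response carries an HSTS policy with at least the expected max-age. The function names and the sample responses are constructed; the max-age value is the one used in the comment.

```shell
#!/bin/sh
# Added example: check the headers printed by `curl -sI` for the https
# redirect and the HSTS policy configured in .htaccess.

check_https_response() {   # stdin: headers of the https:// response; $1: minimum max-age
    hdr=$(tr -d '\r' | tr 'A-Z' 'a-z' | grep '^strict-transport-security:') ||
        { echo "FAIL: no Strict-Transport-Security header"; return 1; }
    age=$(printf '%s\n' "$hdr" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    { [ -n "$age" ] && [ "$age" -ge "$1" ]; } ||
        { echo "FAIL: max-age '$age' is below $1"; return 1; }
    case $hdr in
        *includesubdomains*) echo "OK: max-age=$age" ;;
        *) echo "OK: max-age=$age (includeSubDomains not set)" ;;
    esac
}

check_http_redirect() {    # stdin: headers of the http:// response
    resp=$(tr -d '\r')
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    loc=$(printf '%s\n' "$resp" | grep -i '^location:' | sed 's/^[^:]*: *//')
    [ "$status" = 301 ] || { echo "FAIL: status '$status', expected 301"; return 1; }
    case $loc in
        https://*) echo "OK: 301 -> $loc" ;;
        *) echo "FAIL: Location '$loc' is not https"; return 1 ;;
    esac
}

# Constructed sample responses (CRLF line endings, as curl prints them).
sample_http()  { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n'; }
sample_https() { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=3456000; includeSubDomains\r\n\r\n'; }

sample_http  | check_http_redirect
sample_https | check_https_response 3456000
# Live use: curl -sI http://example.com/  | check_http_redirect
#           curl -sI https://example.com/ | check_https_response 3456000
```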

Order allow,deny syntax
You can see the Order directive used in two ways.
Order allow,deny and Order deny,allow
Order allow,deny tells your web server that the Allow rules are processed before the Deny rules. If the client does not match the Allow rule or it does match the Deny rule, then the client will be denied access.
Order deny,allow means that the deny rules are processed before the allow rules. If the client does not match the deny rule or it does match the allow rule, then it will be granted access.

From <http://www.maxi-pedia.com/order+allow+deny> 





AllowOverride Directive
Description:	Types of directives that are allowed in .htaccess files
Syntax:	AllowOverride All|None|directive-type [directive-type] ...
Default:	AllowOverride None (2.3.9 and later), AllowOverride All (2.3.8 and earlier)
Context:	directory
Status:	Core
Module:	core
When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier configuration directives.
Only available in <Directory> sections
AllowOverride is valid only in <Directory> sections specified without regular expressions, not in <Location>, <DirectoryMatch> or <Files> sections.
When this directive is set to None and AllowOverrideList is set to None, .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem.
When this directive is set to All, then any directive which has the .htaccess Context is allowed in .htaccess files.
The directive-type can be one of the following groupings of directives.

From <http://httpd.apache.org/docs/current/mod/core.html#allowoverride> 

On Drupal 7, if you want to support mixed-mode HTTPS and HTTP sessions, open up sites/default/settings.php and add $conf['https'] = TRUE;. 

From <https://www.drupal.org/https-information> 



For best possible security, set up your site to only use HTTPS, and respond to all HTTP requests with a redirect to your HTTPS site. Drupal 7's $conf['https'] can be left at its default value (FALSE) on pure-HTTPS sites. Even then, HTTPS is vulnerable to man-in-the-middle attacks if the connection starts out as a HTTP connection before being redirected to HTTPS. Use the HSTS module or Security Kit module, or set the Strict-Transport-Security header in your webserver, and add your domain to the browser HSTS preload list, to help prevent users from accessing the site without HTTPS.
You may want to redirect all traffic from http://example.com and http://www.example.com to https://example.com. You can do this by adding the code below to your server configuration file, i.e., the VirtualHost definitions:
<VirtualHost *:80>
    ServerName www.example.com
    Redirect "/" "https://www.example.com/"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    # ... SSL configuration goes here
</VirtualHost>
The use of RewriteRule would be appropriate if you don't have access to the main server configuration file, and are obliged to perform this task in a .htaccess file instead:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com*
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
There are existing comments in .htaccess that explain how to redirect http://example.com to http://www.example.com (and vice versa), but this code here redirects both of those to https://example.com.

From <https://www.drupal.org/https-information> 
service/ssl.txt · Last modified: 2018/06/17 04:32 by superwizard