Free SSL with Let’s Encrypt

Oct 18, 2016 | Security

Setting up Let’s Encrypt

I get my hosting and the hosting for my clients from the best in the business. They offer about everything others offer and they respond to support tickets within 10 minutes. Anyway, contact me if you’d like to get set up with hosting from these amazing people. Let’s Encrypt SSL certificates have been available for a while now and my hosting company has just added this feature to the hosting control panel. It shows up as an icon for SSL among all the other icons for things like Account Profile, Mail Manager, MySQL Databases and Software Installer.

Let’s Encrypt is a certificate authority that provides free SSL certificates, accepted by most browsers. While they provide security and authenticity when accessing your site over SSL, they do not provide end-user warranties or the additional features of commercial certificates.  These added features are generally not necessary so Let’s Encrypt can probably serve all of your SSL needs.

Clicking on the SSL icon brings up a simple page with a couple of sections.  The first section offers general information about the use of SSL on a shared server.  It doesn’t have much to do with the Let’s Encrypt installation.  The second section is the Let’s Encrypt Certificates Manager. Click the continue button to see a list that includes your domain and subdomains.  For the purposes of experimentation,  I added the Let’s Encrypt certificate to my domain: globalcreations.com / www.globalcreations.com.

The installation process is as simple as can be. Just select the domain or subdomains you want to protect, click enable and wait awhile. When the system announces that your certificate is enabled, it’s done.

Checking Your Installation

Now when you go to the https version of your website,  you will see the security padlock – maybe.  If you are looking at the https version (e.g. https://globalcreations.com/) and the padlock isn’t there,  there is probably a problem with mixed content.  That is, content that is not from a secure source is being loaded onto your page.

The Chrome browser is handy for checking this. Just click the icon to the left of your URL, where the padlock is supposed to be. From there you can open a panel that, when you refresh the page, will list the elements that are not secure. Then, it’s just a matter of correcting your HTML so that it fetches the elements (like graphics) in a secure manner. For more on this, relative to WordPress, see Divi, WooCommerce and SSL.

Sometimes these mixed content problems are hard to chase down. I have one website that was updated years ago. At that time I added a lot of 303 redirects to the .htaccess file, since my old pages were replaced with new pages. After much head scratching, I discovered that one of those redirects messed up an shtml include, thus forcing my page to display an image from an insecure location. Since those redirects were no longer necessary, I deleted them and suddenly my pages were secure.

Forcing SSL

Once all is well when you go to the https version of your site, you need to force all users to go there. If your host is like mine, they offer a one-click option to force all pages to https. The option is found in the SSL section of the site’s control panel with the Let’s Encrypt setup.

If you don’t have that option, you may need to add the following code to the .htaccess file at the root of your domain or subdomain (if you are on a Linux/Apache server). If the file already contains “RewriteEngine On”, DO NOT repeat it, AND be sure the other two lines immediately follow it:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

WordPress

If you are using WordPress,  you will also need to go to Settings > General and change both links so they start with https.

Conclusion

That’s all there is to it with my hosting service.  If you are using another company,  you may find a similar icon on your hosting panel and installation should be similar.

In the past, the recommendation was to secure with SSL only the pages that need to be secure, like those that collect credit card information or transmit passwords. The argument is that securing all your pages adds strain on the server and slows the delivery of your pages. This is true, but only to a comparatively minor degree. It is likely that you won’t notice any impact at all, particularly if you are already using a lot of graphics or video on your pages. With WordPress, you can speed up your page delivery considerably using a caching plugin like WP Super Cache whether you are using SSL or not.

For more about Let’s Encrypt, see the organization’s website.