Get a free SSL/TLS certificate for your domain and enjoy the benefits of having a secure https connection whether it’s for an online shop or regular site.
In April 2016 a new website security certificate authority called Let’s Encrypt was launched, offering free SSL/TLS for all. No longer just for online shops, https has appeared across the internet to encrypt data flows in an attempt to fortify privacy and data protection between all types of websites and their visitors.
Normally, webhosts charge an annual fee for SSL/TLS, but the modern webhosts are partnering with free domain security certificate providers just like Let’s Encrypt.
A Safer, More Secure Internet
Let’s Encrypt is provided by the non-profit Internet Security Research Group (ISRG) in association with partners and sponsors including Electronic Frontier Foundation, the Mozilla Foundation, Cisco and the Linux Foundation.
The technology is developed and maintained via a collaborative, consensus-driven process which aims to lower the complexity of maintaining https on a website. It is intended for widespread adoption.
Here’s some people I found on YouTube talking about it.
Why Have It? Browser Security Warnings, SEO and More
In September 2016 Google announced that their Chrome browser would begin displaying security icons as part of the website address informing visitors about encryption… or lack of it.
The concern among webmasters operating http sites is that visitors would immediately assume something is wrong with their site because of the browser warning. Even if sensitive personal information is not being processed/transferred, this warning is still visible.
A Google help page explains what to do to check if a site is secure.
Most webmasters and website designers now implement SSL or TLS regardless of the nature of the website. It’s become routine. SEO ranking algorithms are thought to now be influenced by SSL/TLS although this may only be marginal given all the other factors at play.
What Let’s Encrypt Actually Does
Technically, Let’s Encrypt uses TLS (Transport Layer Security) as a successor to the less secure SSL (Secure Sockets Layer). Therefore, the use of the phrase SSL is something of a misnomer.
Anyway… my rough sketch below demonstrates what SSL/TLS does.
It was previously assumed that TLS v1.0 was marginally more secure than SSL v3.0, yet the POODLE vulnerability reported by the Mozilla Security Blog revealed SSL v3.0 to be completely insecure. If you want to know more, here’s how Let’s Encrypt works in more detail.
Installing Through a Partner Host
The easiest way is to use a web host that partnered with Let’s Encrypt. Using a partner host means the option to switch on https is built into your hosting provider making the process of creating validating, signing, installing, and renewing certificates relatively easy.
I already use Dreamhost, which is not only an excellent shared host and great value for money but is a LE partner too.
Security certificates, both SSL and TLS, normally expire every 90 days, but a host partnered with LE will auto renew the certificate for at the end of each 90 day period.
That means you don’t need to do anything other than correctly install the LE cert.
See this list of Let’s Encrypt Partner hosts confirmed, planned or pending.
Installing Let’s Encrypt on a GoDaddy Shared Hosting Server?
It’s possible to install Let’s Encrypt on GoDaddy, but the certificate will not auto renew every 90 days the way certificates installed on a Let’s Encrypt partner host do.
I installed my LE certificate for Small Biz Geek via GoDaddy in 2016 as a test. A 301 redirect was implemented to have http point to https. The canonical versions of each page URL were updated on every page for the benefit of search engines.
It worked but I had to keep renewing the certificate manually. Small Biz Geek is still hosted on GoDaddy (yes, I need to move elsewhere!) but the LE renewal process was annoying so I switched the site to use a Cloudflare SSL/TLS instead.
Installing LE Through Certbot
You can use Let’s Encrypt with most webhosts provided you know how to install it via an SSH client like PuTTY using CertBot. The certificates only last 90 days and so need to be renewed either manually or using Certbot again, which can automate the renewal for you, but I couldn’t be bothered with it.
Here’s an extract from the Certbot introduction page:
Certbot is part of EFF’s effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identify of web servers (e.g., is that really google.com?).
Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.
If you’re using a Linux server you would run a cronjob to automate renewal of your certificate. The command only needs to run at least once every 3 months. The commands needed for times and dates can be created at Crontab Generator.
If you’re using a Windows server you’d use the @ command.
Summary: Take Away SSL/TLS Expense and Headaches
One of the reasons I warn people not to host their website on GoDaddy or similar hosts such as 123-Reg is that these hosts are expensive and charge for features that are free at other hosts.
If your site is hosted on GoDaddy, as mentioned already, it’s hard to install Let’s Encrypt, so it’s easier just to move to a superior host that offers better value for money, and solve several problems at once.
Dreamhost has been great because they’re partnered with LE, but I’m sure there are other hosts who are doing the same thing, so do your research when making decisions about who you want to become a customer of.