So you want a free security certificate for your website?
In April 2016 a new website security certificate authority called Let’s Encrypt was launched, offering free SSL/TLS for all. No longer limited to just online shops, https and its associated green web browser padlock are appearing across the internet to encrypt the flow of data between all types of websites and their visitors.
Let’s Encrypt is provided by the non-profit Internet Security Research Group (ISRG) in association with partners and sponsors including Electronic Frontier Foundation, the Mozilla Foundation, Cisco and the Linux Foundation.
The technology is developed and maintained via a collaborative, consensus-driven process which aims to lower the complexity of maintaining https on a website. It is intended for widespread adoption.
If you just want https for a website or blog, Let’s Encrypt should be fine for that. If it’s for an eCommerce site, I’d recommend not using Let’s Encrypt. More about that in a few minutes.
What It Does
My rough sketch below demonstrates what SSL/TLS does.
Technically, Let’s Encrypt uses TLS (Transport Layer Security) as a successor to the less secure SSL (Secure Sockets Layer). Therefore, the use of the phrase SSL is something of a misnomer.
It was previously assumed that TLS v1.0 was marginally more secure than SSL v3.0, yet the POODLE vulnerability reported by the Mozilla Security Blog revealed SSL v3.0 to be completely insecure.
Here’s how Let’s Encrypt works in a bit more detail.
Browser Security Warnings
In September 2016 Google announced that their Chrome browser would begin displaying security icons to the left of the website address, informing the website visitor whether or not the connection is encrypted.
The concern among webmasters operating http sites is that visitors would immediately assume something is wrong with the site in question, even if sensitive personal information is not processed.
A Google help page details what to do to check if a site is secure. Their plans to label http sites as non-secure have prompted most websites to begin implementing SSL or TLS regardless of the nature of the website. It’s a good idea to do so, since visitor confidence is likely to be higher, although, it should be noted, even a criminal organisation or scam site can still install encryption and display a green padlock.
SEO ranking algorithms are thought to now be influenced by SSL/TLS although this may only be marginal.
Domain Validated or Extended Validation?
Let’s Encrypt only offers domain-validated certificates, which is another way of saying you just need to be able to prove you control the domain.
By contrast, a certificate authority like Comodo (and I have a couple of clients using these at around $15 a year) is a commercial provider offering Extended Validation as well as Domain Validated certificates.
You’ll often see the acronyms EV and DV on message boards or social media in this context.
Extended Validation SSL Certificates are a new type of SSL Certificate which is intended to give users more confidence in who you are (the legal entity who has applied for the security certificate) and that you do indeed control/own your website.
Installing Through a Partner Host
The easiest way is to use a web host that has partnered with Let’s Encrypt. Using a partner host means the option to switch on https is built into your hosting control panel, making the process of creating, validating, signing, installing and renewing certificates relatively easy.
I already use Dreamhost, which is not only an excellent shared host and great value for money but is a LE partner too.
Security certificates, both SSL and TLS, normally expire every 90 days. A host partnered with LE will auto-renew the certificate at the end of each 90-day period.
Do you already host your site elsewhere and want to know if yours is compatible?
See this list of Let’s Encrypt Partner hosts confirmed, planned or pending.
Installing Let’s Encrypt on a GoDaddy Shared Hosting Server?
It’s possible to install Let’s Encrypt on GoDaddy, but the certificate will not auto renew every 90 days the way certificates installed on a Let’s Encrypt partner host do.
I’ve installed my LE certificate for Small Biz Geek and will be activating it shortly by changing and redirecting all the internal links and submitting a new canonical version for the search engines.
Installing Through Certbot
You can use Let’s Encrypt with most web hosts provided you know how to install it over SSH (using a client like PuTTY) with Certbot. The certificates only last 90 days and so need to be renewed either manually or with Certbot, which can automate the renewal for you.
Here’s an extract from the Certbot introduction page:
Certbot is part of EFF’s effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.
If you’re using a Linux server you would run a cron job to automate renewal of your certificate. The renewal command needs to run at least once every 3 months. The schedule fields for the crontab entry can be generated at Crontab Generator.
If you’re using a Windows server you’d use the @ command.
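Automating the renewal is only half the job; you also want to know that it actually happened before the 90 days run out. The following Python script is an added example (not from the post or from Certbot) that applies Certbot’s default rule of renewing when fewer than 30 days remain to the `notAfter` dates of a list of certificates; the domains and dates below are constructed, and the clock is frozen so the results are reproducible.

```python
import ssl
import time
from dataclasses import dataclass

# Certbot's default rule: renew when fewer than 30 of the 90 days remain.
RENEW_THRESHOLD_DAYS = 30
SECONDS_PER_DAY = 86400

@dataclass
class CertStatus:
    domain: str
    days_left: int
    action: str  # "ok", "renew" or "expired"

def days_until(not_after: str, now: float) -> int:
    """Whole days until notAfter (negative once expired).
    ssl.cert_time_to_seconds parses 'Dec 31 23:59:59 2024 GMT', the format
    printed by `openssl x509 -noout -enddate` and ssl.getpeercert()."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // SECONDS_PER_DAY)

def classify(domain: str, not_after: str, now: float) -> CertStatus:
    """Apply the renewal rule to one certificate."""
    days = days_until(not_after, now)
    if days < 0:
        action = "expired"
    elif days < RENEW_THRESHOLD_DAYS:
        action = "renew"
    else:
        action = "ok"
    return CertStatus(domain, days, action)

def due_for_renewal(records, now=None):
    """Return the status of every record that is due or overdue for renewal."""
    now = time.time() if now is None else now
    return [s for s in (classify(d, na, now) for d, na in records)
            if s.action != "ok"]

# Constructed sample input (not real certificates): (domain, notAfter)
SAMPLE_RECORDS = [
    ("example.com",  "Apr 15 12:00:00 2017 GMT"),  # 75 days left -> ok
    ("blog.example", "Feb 20 12:00:00 2017 GMT"),  # 21 days left -> renew
    ("shop.example", "Jan 25 12:00:00 2017 GMT"),  # 5 days past -> expired
]
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 30 12:00:00 2017 GMT")  # frozen clock

if __name__ == "__main__":
    for s in due_for_renewal(SAMPLE_RECORDS, SAMPLE_NOW):
        print(f"{s.domain}: {s.action} ({s.days_left} days left)")
```

Feed it the `notAfter` value from the certificate file on the origin server; if the site sits behind Cloudflare, the certificate a browser is shown is Cloudflare’s Universal SSL one, so checking the edge tells you nothing about the Let’s Encrypt certificate on the origin.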
Using Cloudflare
If you’re running Cloudflare with their free Universal SSL certificate, that is the certificate that will be displayed under the “more information” padlock in the browser.
If you’re using Cloudflare, the Let’s Encrypt free SSL certificate sits between your origin website server and Cloudflare.
You’ll need to enable the free universal SSL certificate that will sit between Cloudflare and the website visitor.
Here’s a rough sketch illustrating the concept:
Dreamhost is a partner host of Let’s Encrypt, which means it’s easy to order and install a free certificate. Dreamhost is also a partner of Cloudflare, which is compatible with Let’s Encrypt.
You’ll need to be using Cloudflare’s nameservers, not Dreamhost’s, if you want to enable Let’s Encrypt in combination with Cloudflare.
Here are some people I found on YouTube talking about Let’s Encrypt.