Save money by installing a free SSL certificate on your domain.
Since October 2017, Google has decided that an SSL certificate is required for each website.
As of January 2018, Google will penalize websites that do not have a valid SSL certificate installed.
The first sanction will be a huge red warning page within Google’s Chrome browser, telling visitors that this site is not safe. This will force most visitors to leave this site without even visiting the site.
The second sanction will be that Google will penalize websites by reducing their appearance on Google’s search results pages, a.k.a. “PageRank”.
Well, it’s not new that Google decides something and punishes others for not doing what Google wants.
And of course Google uses a democratic principle: if you don’t like Google then do not use Google.
Long story short: every website needs an SSL certificate.
But what about those who think that $10 a year is still too much money for something that you personally do not need, for something that nobody can see or feel? Let’s face it, you have to pay 10 dollars for a digital text document with some text inside.
Thankfully, a new project named “Let’s Encrypt” was launched on April 12, 2016, which will allow you to get an SSL Certificate for free, with no hidden costs, no catches or “trial periods”.
Until this project started, there were “fake” free certificates offered by Comodo. The free Comodo certificate was nothing but a trial certificate. Everyone could receive a free SSL certificate for 90 days. After these 90 days, you had to buy a certificate or just forget it, because every domain name could get a 90-day certificate only once in a lifetime. So, “Comodo Free SSL” has never been a real free SSL certificate.
Why have I never heard of “Let’s Encrypt” before?
Put it this way, there is a big business behind selling SSL certificates. Hosting companies earn hundreds of millions of dollars every year by selling a piece of text called “SSL Certificate”.
There is enough money to finance advertising campaigns and to finance its affiliates. Affiliates are the people who tell you that you need to buy a certificate, and also the people who tell you that a free certificate is not good for you.
Nobody would ever promote something that is freely available. And nobody would ever review a product that will not bring the reviewer any revenue.
This is, above all, the reason why you have only ever read about “allegedly” free SSL certificates, which in reality are trial products that you have to buy later and that potentially generate revenue for the people who write about them.
As expected, the whole budget of the Let’s Encrypt project is as small as a day’s sales of a company selling SSL certificates for money. They simply do not have the money to carry out huge advertising campaigns as big hosting companies do.
Let’s get to the practice section.
Notice: an SSL certificate issued by Let’s Encrypt is time limited and only valid for 3 months.
Apart from this, you can reissue the certificate over and over again after it expires.
The best part of the story is that you can set up a cron job that automatically renews an expiring certificate without you being involved in the process. Simply put, this is a “set up and forget” solution, unlike a paid certificate that you have to pay for and reinstall after it expires.
First of all we have to get a certificate file.
To get a certificate from Let’s Encrypt please follow these steps.
1) Go to the website https://www.sslforfree.com/, enter your domain name in the URL form and click on “Create Free SSL Certificate”.
2) You must confirm that you really own the domain for which you are requesting a certificate.
You have three options:
- Automatic FTP Verification – by specifying your FTP credentials, software logs in to your FTP server and takes all necessary steps.
- Manual Verification – upload a unique file to your domain root folder.
Download two files to your hard disk by clicking “Download File #1” and “Download File #2”.
You must create a folder named “.well-known” in your root directory.
Inside the folder “.well-known” you have to create the folder “acme-challenge”.
Upload both files downloaded from sslforfree.com into the “acme-challenge” folder.
Go back to sslforfree.com and hit “Download SSL Certificate”.
- Manual Verification DNS – by adding a TXT record to your domain name.
Go to your domain registrar.
Go to the “Change / Update DNS Records” section or something similar (that depends on your domain registrar).
Add two new TXT records. They should look like this.
After you have completed your verification, you can download the certificate files.
How to install Let’s Encrypt SSL on cPanel?
Please note that many large hosting companies such as NameCheap do not offer you help on how to install free SSL, as this hurts their business. In this case, you will need to manually install the certificate.
If your cPanel has “Let’s encrypt” enabled, follow these steps.
1) Go to the “Security” section and click on “Lets encrypt SSL”.
2) Look for the “Issue a new certificate” section. You will see your domain names listed below.
Click on the “+ Issue” link and then on the “Issue” button to automatically install a free SSL for you.
If your cPanel does not have “Let’s encrypt SSL” enabled, follow these steps.
1) Go to the “Security” section and click on the “SSL / TLS” icon.
2) Click on the “Generate, view, upload or delete SSL certificates” link.
3) Paste your certificate in the “Upload new certificate” form and click on “Upload certificate”.
Or simply select the *.crt file from your hard drive and click “Upload Certificate”.
If all goes well, you will see an entry like this.
How do I install Let’s encrypt SSL on a Dedicated Server or VPS or some kind of hosting where I have SSH (Secure Shell) access to the server?
If you work with “sudo” (typical for a Debian server), use the following sudo commands:
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache -d mydomainname.com -d www.mydomainname.com
Replace “mydomainname.com” with your actual domain name.
As a last step, please set up a cron job to renew your certificates before they expire.
Create a new cron job that runs the “certbot renew” command once a day.
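A “set up and forget” cron job can fail without anyone noticing, so here is an added example (not part of the original article or of certbot) that shows the daily crontab entry and an independent check that the certificates are really being renewed. The function names, the 30-day threshold and the script name are assumptions of this example.

```shell
#!/bin/sh
# Crontab entry for the daily job (the time 03:17 is an arbitrary choice):
#   17 3 * * * certbot renew --quiet

# renewal_due CERT [DAYS]
#   returns 0: certificate expires within DAYS days, renewal is overdue
#   returns 1: certificate stays valid for more than DAYS days
#   returns 2: file is missing or is not a parseable certificate
renewal_due() {
    cert=$1
    days=${2:-30}   # assumed threshold for this example
    [ -r "$cert" ] || return 2
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_sample_cert DIR DAYS: constructed input for trying the check out,
# a throwaway self-signed certificate for the placeholder name example.test.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# check_all DIR: check DIR/<domain>/cert.pem for every domain
# (certbot's default DIR is /etc/letsencrypt/live); returns 1 if any needs attention.
check_all() {
    bad=0
    for c in "$1"/*/cert.pem; do
        [ -e "$c" ] || continue
        rc=0
        renewal_due "$c" 30 || rc=$?
        case $rc in
            0) echo "RENEWAL OVERDUE: $c"; bad=1 ;;
            1) echo "ok: $c" ;;
            *) echo "UNREADABLE: $c"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Run as: sh check-certs.sh /etc/letsencrypt/live  (script name is hypothetical)
if [ "$#" -gt 0 ]; then check_all "$1"; fi
```

A non-zero exit from check_all means the renewal job has stopped working or a certificate file cannot be read, which is the moment to look at the cron job rather than after visitors see a browser warning.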
If you are using the YUM installer that is common on CentOS, use the following commands:
yum install epel-release
yum install httpd mod_ssl python-certbot-apache
systemctl start httpd
certbot --apache -d mydomainname.com -d www.mydomainname.com
Replace “mydomainname.com” with your actual domain name.
If you use the world’s best free web server control panel called “Webmin”, you can easily issue certificates through the graphical user interface.
With Webmin / Virtualmin, you can easily request and renew certificates, as well as enable automatic renewals for Let’s Encrypt certificates directly from the control panel of your server.
Does it make sense to install Free SSL by Let’s encrypt if you are a CloudFlare user and have a CloudFlare SSL certificate already enabled?
Yes, it makes sense.
Without a valid certificate on your server, or with a self-issued certificate, you cannot enable “FULL (Strict)” encryption in your CloudFlare interface.
Why is “Full SSL” better than “Flexible SSL”?
Flexible SSL works only from the visitor browser to CloudFlare Server. However, the connection between CloudFlare and your web server is still unprotected and is running in normal HTTP mode.
For example, if you set up a redirect within .htaccess to redirect HTTP to HTTPS, you will encounter an error: CloudFlare passes all HTTPS traffic to your server over HTTP, so your server treats every connection as an HTTP connection and the redirect never reaches its goal.
This leads to an infinite redirect loop.
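The loop described above, modelled as an added example (not code from the original article or from CloudFlare). It assumes that the “Full” modes contact your server with the protocol the visitor used; the function names and the 10-hop cap are made up for the illustration.

```shell
#!/bin/sh
# origin SCHEME: your web server with an "HTTP -> HTTPS" redirect rule.
# SCHEME is the protocol of the connection the server itself receives.
origin() {
    if [ "$1" = "http" ]; then echo "301 https"; else echo "200"; fi
}

# edge MODE CLIENT_SCHEME: the protocol CloudFlare uses towards your server.
# Flexible always talks HTTP to the server; Full keeps the visitor's protocol
# (assumption of this example, see the lead-in).
edge() {
    case $1 in
        flexible) echo "http" ;;
        full)     echo "$2" ;;
    esac
}

# visit MODE: follow redirects like a browser, starting at http://.
# Gives up after 10 hops (arbitrary cap for this example).
# Prints "ok after N redirects" or "redirect loop".
visit() {
    scheme=http
    hops=0
    while [ "$hops" -lt 10 ]; do
        reply=$(origin "$(edge "$1" "$scheme")")
        case $reply in
            200)  echo "ok after $hops redirects"; return 0 ;;
            301*) scheme=${reply#301 }; hops=$((hops + 1)) ;;
        esac
    done
    echo "redirect loop"
    return 1
}

echo "flexible: $(visit flexible)"
echo "full:     $(visit full)"
```

In Flexible mode the server answers every request with the same redirect because it never sees HTTPS; with a valid certificate and a Full mode the visitor is redirected once and then served.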
So, what have we come to?
Cloudflare SSL encryption works much better if you have a valid certificate installed on your server.
What about Incapsula users? Can I use a free SSL together with free Incapsula CDN?
No, this is not possible. To use Incapsula with SSL encryption, you must sign up to their paid plan.