When I started this site, I decided to move it to SSL. I ran into an article: How to Get a Free SSL Certificate (and Why Google is Forcing You To)
It appeared that getting and installing an SSL certificate is really easy from Let’s Encrypt. Not exactly. Many things can go wrong. This is how you can overcome the hurdles.
The first thing you run into is that not every host supports Let’s Encrypt. If you are using a free host, chances are that you will need to upgrade to Premium to use this feature.
If you have a Premium hosting account and it advertises “one-click free SSL”, there is a possibility that this is a self-signed certificate, which will cause a “Your connection is not secure” message in many browsers.
My next idea was to use Certbot, the ACME client that Let’s Encrypt recommends. However, “Certbot currently requires Python 2.6, 2.7, or 3.3+. By default, it requires root access …” So this wasn’t something I was going to experiment with on shared hosting.
The article also says, “If your host doesn’t support Let’s Encrypt, you may still be able to get your free SSL certificate by using a website called SSL For Free.” So I tried this, but none of the methods to verify ownership of my domain was working.
The article also mentions, “Cloudflare – Cloudflare offers a shared SSL certificate on their free plan. If you’re already using Cloudflare, this is a great way to get your site up and running with HTTPS.”
What the free plan gives you is a certificate on Cloudflare’s edge in “Flexible” mode, which means the connection is encrypted between Cloudflare and the user, but not between Cloudflare and your server. And even though you can copy that certificate, it is not going to work when you upload it to your own server: the matching private key never leaves Cloudflare, so your server cannot complete a TLS handshake with it. You need to upgrade to a paid Cloudflare plan for that.
Then I found a site called getaCert, a free certificate site.
The procedure is: you go to cPanel > SSL, enter certain data about your website and organization, and with this data you create a Certificate Signing Request (CSR). Behind the scenes cPanel also generates the private key, which stays on your server; the CSR carries only the matching public key and your details. Then you copy the CSR, paste it into the Certificate Authority’s site, which in turn gives you the certificate files.
I created a cert, uploaded it… and I got —
“Your connection is not secure. The owner of ____ has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.”
After some research I found sites that check the certificate of your website, SSL Labs among them:
SSL Labs said the certificate is “Not trusted”.
“In order for trust to be established, we must have the root certificate of the signing Certificate Authority in our trust store. SSL Labs does not maintain its own trust store; instead we use the store maintained by Mozilla.
“If we mark a web site as not trusted, that means that the average web user’s browser will not trust it either. For certain special groups of users, such web sites can still be secure. For example, if you can securely verify that a self-signed web site is operated by a person you trust, then you can trust that self-signed web site too. Or, if you work for an organisation that manages its own trust, and you have their own root certificate already embedded in your browser. Such special cases do not work for the general public, however, and this is what we indicate on our report card.”
Basically an SSL certificate by itself is not enough. You also need the “CA bundle”: the intermediate certificate(s) that sit between your certificate and the Certificate Authority’s root. Your server sends them along with your certificate so the browser can build a chain from your certificate, through the intermediates, to a root certificate it already has in its trust store. If any link is missing, or the root is not in the store, the browser reports the site as not trusted.
And “getaCert is not a Certificate Authority (CA) or certified through WebTrust. Should be used for testing only or for non public based sites or services.” This line is hidden somewhere on their site. Thank you very much.
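Here is the CSR-and-bundle business end to end, as an added example in Go; it is not code from the original post or from any of the services named above. It generates the key and CSR that the cPanel form produces, acts as a toy CA (a root with one intermediate) that signs the request, and then checks the resulting certificate the way SSL Labs does: first with the site certificate alone, then with the intermediate added as the CA bundle. The domain, organization and CA names are made up for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

const siteDomain = "blog.example.com" // constructed example name

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// MakeCSR does what cPanel's "Generate CSR" form does: it binds the subject data and
// the site's public key together, self-signs the request with the site's private key,
// and emits the PEM you paste into the CA's form. The private key never leaves the host.
func MakeCSR(key *ecdsa.PrivateKey, domain, org string) []byte {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domain, Organization: []string{org}},
		DNSNames: []string{domain},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// sign issues tmpl under parent (parent == tmpl for a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// Trusted asks what SSL Labs asks: would a browser whose trust store holds only roots
// accept leaf for domain, given the extra certificates the server sends (the "CA bundle")?
func Trusted(leaf *x509.Certificate, roots, bundle []*x509.Certificate, domain string) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range bundle {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: domain})
	return err == nil
}

// Scenario returns (trusted with the site certificate alone, trusted with the CA bundle added).
func Scenario() (bool, bool) {
	csrPEM := MakeCSR(mustKey(), siteDomain, "Example Blog")
	// CA side: parse the pasted CSR, verify proof of possession of the key, copy the names.
	block, _ := pem.Decode(csrPEM)
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	must(err)
	must(csr.CheckSignature())
	rootKey, interKey := mustKey(), mustKey()
	rootTmpl := caTemplate("Example Root CA", 1)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := sign(caTemplate("Example Intermediate CA", 2), root, &interKey.PublicKey, rootKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, csr.PublicKey, interKey)
	// The browser's store holds only the root, as Mozilla's does for a public CA.
	roots := []*x509.Certificate{root}
	return Trusted(leaf, roots, nil, siteDomain), Trusted(leaf, roots, []*x509.Certificate{inter}, siteDomain)
}
```

Scenario() returns false, true: the certificate signed by the intermediate is rejected on its own (the verifier cannot reach a root it knows), and accepted once the intermediate is supplied alongside it. That second argument is exactly what the “CA bundle” field in cPanel is for; a self-signed or getaCert certificate fails the same check no matter what bundle you attach, because its root is in nobody’s store.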
Comodo SSL Free Trial
Then I ran into this: Comodo SSL has a free trial of 90 days. You have to verify ownership of your domain by receiving a verification code, either at the email address saved in the domain’s Whois record or, if you have Whois privacy enabled, at an approved administrative mailbox at the domain.
I did the verification, got the certificate file and the CA bundle, and uploaded them. This actually worked. I finally saw the green lock! The only catch is that a Domain Validation SSL certificate costs $65 with Comodo, which is really expensive if you want to renew it after 90 days. But at least now I had 90 days to figure out the final solution…
Then the next step was to switch the site over to SSL. I learned a few things in the process: you don’t have to immediately change your blog settings to https and thereby risk getting locked out of your account. You can just open a new window and type https://yourdomain.com, and your site comes up with the green lock if everything is correct.
Now you need to do the whole “redirect to https” thing. I pasted the redirect code into my .htaccess file, at which point my site died: it was “redirecting incorrectly” per the browser message. Then I took out the part I added and, even though I swear the .htaccess file went back to what it was, I got a white screen saying that the server was configured incorrectly.
At first I had no idea what this was about. The forum that came up in a Google search said to check the server error logs, which I eventually found in cPanel under Metrics > Errors. All the error entries complained about an incorrect entry in .htaccess. Unfortunately I hadn’t saved the original version of .htaccess, which you should always do before you touch it, but at least I knew the problem wasn’t something else. Eventually I found an earlier backup that I had from a different server, uploaded it, and everything went back to normal.
I decided I was not going to experiment with it any longer, I searched for an SSL plugin, even though I didn’t really want to add any more plugins and slow down my site.
Really Simple SSL handled the whole process extremely well. You just install it, run the plugin and it will make all the necessary changes, including changing your links over to https.
The funny part is that afterwards I tried SSL for Free again and this time it worked totally fine, I got all my cert files…
Saga Not Over Yet
I was really happy about my achievement until the next day… The horrible misconfigured site message appeared again in my browser.
I found the following article from Mozilla. If you look at the above screenshot, you may notice that it says “Wrong Site”, even though my certificate was the right site… When I clicked on “View”, it showed me the certificate, which said the Organization was “Web hosting”.
Based on this I figured the problem was that encryption between my host and Cloudflare was enabled and Cloudflare was injecting its own security certificate. When I turned it off, after a short time the green lock went back in place.
As I said at the beginning, setting up SSL is a lot more complicated than it is generally presented…
Hopefully the above gives you some help if you try to switch your site over. Don’t put it off; the earlier you do it, the less trouble. You don’t want to be solving problems like this when you have 100 visitors a day… Also, Google Webmaster Tools considers the SSL version of your site a completely different site. If you had the non-SSL version listed previously, all that data will be blanked out when you add the SSL site.
Another thing you need to be aware of is that the free SSL expires every 90 days, therefore you need to renew it every 3 months. It is easier if you get an SSL certificate for $9.99, which will be valid for a whole year.
If you find this article useful, please share. Also, add any other info you have on the subject as a comment.
The Saga Continues
I changed my host to Scala Hosting, and they actually have an automatic domain-validated Let’s Encrypt SSL that renews itself every 90 days.
However, further trouble came when I switched my CDN to a company named Web Support Revolution and the following strange thing happened:
My site was displaying correctly, but I was getting a redirect loop trying to get into my WordPress admin panel.
I googled it and the solution was the following: add this line to wp-config.php, which tells WordPress that the request arrived over HTTPS even though the connection it sees from the CDN is plain HTTP:
$_SERVER['HTTPS'] = 'on'; // makes WordPress's is_ssl() return true, so it stops redirecting to https
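The redirect loop behind the CDN and the earlier one in .htaccess have the same cause, and the wp-config.php line above only papers over it: the CDN terminates TLS and talks plain HTTP to the origin, so a “redirect if not HTTPS” rule at the origin fires on every request. As an added example (Go, not code from the post, from WordPress or from any CDN), here is a small origin server that first implements the redirect the naive way, as the .htaccess rule and WordPress’s is_ssl() do, and then the proxy-aware way, honouring X-Forwarded-Proto only from addresses the CDN actually connects from. The proxy ranges, host name and path are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed for this example: the address ranges our CDN/proxy connects from.
// Only these peers may tell us what scheme the visitor used; the header from anyone
// else is ignored, otherwise any client could claim "https" and skip the redirect.
var trustedProxies = mustCIDRs("203.0.113.0/24", "2001:db8::/32")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func fromTrustedProxy(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// NaiveIsHTTPS is the test a plain .htaccess rule (RewriteCond %{HTTPS} off) and
// WordPress's is_ssl() make: only the connection the origin itself sees counts.
// Behind Cloudflare "Flexible" or a CDN that terminates TLS, the origin sees plain
// HTTP on every request, so this is always false and every answer is another redirect.
func NaiveIsHTTPS(r *http.Request) bool {
	return r.TLS != nil
}

// ProxyAwareIsHTTPS also honours X-Forwarded-Proto, but only when the request really
// came from one of our proxies. This is the condition the wp-config.php line should be
// wrapped in, instead of setting $_SERVER['HTTPS'] unconditionally.
func ProxyAwareIsHTTPS(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	if !fromTrustedProxy(r) {
		return false
	}
	// Several proxies in a row produce a comma-separated list; the first entry is
	// the scheme the visitor used.
	first := strings.SplitN(r.Header.Get("X-Forwarded-Proto"), ",", 2)[0]
	return strings.EqualFold(strings.TrimSpace(first), "https")
}

// RedirectToHTTPS is the "redirect to https" rule as middleware: whatever isHTTPS
// says is not secure gets a 301 to the same URL under https://.
func RedirectToHTTPS(isHTTPS func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isHTTPS(r) {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Admin stands in for wp-admin: it just answers 200.
var Admin = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// Simulate delivers one request the way a TLS-terminating CDN forwards it to the
// origin (plain HTTP, visitor's scheme in X-Forwarded-Proto) and returns the status.
func Simulate(h http.Handler, remoteAddr, forwardedProto string) int {
	req := httptest.NewRequest("GET", "http://blog.example.com/wp-admin/", nil)
	req.RemoteAddr = remoteAddr
	if forwardedProto != "" {
		req.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	naive := RedirectToHTTPS(NaiveIsHTTPS, Admin)
	aware := RedirectToHTTPS(ProxyAwareIsHTTPS, Admin)
	fmt.Println("naive, behind CDN:      ", Simulate(naive, "203.0.113.10:4321", "https")) // 301, and again on the next hop: the loop
	fmt.Println("proxy-aware, behind CDN:", Simulate(aware, "203.0.113.10:4321", "https")) // 200
	fmt.Println("proxy-aware, spoofed:   ", Simulate(aware, "198.51.100.7:4321", "https")) // 301
	fmt.Println("proxy-aware, plain http:", Simulate(aware, "203.0.113.10:4321", ""))      // 301
}
```

The equivalent in wp-config.php is to set $_SERVER['HTTPS'] = 'on' only when HTTP_X_FORWARDED_PROTO is https and the request came from the CDN; setting it unconditionally is only safe as long as nothing can reach the origin without going through the CDN, because otherwise a visitor on plain HTTP is treated as secure and never redirected.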