How to Setup SSL absolutely free using Let’s Encrypt
Have you been on the lookout for free and trusted SSL certificates and wondering how to install them? Well, slake all your queries with Let’s Encrypt- a free and legitimate CA that makes certificate installation as easy as 1,2,3.
What is SSL?
For those who are not familiar, SSL or Secure Sockets Layer is a cryptographic protocol that encrypts the data and connection between the server and the client. It is a standard security protocol for establishing a link between the server and browser. You can setup SSL by installing an SSL certificate and switching your site to HTTPS.
HTTPS, or HyperText Transfer Protocol Secure, is the protocol over which data is sent between the website you are connected to and the browser. It is more like a secure mechanism that HTTP uses over SSL connections to communicate.
You can say that HTTPS = HTTP + SSL
Firstly, an SSL connection is established. Then, all the HTTP data is wrapped into small SSL packets, sent, and received. Both are combined together to prevent man-in-the-middle attacks and eavesdropping by third party outsiders.
Why is it necessary to setup SSL?
What’s this sudden hype to setup SSL and migrate to HTTPS all about if my site is been working with HTTP completely fine? You might be wondering! Well, for the uninitiated, it’s been three years since Google officially announced that switching your website from HTTP to HTTPS will be considered as a ranking factor and give your site a minor ranking boost. Since then, we saw more and more websites taking the plunge. Firefox Mozilla too, in its latest update (Version 52.0.2), gives a warning error if login credentials or other sensitive details are entered from an HTTP-based site which has not migrated to HTTPS yet.
However, the whole process of switching from HTTP to HTTPS has many obstacles, with the costly SSL certificates and complex installation process being the most prominent ones. In this article, we will tackle all such issues one by one and introduce a provision called Let’s Encrypt that will help you setup SSL certificates free of cost. It is a non-profit and open Certificate Authority service by ISRG that provides Domain Validated Certificates for zero charges.
SSL Certifications: What for?
To be able to setup SSL secure connections, a server requires a digital certificate called as SSL certificate. An SSL certificate is a small data file that binds a cryptographic key to your organisation’s or personal details digitally. SSL certificates have a pair of keys: public and private. This key pair works together to create an established connection.
Basically, SSL Certificate = Domain name/Server Name + Organization’s Details
Only a Certification Authority (CA) can issue a digital certification. A browser trusts an SSL Certificate and establishes a session between the client and the server only if the said certificate contains the domain name of the website and is issued by a trusted CA.
There are three different SSL certificates you can get: Domain Validation Certificate (DV), Organisation Validation Certificate (OV), and Extended Validation Certificate (EV). Let’s take a look at their basic traits through this table.
|Issuing Time||Immediately||Within 24 hours||4-5 days|
|Pricing||Cheapest (Free in most cases)||15$ – 700$||700$ and above|
|Types of Businesses||Small or Medium||Medium-scaled||Larg|
|Types of Sites||non-eCommerce/Internal||eCommerce||eCommerce|
|Issuing Criteria For a Purchaser||Control over a Domain name||Control over Domain name + Organisation’s Existence as a Legal Entity||Organization’s Existence as a Legal Entity + Verification Checks by a Human|
From the table, it is pretty clear that DV is actually preferable for small and medium-sized businesses. If you own a small business, it makes no sense to pay such high costs for an Extended Validation certificate. Additionally, it makes no difference which validation certificate you use in rankings factor as well as secure transmission of data, as of now.
Debunking all odds: What’s stopping people and what to do about it?
One question that arises in mind after all this discussion is that if HTTPS is such a better choice, why aren’t more and more people transforming their sites then? We asked our webmasters’ team and almost everybody gave the same reply. “SSL certifications are of immensely high costs”. The big guys in town- GoDaddy, VeriSign, Comodo, etc charge a lot for the paid certifications. Most website owners simply cannot afford to buy such high-priced security measures which may even exceed their profit ranges. While DV certificates are comparatively cheaper than their counterparts, the verification process needed to setup SSL and HTTPS is still a little bit complex for people with a non-IT background. So isn’t there some alternative for standard website owners out there that provides simple solutions to help them carve their way in the SSL world? Allow me to introduce one such popular solution through which you can get hassle-free SSL certificates and that too for free – Let’s Encrypt.
Let’s Encrypt is a free, trustworthy and automated Certification Authority (CA) operated by the Internet Security Research Group. Some of the key sponsors for Let’s Encrypt include the Mozilla Foundation, the Electronic Frontier Foundation (EFF), Akamai, and Cisco Systems. Currently, Let’s Encrypt offers full support for IPv6, ACME DNS Challenge, IDS, and ECDSA signing.Since domain-validated certificates are automated, only those can be issued. Certificates issued by Let’s Encrypt are valid for a total of 3 months, although you can automatically renew them every 60 days or so. In some cases, your hosting provider will do the job for you. As of May 2016, LetsEncrypt has come up with its beta version sponsored by some new additions to the team. Together, they have made Let’s Encrypt to be the third largest Certificate Authority in the world. It has gained the trust of a lot of users worldwide. Currently, it has 1.93 million unexpired certificates, making Let’s Encrypt one of the largest Certificate Authorities in the world.Some of the key features that have made this success possible are:
- Free: You just need to own a domain name to setup SSL and get an SSL certificate at absolute zero cost and no renewal charges.
- Secure: Let’s Encrypt issued digital certificates are legitimate and accepted by every one of the web browsers. Besides, it helps site owners secure their servers properly.
- Automatic: Let’s Encrypt interacts with web servers to get a certificate, configure it securely and renew it, all by itself- making the whole process automatic.
- Transparent: Each certificate revoked or issued is available for public records and inspection purposes.
Now that we have described benefits of everything, let’s take a look at how you can get a free SSL certificate and make your site HTTPS-enabled.
How to Install a free SSL certificate
Case 1: If you have a Dedicated server
- Through The Web, Host Manager (WHM):
Web Host Manager is used to manage web-hosting accounts on a web server. If your hosting provider has installed provisions in case of WHM, you can get the benefits of Let’s Encrypt official plugin for WHM. This plugin is accessible for WHM version 58 and above. Start by running the below command in server terminal (usually putty):
Next, when you visit AutoSSL interface by going over to Home >> SSL/TLS >> Manage AutoSSL, here, you can select Let’s Encrypt from the list of providers.
- Without Web Host Manager: People with Shell access mostly use the Certbot ACME client.
In such cases, where WHM is not handy, you can install a Let’s Encrypt issued certificate manually using Certbot. Head over to their official site, select your web host server and OS and follow the steps displayed.
Case 2: In case of a Shared Server Hosting
- Through cPanel (Without Shell Access)
cPANEL is a Linux-based web hosting panel that provides you with GUI and automated tools to make the process of web hosting easy. If you manage your website through CPanel, Plesk or any other control panel, some hosting providers such as FastComet, DomainRacer, BlueHost, provide a direct option for Let’s Encrypt in their interfaces. It makes the whole process of adding an SSL certificate for your domains easy.
- Through Certbot ACME Client (With Shell Access):
Let’s Encrypt recommends people with shell access to use the Certbot ACME client. Certbot offers free certificate issuance and installation automatically. Moreover, it keeps a check on the expiration dates of your certificates and renews them automatically. For people who do not want auto-configuration, it has separate expert modes also. For people who do not want auto-configuration, it has separate expert modes also. People who do not want to proceed with Certbot can check the official website of Let’s Encrypt for more client options for more client options.
Advantages of switching to HTTPS
1. SEC_RITY is incomplete without “U”
Once you have made the switch to HTTPS, any packets(s) of data sent afterwards is protected using the TLS protocol. This means you are guaranteed the three basic levels of network protection:
- Encryption: All your exchanged data is encrypted. This means that even if eavesdroppers somehow manage to “listen” to your data, it will be worthless since they don’t have a decryption key.
- Data Integrity: Information encrypted cannot be seen by others while it is still in transit, thus avoiding eavesdropping and man-in-the-middle attacks. Also, data cannot be corrupted or tampered by a third party without being detected.
- Authenticity: HTTPS authenticates your site by making sure it is the one the server and/or users are supposed to be communicating with.
Besides, the green bar/lock at the beginning of the browser’s address window helps users build the trust of the users, making it worth the effort in the long run.
2. SEO: Always be in good books of GOOGLE
- More referrer data: Whenever traffic passes to an HTTPS-enabled site, it does not strip away your referral data. This is unlike HTTP where the referral information is not preserved and transferred as “Direct”. This becomes an issue in analytics report as you cannot tell where this traffic comes from.
- The boost in rankings: Need I say more? Unlike other ranking signals (Original content and link building), it does not merit heavy increases. Though Google may consider it as a slight ranking boost as of now, but if you decide to setup SSL, it can have a notable impact in the future.
- Revenue Conversions: When HTTPS and SSL are in place, the green lock in the URL bar gets active. This helps users perceive a sense of privacy and trust. Additionally, it can be a revenue driver by supporting more and more conversions.
Points to consider before taking the leap
- Speed issues: Since HTTPS, in itself, is a ranking factor, one might think that HTTPS sites are faster to load. Although this idea appears to be good, but in reality, if you setup SSL, it can imply a minor drop in site speed. This mainly happens due to the extra communication “handshakes” needed between the servers.
- Compatibility issues: The world may be moving towards SSL revolution, still everything is not HTTPS ready yet. Once in a while, an older web application will pop up that has trouble adopting the HTTPS URLs.
Most of these issues, however, are due to the improper implementation of SSL migration or steps of switching from HTTP to HTTPS. Sometimes, both. Stay tuned as we will cover these common pitfalls and how you can avoid them in our next article.
In closing, sites that use HTTPS, account for nearly one-third of Page one results in Google as of June last year. With the advent of free and easy methods to setup SSL like Let’s Encrypt, these numbers are just beginning to increase. It has made it unbelievably easy for both developers and site owners to provide an automated, validated SSL certificate and switch over to HTTPS for free. Alright, this was all about getting SSL/HTTPs and securing your website. If you are by far convinced to make the switch, you should try experimenting with the website design as well. For this, check out TemplateToaster, a web design software that provides you with themes to modify your website or build a new one and set up SSL on it.
Best Drag and Drop interface to Design stunning WordPress Themes
Have any questions or comments about setting up SSL on your WordPress website? Share with us in the comments section below!