SSL certificates have become a more highly visible topic lately due to Google’s policy announced last September to begin marking pages without SSL certificates as “not secure” in the Chrome browser, the most popular browser in use today. This policy is to take effect in January 2017.
Luckily, a certificate authority called Let’s Encrypt came on the scene last year with the express purpose of promoting encrypted internet connections by providing SSL certificates for free.
However, obtaining a certificate from Let’s Encrypt and getting it installed on a web server isn’t always an easy task for the average user. The level of difficulty varies from hosting service to hosting service. Here is a list of hosting providers who offer Let’s Encrypt support. Many hosting services would rather sell subscribers an SSL certificate they issue at prices ranging from $39 to $150 per year, and therefore it is in their interest to make using Let’s Encrypt difficult or impossible.
My hosting service, GoDaddy, is not on the list of services that support Let’s Encrypt. However, it is possible to install a Let’s Encrypt SSL certificate on a GoDaddy shared hosting account with a little work. First, you need to have a Linux account, of which there are two types: Classic and cPanel. You can only do this with a cPanel account. GoDaddy seems to want to encourage the migration to cPanel, so they actually offer a free cPanel account for one year to current holders of a classic account. This is the entry level account that only supports one domain. If you have a Classic account, GoDaddy provides good instructions for converting to cPanel.
Once you are set up on cPanel, you can install the SSL certificate. Unfortunately, GoDaddy’s instructions for doing this are rather obtuse and, in some cases, outdated or contradictory. After some trial and error, I hit upon a fairly simple method of accomplishing this. The nice thing about this method is that you don’t need to do anything at the command line level on the GoDaddy server, which can be very daunting for anyone not experienced with Linux.
Go to ZeroSSL, a browser-based interface for getting a Let’s Encrypt SSL certificate. Click on “Online Tools”, then start the “FREE SSL Certificate Wizard”. Follow the instructions, and you will end up with the following files: a) a domain key, b) a domain CSR (certificate signing request), c) an account key, and d) the domain certificate. As part of the process, you will be asked to create two files with encrypted file names and encrypted content to put in sub-directories of the root directory of your hosting account. The path will look like this: /public_html/.well-known/acme-challenge/. These are the files that are used to prove that you have ownership of the website. The easiest way to do this is with an FTP client like FileZilla. You may have difficulty creating these sub-directories with the built-in cPanel File Manager. Edit: When requesting the certificate at ZeroSSL, be sure to specify both yourdomain.com and www.yourdomain.com as a subdomain.
Edit: Since this was first written, the process at ZeroSSL has been significantly improved. See this post.
Now go to the cPanel for your domain on GoDaddy, scroll down to the Security section, and click on SSL/TLS. Under “Install and Manage SSL for your site (HTTPS)”, click on “Manage SSL sites”. There you will see a fairly simple form where you provide the following information: a) the domain, b) the certificate, c) the private key, and d) the certificate authority bundle. Items b, c, and d are all things you received from ZeroSSL. A couple of important points: Included as parts of the certificate are the beginning and ending markers, e.g. “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”. If you don’t include these, you will get an error saying the certificate is not valid. Also, the certificate you get from ZeroSSL has two parts, the actual certificate and the Certificate Authority Bundle (CABUNDLE). These are each marked with beginning and ending tags. They will need to be put into two separate boxes on the form. Once you have filled in the form, and you have an indication that the content is correct, click on “Install Certificate”, and you are finished.
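The split into the two form boxes can be checked locally before pasting. The following is an added example, not part of the original post and not ZeroSSL or GoDaddy code: it separates a downloaded certificate file into the certificate and the CABUNDLE, and rejects markers whose hyphens were turned into typographic dashes by copy and paste. It assumes the domain certificate is the first block in the file; the function names and the sample data are constructed for illustration.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)
# Dash-like characters that editors and web pages substitute for a plain "-".
TYPOGRAPHIC_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"


def split_chain(pem_text):
    """Return (certificate, cabundle) as PEM strings, markers included."""
    if any(ch in pem_text for ch in TYPOGRAPHIC_DASHES):
        raise ValueError("typographic dashes found; markers need plain hyphens")
    blocks = []
    for match in BLOCK_RE.finditer(pem_text):
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)  # raises on damaged base64
        if not der.startswith(b"\x30"):  # DER certificates open with a SEQUENCE tag
            raise ValueError("block does not look like a DER certificate")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append("\n".join([BEGIN, *lines, END]) + "\n")
    if pem_text.count(BEGIN) != len(blocks) or pem_text.count(END) != len(blocks):
        raise ValueError("unbalanced BEGIN/END markers")
    if len(blocks) < 2:
        raise ValueError("expected the certificate plus at least one CA certificate")
    # Assumption: the domain certificate comes first, the CA bundle follows.
    return blocks[0], "".join(blocks[1:])


def constructed_block(payload):
    # Constructed stand-in for a certificate: a SEQUENCE tag plus filler bytes.
    body = base64.b64encode(b"\x30\x82" + payload).decode()
    return f"{BEGIN}\n{body}\n{END}\n"


# Constructed sample input, not a real certificate chain.
SAMPLE = constructed_block(b"leaf" * 20) + "\n" + constructed_block(b"intermediate" * 8)

if __name__ == "__main__":
    certificate, cabundle = split_chain(SAMPLE)
    print("Certificate box:\n" + certificate)
    print("CABUNDLE box:\n" + cabundle)
```

To use it on a real download, read the file's text and pass it to `split_chain` in place of `SAMPLE`.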
You should now have a secure site. You may need to check your site to make sure that internal links reference https instead of http for everything to work right. If you are running WordPress, as I am, you can install a plugin like Easy HTTPS (SSL) Redirection that will take care of these chores for you. All you need to do is change the URL to https in the General settings.