[Fri, 28 Apr 2017] – We’ve enabled free, Let’s Encrypt-based SSL certificates in the Control Panel.
Introduced in 2016, Let’s Encrypt is a free, open certificate authority (CA) that provides website owners with digital certificates for enabling HTTPS (SSL/TLS).
It was launched by the Internet Security Research Group (ISRG), a public-benefit organization sponsored by the Mozilla Foundation, the Electronic Frontier Foundation (EFF) and Cisco Systems, with the aim of making HTTPS encryption both affordable and user-friendly.
Their main goal is to create a more secure, privacy-driven web.
Let’s Encrypt certificates are:
- free to use: each domain name owner can obtain a trusted certificate at absolutely no cost;
- automatic: the certificate setup and renewal procedures are fully automated; no human intervention is needed;
- simple to use: there are neither payments to make, nor validation emails to respond to;
- secure: Let’s Encrypt serves as a platform for implementing the latest security practices;
- fully transparent: all issued certificates are publicly available for anyone to view;
- open: the issuance and renewal protocol is published as an open standard that can be adopted;
- ‘self-regulated’: Let’s Encrypt is a joint community effort, beyond the control of any organization.
What are the differences between regular and Let’s Encrypt SSLs?
Let’s Encrypt offers you a free and automated way of obtaining SSL certificates for your sites, so you may ask yourself: “Why would I ever go with a regular SSL certificate?”.
Just like regular SSL certificates, Let’s Encrypt certificates offer basic SSL encryption, i.e. they give site visitors assurance that they are exchanging information with the domain that is visible in the address bar and that their personal data (login details, credit card information, etc.) cannot be eavesdropped on.
Also, Let’s Encrypt certificates are trusted by all major browsers.
If a site is using a Let’s Encrypt SSL, you will see “https://” at the beginning of the URL in your browser’s address bar, along with a green padlock.
So, what Let’s Encrypt certificates offer is secure communication most site visitors will feel comfortable with.
However, as a business entity you may also need a certain security guarantee against online abuses and this is where commercial SSLs kick in.
Read further below to learn more about the differences between a Let’s Encrypt certificate and a regular SSL:
- Warranty: Let’s Encrypt certificates do not include a warranty against misuse or mis-issuance, whereas regular SSLs do. While this may not be a problem for smaller websites, for larger organizations it most probably will be.
- Wildcard Certificates: Let’s Encrypt does not offer wildcard or multi-domain certificates, whereas traditional CAs usually do.
- Validity Period: Let’s Encrypt certificates are only valid for 90 days and must be renewed before they expire. Most regular SSL certificates are valid for at least one year. HTTPS site owners can also choose a longer validity period (3, 5, etc. years). On our platform, Let’s Encrypt certificates are renewed automatically, so you won’t have to worry about that.
- Support: Let’s Encrypt does not offer assistance with creating or installing SSL certificates. Only community help is available. This can be an issue for organizations that need to quickly equip their business sites with an SSL. However, this could be easily curbed with a quick re-generation and re-installation of the problematic Let’s Encrypt SSL.
A Let’s Encrypt certificate or a commercial SSL – the final verdict
Both Let’s Encrypt and commercial SSLs will do the encryption job that is expected of them in order to protect your sites against interception and eavesdropping.
So, your choice will solely be determined by the type of site you manage, which in fact defines your security requirements.
If you own a non-commercial site, a blog or a photo gallery, or just need a quickly configurable, simple and free SSL certificate that you can obtain with minimum effort, then Let’s Encrypt is the way to go.
If you run an e-store or an enterprise site, then you will need to invest in a paid, warranty-equipped SSL certificate issued by an established CA.
Due to Google’s recently voiced intent to give HTTPS sites higher search rankings and the subsequent rise of authorized SSL resellers, the prices for commercial SSLs have been going down steadily.
Today, every e-commerce website owner can obtain an affordable commercial SSL certificate from a reputable authority.
We’ve already lowered the prices for both regular and wildcard certificates and are doing our best to make sure you get the best security insurance on the web.
How do I enable a Let’s Encrypt SSL certificate for my site?
You can request a Let’s Encrypt certificate for your sites with a click from the Hosted Domains section of the Control Panel.
In there, click on the Edit Host icon in the Actions column:
Then click on the SSL Certificates drop-down menu:
The ‘Request Let’s Encrypt SSL’ option is located at the bottom of the list of SSL options.
Once you’ve selected the Let’s Encrypt option, just click on the Edit Host button and allow a few seconds for the certificate to be generated.
NOTE: Make sure you’ve selected a shared SSL IP address (or a dedicated IP, if available) from the IP Address drop-down menu.
That’s it! The Let’s Encrypt certificate has been installed on the selected domain name.
Now your domain will feature a Let’s Encrypt icon in the SSL table:
That’s it! You will now see a green padlock in front of your domain in your browser’s address bar.
All browsers will now recognize your site as being secure.
NOTE: Since the Let’s Encrypt certificate generation process involves domain/DNS validation, a domain needs to have valid NS records in order for the validation to go through.
For this reason, if the ‘Do Not Manage DNS’ option is enabled for a given domain, the Let’s Encrypt feature will not be visible.
How to ensure proper Let’s Encrypt certificate installation
Now that your site loads over HTTPS, you need to make sure that it is working properly and that http://www.my-site-name.net is pointing to https://www.my-site-name.net.
Here is how to check whether HTTPS has been properly set up on your site:
- use an online service like SSL Labs, which can thoroughly examine the configuration of any SSL web server on the web;
- visit some of your site’s pages and see if they all display a green padlock to the left of the URL.
Now that your site loads over HTTPS, you need to redirect all HTTP URLs to their HTTPS counterparts. You can do that by adding a few lines of code in your .htaccess file.
This way, you tell the search engines to consider only the HTTPS URLs from now on.
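One way to write that redirect, as an added example that is not part of the original post. It assumes an Apache host with mod_rewrite loaded and .htaccess overrides allowed, and uses the post's placeholder hostname www.my-site-name.net as the canonical name:

```apache
# .htaccess in the site's document root.
# Assumption: mod_rewrite is loaded and .htaccess overrides are permitted.
RewriteEngine On

# Act only on requests that arrived over plain HTTP.
RewriteCond %{HTTPS} off

# Redirect to one fixed HTTPS hostname instead of echoing the request's
# Host header, so the target never depends on client-supplied input.
# REQUEST_URI keeps the path; mod_rewrite re-appends the original query string.
# R=301 marks the move as permanent (a bare [R] sends a temporary 302);
# L stops further rule processing for this request.
RewriteRule ^ https://www.my-site-name.net%{REQUEST_URI} [R=301,L]
```

If TLS is terminated on a proxy in front of Apache, %{HTTPS} stays off for every request and this rule loops; in that setup the condition has to test whatever header the proxy sets instead.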
To test whether or not the HTTP->HTTPS redirection has successfully gone through, you can do the following:
- enter your-domain.com in the Google search bar;
- check if all of the indexed links have been properly redirected and are now using the HTTPS protocol.
Keep in mind that it will take some time until the Googlebot picks up the redirection.
Plus, you will need to submit an updated sitemap for your site.
Since the Search Console treats the HTTP and HTTPS versions as completely separate sites, you will need to add a new HTTPS property first and then re-submit your sitemap.
If you get mixed HTTP/HTTPS content warnings, you can fix them using tools like the SSL Insecure Content Fixer.