HTTPS for Everybody

Why would you need to browse the internet securely and privately at all times? The Guardian answers that question best in their article “The Guardian has moved to HTTPS 🔒”: https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https

By using HTTPS, internet service providers (ISPs) are not able to track the pages our readers are accessing. It means we protect the privacy of our readers when accessing content that may disclose political opinions, faith, sexual orientation or any information that may be used against them. It matches our core values. We believe that protecting our visitors is good internet citizenship.

Now, I have been trying to implement HTTPS for a long time but my hosting provider did not provide that service for my plan nor was there an initiative like Let’s Encrypt.

Let’s Encrypt provides free digital certificates to enable HTTPS (SSL/TLS) on websites. There have been, and still are, other free certificate providers, but they are not as widely recognized as valid by major internet browsers (more below). Let’s Encrypt has people on its board from Mozilla, Google and EFF, giving it credibility and acceptance by the Firefox and Chrome browsers.

The official documentation and recommendations for getting started with Let’s Encrypt are cryptic and confusing for non-nerds. Let me break the process down for you in simple(r) steps:

1. Do you have an SSL/TLS facility for your domain?

You will need to log in to your cPanel or wherever you manage your domain and files. Look for an area called Security and you should find options like “SSH Access” & “SSL/TLS” which allow you to install certificates for your domain.

If you don’t find these options, then chances are that your hosting package does not include HTTPS and you may need to upgrade or move elsewhere.

If you do find options for installing SSL Certificates on your domain, then read on.

2. Generate your SSL Certificate

At this point, you may notice your hosting provider can also generate SSL certificates and install them for you. This is an easier process, and most likely automated so you don’t have to worry about renewing your certificates and keeping them up-to-date.

But, chances are that the SSL certificate generated will be self-signed by your hosting provider – which can throw a “Certificate Not Trusted” error at your visitors and scare them away.

Your browser is programmed to accept certificates from a few signing authorities on the internet, such as Comodo, Symantec, GoDaddy and GlobalSign. These companies charge clients money for digitally signed SSL certificates and keep them valid.

Let’s Encrypt changes the game by providing digitally signed SSL certificates for free that are accepted by all major internet browsers.

To generate your Let’s Encrypt signed certificate, head over to a third-party website: https://zerossl.com/

2a. Click on “Online Tools” or “Certificates and Tools”

at https://zerossl.com/

2b. Click on “Start” under “FREE SSL Certificate Wizard”

On this page you can

  • Fill out your e-mail address and your domain/website address.
  • If this is your first time, leave the boxes for Let’s Encrypt Key and CSR (Certificate Signing Request) blank.
  • Leave the HTTP Verification option checked.
  • Then accept the TOS and SA and then…

2c. Click Next

This will generate your CSR. Copy it and save it in a place you can refer back to in the future.

2d. Click Next

This will generate your Let’s Encrypt Account Key. Copy it and save it also in a place you can refer back to in the future.

Click Next

2e. Verification

You will need to verify yourself as the owner of your domain/website. Follow the instructions on that page and then

Click Next

2f. Certificate

Download your Certificate and your Domain-Key (which is different from your account key)

3. Install your new Certificate

In your cPanel, go to SSL/TLS and head over to the section called “Manage SSL for your site”

  • Paste your new Certificate in the appropriate box
  • Paste the Domain Key in the box that says Private Key
  • Leave the CA Bundle Box empty
  • Install Certificate

4. Force WordPress to use HTTPS

For Complete Instructions, see: https://www.codexworld.com/adding-ssl-and-https-in-wordpress/

In your wp-config.php file add the following:

//Force SSL Login
define('FORCE_SSL_ADMIN', true);

//Force SSL on Content
define('FORCE_SSL_CONTENT', true);

In your .htaccess file, add the following snippet:

# Force HTTPS Sitewide
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

5. Updating/Renewing your certificate

The certificate issued at ZeroSSL is valid for 3 months. You need to remember to renew your certificate, or else your browser will throw a “Certificate Not Trusted” error at your visitors and scare them away again.

You can renew and extend your certificate’s validity anytime at https://zerossl.com/
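A reminder that does not rely on memory, as an added example (not part of the original post): it reads the expiry date of the certificate your site is serving and tells you when to renew. The 30-day threshold and the script name are assumptions.

```python
import socket
import ssl
import sys
import time

RENEW_BEFORE_DAYS = 30  # assumption: act once fewer than 30 days remain

def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter time (negative if past)."""
    expires = ssl.cert_time_to_seconds(not_after)  # e.g. "Apr  1 00:00:00 2025 GMT"
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def status(not_after, now=None):
    """Classify a notAfter string as OK, RENEW or EXPIRED."""
    left = days_left(not_after, now)
    if left < 0:
        return "EXPIRED"
    return "RENEW" if left < RENEW_BEFORE_DAYS else "OK"

def check_site(host, port=443, timeout=10):
    """Connect like a browser would and report the live certificate's status."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        # An expired or untrusted certificate fails here, as it would for visitors.
        return "UNTRUSTED: " + err.verify_message
    return "%s (%d days left)" % (status(not_after), days_left(not_after))

if __name__ == "__main__":
    # Hypothetical usage: python check_cert.py example.com
    print(check_site(sys.argv[1]))
```

Run it from a scheduled job and have it e-mail you whenever the output does not start with OK.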

You will need your Let’s Encrypt Account Key and Your Domain CSR which you had saved in a safe place earlier.

  • Click on “Online Tools” or “Certificates and Tools”
  • Click on “Start” under “FREE SSL Certificate Wizard”
  • Paste your Let’s Encrypt Account Key and your Domain CSR in the appropriate boxes (you don’t have to fill out your e-mail or domain).
  • Accept the TOS and SA and Click Next

Your new certificate will be generated immediately, but it is also bunched with the “CA Bundle”. My cPanel wants both the Certificate and the CA Bundle in separate text boxes. So make sure you are carefully reading all instructions.

  • In your cPanel head over to SSL/TLS and find “Manage SSL for your site”

You can update your existing certificate by pasting in the appropriate boxes.
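Splitting the combined download into the two cPanel boxes can be done by script rather than by hand, as in this added example (not part of the original post). It assumes the domain certificate is the first PEM block and everything after it is the CA bundle, and it refuses input that contains a private key so the key never lands in a certificate box.

```python
import re

# Matches one PEM certificate block; line endings are normalised afterwards.
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)

def split_chain(pem_text):
    """Return (certificate, ca_bundle) from a combined PEM download.

    Assumption: the first block is the domain certificate and every later
    block belongs to the CA bundle.
    """
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("input contains a private key; it belongs only in the Private Key box")
    blocks = [b.replace("\r\n", "\n") + "\n" for b in CERT_RE.findall(pem_text)]
    if not blocks:
        raise ValueError("no PEM certificate block found")
    return blocks[0], "".join(blocks[1:])

# Constructed sample: placeholder bodies, not real certificates.
SAMPLE = (
    "-----BEGIN CERTIFICATE-----\r\nLEAFplaceholder\r\n-----END CERTIFICATE-----\r\n"
    "\r\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEplaceholder\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    cert, bundle = split_chain(SAMPLE)
    print("Certificate box:\n" + cert)
    print("CA Bundle box:\n" + bundle)
```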
