Let’s Encrypt! Activating SSL on any website for free
I first heard about Let’s Encrypt on a podcast a couple of years ago. It was finally released several months ago now, and I hadn’t got round to activating it yet (partly because I thought it would be hassle).
It was actually really easy. Just a couple of shell commands was all it took. If you’re lucky, your hosting provider supports it and it’s even easier: just a matter of clicking a checkbox.
I use WordPress for this website, so I’ll outline how I did it. Full instructions are available via the official website and I’d advise you to check that because this article might be a bit out of date by the time you read it. This article will give you a short overview of what SSL is for, my experience configuring it, and give one or two tips on using it with WordPress.
There are a number of reasons for using SSL (I think it’s called TLS these days, but everyone seems to say SSL). If users can register on your site (even just to comment), then their data will be more secure when they are communicating with your website because it will be encrypted. This includes personal information, passwords for logging in and more.
Even if people can’t log in to your website, you probably log in to the backend often to update content. If everything is unencrypted, someone could intercept your password or a session cookie and hack into your site. I’ve never had this problem personally, but if you’re ever at a conference or in a café with unsecured wifi, then you’d be well advised not to log into your unsecured website.
Finally, even people who are just reading your site without logging in will have their communications protected. This doesn’t mean that people can’t snoop on them to find out what site they are visiting, but at least the content is encypted.
So this is how it’s done …
Step 1: activate Let’s Encrypt on your server
I’m with HostEurope, and they don’t directly support Let’s Encrypt. So if you’re on a managed solution without SSH access, then you’re out of luck. If you don’t know whether you’ve got SSH access, you might lack the technical skills to do this but depending on how important your website is, you might want to try anyway. If you’ve got Plesk installed, which I haven’t, you have to be careful about manipulating your server setup via the Shell so check that out before doing this.
If you are able to get into your server via SSH, then the next step is to download the Certbot client, which does all the hard work for you. Start off by entering some information about your system, then it will give you the commands you need. I just copied and pasted the basic commands without reading in detail (yes, a bit dangerous but I’m a trusting kind of guy) and it worked without any problems.
After installing (using wget, as outlined on their site), I ran the bot and let it configure my apache. The only slightly confusing thing is the first screen you get: I thought it was asking me to select one site to configure, so I highlighted that site. In fact, you have to deselect the ones you don’t want using the space bar.
Apart from that, it’s plain sailing. In one of the later screens, I chose to go full-on SSL by automatically redirecting http content to https.
Step 2: setup a cron job
This is important to do: a cron job makes sure the certificate is automatically renewed. Let’s Encrypt purposely issues certificates with a very short shelf-life because the system of revoking certificates is somewhat cumbersome. If they all lapse regularly, this helps to avoid the problem. Anyway, this was the most difficult part for me: I don’t often have to setup a cron job, and it took me a few minutes to come to terms with vi editor, which crontab uses. Anyway… it’s all out there, it’s not that difficult if you’re determined, and it’s almost pointless doing all this if you don’t get it set up.
Step 3: configure WordPress
The next step was to configure WordPress (although at first glance it seemed to work ok).
First, go into the settings and change the URL of your site. It will chuck you out after this, because the cookie is only valid for the http version of the site:
Then log in again and install the “Better search and replace” plugin. You can use this to change http to https internal URLs, e.g. images and internal links. So in my case, I replaced “http://johnheaven.eu” with “https://johnheaven.eu” (and don’t forget to do the same for “http://www. …” if necessary).