In This Guide
In This Guidex
With an SSL certificate, your website can leverage the HTTPS protocol to securely transfer information between point A and B. This is crucial when transferring sensitive information, like credit card data on checkout pages and Personally Identifiable Information (PII) on login and contact forms.
In addition to security benefits, websites using SSL get better rankings on Google and improved performance through the use of HTTP/2. It’s also important to understand that SSL does not protect your website. This guide is designed to show beginners and intermediate users how to deploy a free SSL certificate from Let’s Encrypt on their self-hosted websites.
It is now easier than ever to use HTTPS on your website. Beginners should start by having a conversation with their hosting company about what options they offer.
There are a few easy ways to add SSL to your website:
Regardless of the type of certificate you choose, the encryption and level of security is the same.
Some visitors recognize the additional authenticity and trust offered Extended Validation (EV) and Organization Validated (OV) certificates due to their rigorous validation process.
There are three types of certificates to be familiar with:
Domain Validated (DV)
DV certificates only need the Certificate Authority to verify that the user requesting the certificate owns and administers the domain. Visitors will see a lock icon in their address bar, but no specific information about the owner.
Organization Validated (OV)
OV certificates require a Certificate Authority to confirm the business making the request is registered and legitimate. When visitors click the green lock icon in their browser, the business name is listed.
Extended Validation (EV)
EV certificates require even more documentation for the Certificate Authority to validate the organization. Visitors will see the name of the business inside the address bar (in addition to clicking the lock icon).
It’s important you assess your preference when it comes to commercial or free certificates.
Commercial (paid) SSL certificates
These are a decent option for many website owners. Paying a Certificate Authority (or your hosting company) will often give you the benefits of technical support. The encryption level is the same as with free SSL certificates. The key differentiator will come in the level of support you get with your certificate.
Free SSL certificates
These are being spearheaded by the Let’s Encrypt initiative – an open collaboration between a number of global organizations focused on making SSL certificates accessible to all website owners.
Many hosts offer specific instructions on how to deploy free SSL certificates. Check with your host’s support channels and articles for more information before following this guide.
You can also get the benefits of SSL certificates through cloud providers, such as Content Delivery Networks (CDNs) and Website Application Firewalls (WAFs) solutions like Sucuri, who offer it at no additional charge.
These services are a proxy between the visitor and your website. By changing your domain records to point to their servers, they can cache your content to make your website faster and filter out malicious traffic. This also means that the browser recognizes which server IPs are connected to your domain, allowing for the use of DV certificates.
These providers can also work with your own SSL certificate. If you are a Sucuri customer, you can contact our technical support team for information and assistance.
If you are implementing an SSL certificate through your host, you may want to skip ahead to Step 3: Important Final Steps.
The following guide works best if you have a dedicated IP for your site (through a VPS or dedicated server). If you’re on a shared host, talk to your host about deploying Let’s Encrypt; a number of hosts have automated the process of deploying a Free SSL for shared hosting accounts. It is possible to use Server Name Indication (SNI) with one server IP address and generate certificates for all sites on the server.
The rest of this guide will assume you have full access and control of your web server.
You will need the following information about your server:
SSH Access Through cPanel
You can contact your host to obtain any missing information.
Now that you have all the required information, you can connect to your server and install a tool that will generate an SSL certificate.
From your computer, you need a way to log into your server and send SSH commands. If you are on a Mac, you can use Terminal (built-in application) and Windows can download PuTTY. Some hosts also offer a web interface for running commands on your server.
The instructions will vary depending on your server software and system. Some systems do not support Certbot, but you can find a list of other reputable clients that should work with your server environment.
Here is a quick overview of how you can get a free SSL certificate from Let’s Encrypt using the Certbot tool.
Overview of steps to use Certbot:
The following images and animations illustrate the entire process for a server using Apache on Ubuntu 16.04.
Manually removing “malicious” code from your website files can be extremely hazardous to the health of your website. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.
Using the instructions provided for your server, install any dependencies and the Certbot tool. The following images are an example of what you can expect.
If you are getting permission errors, check with your host to ensure your user has permissions to run administrative commands (i.e. sudo).
Continuing with the same set of instructions, the Get Started section will provide the commands needed to create the SSL certificate for your website. The following images are an example of what you can expect.
Make a Secure Backup
After generating the certificate, you’ll want to note the Important Notes shows the location of your Certbot configuration directory. This contains your account credentials, certificate, and private keys.
You should navigate to this location on your server and download a backup. If you aren’t sure how to do this, you can follow our post on how to make backups over the command line.
Now you have an active SSL certificate on your site! Your certificate will expire, however. Let’s Encrypt certificates are only valid for 90 days. You can automate this process so you don’t have to remember to manually renew the certificate.
It’s recommended to set the cron or systemd job to renew the certificate twice a day. Before you begin, note the location of your Certbot configuration directory from the previous step.
To schedule the cron job that renews the SSL certificate:
52 0,12 * * * root /var/log/letsencrypt/certbot-auto renew --quiet
Some server configurations may need to run additional commands to load the new certs.
You can view the full documentation on Certbot renewals for more information.
These charitable organizations are working to help make the internet a safer place for everyone. While these tools are free, you can donate to help support both Let’s Encrypt and Certbot.
While HTTPS is now an option on your site, the HTTP version of your site can still be accessed. Ideally, you should force all visitors (including search engines) to see the HTTPS version of your site. You should also take steps to fix mixed content warnings and update any proxy-based cloud services (such as firewalls and CDNs) to work with your new SSL certificate.
To force visitors to access your site only over HTTPS, you can edit your .htaccess file. You can find this in the root of your site, and you may need to show hidden files to find it.
There are other methods for Apache, such as using your virtual host file. If you use an IIS server you can follow instructions to use the URL Rewrite Module and nginx servers can use the nginx configuration file.
Copy this directive into the .htaccess file to redirect HTTP visitors to the HTTPS version of your site:
Code Snippet – Add into .htaccess file
Editing the .htaccess file can cause issues with more sites with complex structures. The rewrite below works best for websites on a dedicated server or VPS running Apache.
While your site is now available on HTTPS, you might still have resources linked to your website that load over HTTP. This includes things like images, videos, and external resources.
Browsers will block this content as “unsafe”, which can also cause broken functionality of your site and security warnings in browsers.
You can use the same SSH access that you used to generate the certificate to run a command and find any files that reference http:// directly.
To find resources loading over HTTP, run the following command:
grep -r "http://"
This will list all files to investigate in your server or CMS. Simply change all resource URLs from http:// to https:// or to a relative path.
You should also query your database or manually look through posts and pages for HTTP content. There are plugins and extensions available that can automate the process of rewriting URLS using HTTP to HTTPS (i.e. Really Simple SSL for WordPress).
If the HTTP resource is stored on your own website, we recommend using the relative directory and filename as follows.
The last thing to prepare for is the potential negative impacts of using HTTPS.Following the steps below should help to minimize them.
Once configured, add and verify the new HTTPS site in Google Search Console. This will allow you to recrawl your site and submit a new XML sitemap with your HTTPS URLs.
For many SEO elements like “rel=canonical” and Open Graph tags, it is advisable to use an absolute URL, as these are read externally by social media sites and search engine crawlers.
It’s important to note that there will be a period of normalization after applying SSL, but in the end, it is a confirmed ranking signal according to Google.
Similarly, social sharing counters for older content will likely become invalid. This is because now there is a new URL starting with HTTPS rather than HTTP, and many tools count each as a separate URL with its own engagement metrics.
HTTPS is a great thing for the internet as a whole, it helps keep communication secret between users and the websites they visit. SSL secures data in transit but does not secure the website itself.
Website security is more comprehensive than HTTPS/SSL alone and should be treated as such. Think of HTTPS/SSL as one of many security controls to consider when thinking about your website’s security. Deploying HTTPS/SSL on your website does little to ensuring your visitors are safe if you do not take other actions to ensure a secure environment.
We encourage website owners to think about website security holistically and consider leveraging a Website Security Platform that offers a complete suite of security controls: protection, detection, monitoring, and incident response. If you have more questions on how platforms work or questions about this article please direct them to our team at firstname.lastname@example.org.