The hour for SSL is nigh. Several customers have contacted us, worried about the new security warnings displaying in Chrome when they pull up their website with its URL that starts out with an http. This warning doesn’t mean your site has been hacked; it just means that you don’t have an SSL certificate set up for your website and your URL does not display as https. If you’re running a blog or other website for fun, you may not want to pay the approximately $60 per year that most hosting providers charge for an SSL certificate. Well, we have got some good news for you! You can, in fact, get a free SSL certificate… and it’s not that hard.
Please note: if you’re running an e-commerce website or another website that transmits sensitive data, we recommend that you purchase an SSL certificate commensurate with your needs. A free SSL certificate is not for you.
If you google “free SSL certificate,” a number of contenders come up. Letsencrypt.org was the top result in our search, and it sounds great! But when we looked at the implementation instructions, the eye-glazing began. “If you have shell access…” Oh no. We’d prefer not to run command lines on a UNIX server, thanks. Moving on.
Cloudflare Shared SSL
Instead, we turn to a topic we covered a few weeks ago: Cloudflare! As you can see, Cloudflare’s free plan offers a shared SSL certificate. A shared SSL certificate is simply one that’s used by multiple sites on the same IP address. By signing up for their free plan, you also get to enjoy all the other benefits of using Cloudflare like protection from DDoS attacks, so what do you have to lose?
It’s incredibly easy to set up a Cloudflare account; all you need to implement it on your domain is to create an account and copy out the two nameservers they give you. Simply log in to your domain registration account, and change your nameservers, and wait for them to propagate—a process that can take up to 48 hours, but generally happens in just a few. If you have custom DNS records set up to control your mail or something else, don’t worry. They’ll all be copied over to your new Cloudflare account. And from now on, you’ll manage your DNS records at Cloudflare instead of your domain registrar.
After that, you’ll need to get your site configured to work with the SSL certificate, i.e., changing your website’s URLs to https. If you’re running WordPress, you can go to Settings > General and change your site URL from http://yoursite.com to https://yoursite.com. Then, we recommend using a simple plugin we like called “Force HTTPS” to manage all the other assets on your website (images, for example). One weird thing we learned is that a very popular hosting provider that rhymes with “Slow Saddy” supposedly doesn’t let you use shared SSL certificates on its Managed WordPress packages. But this Cloudflare setup still works. Go figure.
If all of this reads like Greek, don’t hesitate to give us a call for help. Otherwise, enjoy your free SSL certificate and say goodbye to that insecure site warning!