Since the early 2010s, there has been a strong push towards security and encryption on the internet. To encourage encryption, Google will prioritize your site higher if it’s encrypted, even if your content is not as good.
In general, setting up an SSL certificate for your site is not that difficult, as long as you’re willing to let your hosting provider do that work for you and pay for their work.
For me, at 1and1, it costs around $70 per year for multi-subdomain SSL encryption per domain. They have a cheaper, single-domain certificate for $30 per year. Now you might think that neither $70 nor $30 seems that high. And that’s true, if you only have 1 or 2 domains. But what if you have 5 domains and you want encryption for the subdomains therein? Now you are looking at $350 per year for just encryption.
This is the reason I looked into Let’s Encrypt certificates. They are free, though I strongly recommend you donate to their efforts, and while not all hosting providers make it easy for you to use the Let’s Encrypt certificates, you can pretty much use them anywhere.
Important note: these instructions are for obtaining an SSL cert on a machine other than the host. If you run your own server, whether a VPS, a cloud instance, or an actual physical host, you should follow these instructions instead: https://certbot.eff.org/
However, if you are like me, and you have a shared hosting contract, cannot install certbot on the host, and therefore need to obtain the certificates on a different machine, please follow these instructions:
- Begin the process of getting the certificates by using --manual so the certificates are not installed locally when finished (you may need to run it with sudo, as certbot will create a log in /var/log/…).
sudo certbot certonly --manual
- Enter the appropriate email address
- Accept the terms of service
- Decide whether or not to share your email address
- Enter the domains for which you want to create a certificate. You can enter as many as you want; they just need to be comma-separated. For example:
domain1.com, sub.domain1.com, sub2.domain1.com, domain2.com, domain3.com, sub.domain3.com
- Enter Yes for the IP being logged
- For each domain you entered in the step above, you will need to validate ownership. For this step certbot will ask you to create a file under
- So if you entered 2 entries (domains or sub-domains) above, you will need to create 2 files under the location above. Below is an example:
Create a file containing just this data:
And make it available on your web server at this URL:
- In the example above you would do the following:
SSH to the host of your application or site
Navigate to /home/<your-username>/www/.well-known/acme-challenge
echo "xqIp_322onZb-HoSQOV2WOBxVjVbj9LBUEaEQ.F13uE1z6yJ7yryfWPyI_Wt3DrKfeCTp8UOVIfE" > xqIp_KmB32Zb-HoSQOV2MBxVjVbj9LBUEaEQ
- Do that for all of the entries.
- If the process is successful you should get this:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2018-05-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- At this point the certificates have been created and are ready for use. You will now need to copy them over to your host. The certificate is in the fullchain.pem file and the private key is in the privkey.pem file. In my case, I had to copy and paste the contents of both files into my hosting provider SSL manager tool.
- To view the certificate do this (note these are only examples)
sudo cat /etc/letsencrypt/live/domain.com/fullchain.pem
- Note there are “two” certificates; you only need to copy and paste the first one. Also, make sure to include the “Begin” and “End” certificate lines (copy lines 2 – 19)
- The same will apply to the private key under privkey.pem.
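Before pasting anything into the hosting provider's SSL manager, it helps to confirm that the first certificate in fullchain.pem really belongs to privkey.pem and to see how close it is to expiry. The script below is an added example, not part of the original post; the function names are made up for illustration and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: check fullchain.pem / privkey.pem before uploading them.
# Function names are illustrative; requires the openssl command-line tool.

# Print only the first certificate block of a chain file (your site's
# certificate), including its BEGIN and END lines.
leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         n == 1 { print }
         /-----END CERTIFICATE-----/ && n == 1 { exit }' "$1"
}

# Succeed only if the first certificate in CHAIN carries the public key
# that belongs to private key KEY. Compares public keys only; the private
# key is never printed.
cert_matches_key() {
    cert_pub=$(leaf_cert "$1" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    # An empty value means openssl could not parse the input: treat as mismatch.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the first certificate in CHAIN expires within DAYS days
# (or cannot be parsed), i.e. when it is time to renew.
expires_within_days() {
    ! leaf_cert "$1" | openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage with certbot's default layout (domain.com is a placeholder):
#   d=/etc/letsencrypt/live/domain.com
#   cert_matches_key "$d/fullchain.pem" "$d/privkey.pem" && echo "pair OK"
#   expires_within_days "$d/fullchain.pem" 30 && echo "renew soon"
```

Because the files under /etc/letsencrypt/live are readable only by root, run the checks in a root shell (for example via sudo sh) rather than copying privkey.pem somewhere more permissive.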
That’s it, you should now have FREE SSL encryption working on your host and you have saved enough money for a well-deserved cup of coffee.
- Don’t forget the certificate is only valid for 90 days. This means you will need to renew it 4 times per year.
- More information on certbot is here
- More information on Let’s Encrypt is here