Install LetsEncrypt SSL Certificate in GoDaddy

I get asked all the time – why are SSL certificates so expensive? How can LetsEncrypt offer free certificates?! Are they even important? It’s important to understand how certificates and certificate authorities work to verify that your site is secure for your users. Imagine you’re passing a note around a classroom; most likely, as the note is passed around the room, its contents are read by everyone who comes in contact with it, which is how HTTP works. Now imagine you’re putting the note in a locked box and have only given the key to one specific person at the front of the room; when each person around the room tries to read the note, they are unable to decipher the message – but when the person with the key receives the box they can successfully open it and read its contents. This is an obvious simplification – but that is how SSL certificates add a layer of security to ensure that anyone coming into contact with the request for the web page cannot decipher the message.

Now let’s talk about certificate authorities. Think of the certificates as passports; if you show up to the border with a valid American passport – you’ll likely be allowed through, but if you show up with a passport from an unknown country – it’ll be much harder to verify your identity. Certificates work in a similar way; certificates are distributed by trusted certificate authorities so that we don’t end up with a chicken or the egg problem. If a company can create and use their own certificates, so can anyone else – so how can you trust the identity of the company and their certificates? The answer is that you can pay for a certificate validated by a well-known certificate authority trusted by all major browsers, or you can use a free authority which does not validate domains as thoroughly as a big time certificate authority surely would.

When a user comes to your site, the certificate is recognized by your browser – and if it is signed by one of the valid certificate authorities the browser says the site is secure and you’re good to go! LetsEncrypt only validates whether or not you own the domain which the certificate is being installed onto. So while this may be OK for some websites and applications, it won’t work for some websites which need a higher level of security.

With all of that said, I frequently use LetsEncrypt certificates on WordPress websites as it costs nothing and allows clients to host their sites on HTTPS. The only real downside is you need to renew the certificate every 90 days unless a renewal script is set up. Just take a look at the tremendous growth of LetsEncrypt certificates. There are currently hundreds of millions of websites being secured by LetsEncrypt.

Borrowed from https://letsencrypt.org/stats/

Learn more about the details of LetsEncrypt here.

Installing the SSL Certificate on a WordPress site

I’m going to show how I install the certificate on this blog. I use a free SSL certificate wizard:

https://zerossl.com

Enter your email for reminders about expiry, and then enter the domain(s) for the certificate. Accept their TOS & the LetsEncrypt SA.

Click next and download the CSR text file, then click next again and download the account key text file.

Next we need to verify that we actually own the domain, so we need to create two files on our server, accessible to the internet, so that the authority can verify that we own the domain.

Under the root folder of your site, create two folders (nested):

/.well-known/acme-challenge/

Which is where the two files will be created. Create two files with the filenames, and contents, as listed in the screenshot.

You can verify that the files are accessible by clicking on the links on the page under the “File” column. You should see the text file, so click next and you will be told that your certificate is ready for install.
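The file-creation step above can be scripted and checked locally before clicking next. This is an added example, not part of the original post or of ZeroSSL; it assumes the wizard's values follow the standard ACME HTTP-01 format (file name = token, content = token, a dot, then the account key thumbprint), and the function names and sample values are made up for illustration.

```python
import re
import tempfile
from pathlib import Path

# ACME (RFC 8555) tokens use only the base64url alphabet, so a name with
# slashes or dots is rejected before it can be used as a path.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
CHALLENGE_DIR = Path(".well-known") / "acme-challenge"


def write_challenge(webroot, token, key_authorization):
    """Create <webroot>/.well-known/acme-challenge/<token>; return its path."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError(f"unsafe challenge file name: {token!r}")
    # The expected body is "<token>.<thumbprint of the account key>".
    if not key_authorization.startswith(token + "."):
        raise ValueError("file content does not start with the file name")
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(key_authorization.encode("ascii"))
    return path


def check_challenge(webroot, token, key_authorization):
    """Return the problems found with a challenge file (empty list = OK)."""
    path = Path(webroot) / CHALLENGE_DIR / token
    if not path.is_file():
        return [f"missing file: {path}"]
    body = path.read_bytes()
    if body.startswith(b"\xef\xbb\xbf"):
        return ["file starts with a UTF-8 BOM"]
    # RFC 8555 lets the CA ignore trailing whitespace; anything else must match.
    if body.rstrip() != key_authorization.encode("ascii"):
        return ["content does not match the expected value"]
    return []


if __name__ == "__main__":
    # Constructed values; the real ones come from the wizard's verification page.
    token = "CONSTRUCTEDtoken_123-abc"
    content = token + ".CONSTRUCTEDthumbprint456"
    with tempfile.TemporaryDirectory() as webroot:
        print(write_challenge(webroot, token, content))
        print(check_challenge(webroot, token, content) or "challenge file OK")
```

A byte-order mark added by a text editor is a common reason a file that looks correct in the browser still fails validation, which is why the check reads the raw bytes.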

I manage quite a few of my WordPress sites with cPanel, so if you’re using GoDaddy or another hosting solution – open your cPanel and go to “SSL / TLS” to manage your certificates. Click to install an SSL certificate for one of your websites.

  • Copy the first half of the first certificate and paste it into the CRT Certificate text-field
  • Copy the entire RSA private key and paste it into the private key field
  • Copy the second half of the first certificate and paste it into the Certificate Authority Bundle field (CABUNDLE)
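The copy-and-paste split described in the list above can be done mechanically, which also catches a truncated or mangled paste before it reaches cPanel. This is an added example, not code from the original post; it assumes the downloaded certificate file holds the domain certificate followed by the CA certificate as PEM blocks, and the function names and sample data are constructed placeholders rather than real certificates or keys.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def split_pem(text):
    """Return [(label, pem_text)] for each PEM block, rejecting damaged ones."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(2).split())
        base64.b64decode(body, validate=True)  # raises if the paste was mangled
        blocks.append((match.group(1), match.group(0) + "\n"))
    return blocks


def cpanel_fields(cert_text, key_text):
    """Map the two downloaded files onto cPanel's CRT, KEY and CABUNDLE fields."""
    certs = [pem for label, pem in split_pem(cert_text) if label == "CERTIFICATE"]
    keys = [pem for label, pem in split_pem(key_text)
            if label.endswith("PRIVATE KEY")]
    if len(certs) < 2:
        raise ValueError("need the domain certificate followed by the CA certificate")
    if len(keys) != 1:
        raise ValueError("need exactly one private key")
    # First block is the site's own certificate; everything after it is the chain.
    return {"crt": certs[0], "key": keys[0], "cabundle": "".join(certs[1:])}


def constructed_pem(label, payload):
    """Build a PEM-shaped block around placeholder bytes (not a real certificate)."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample input standing in for the wizard's two downloads.
SAMPLE_CERT_FILE = (
    constructed_pem("CERTIFICATE", b"constructed domain certificate")
    + "\n"
    + constructed_pem("CERTIFICATE", b"constructed CA certificate"))
SAMPLE_KEY_FILE = constructed_pem("RSA PRIVATE KEY", b"constructed private key")

if __name__ == "__main__":
    fields = cpanel_fields(SAMPLE_CERT_FILE, SAMPLE_KEY_FILE)
    for field, value in fields.items():
        # Print only the header line so key material never reaches the terminal.
        print(field, "->", value.splitlines()[0], f"({len(value)} chars)")
```

The check is structural only: it confirms each block is intact and lands in the right field, not that the private key belongs to the certificate.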

You should be able to install the certificate and then instantly be able to hit your website in HTTPS!

The last thing I recommend doing is forcing all requests over HTTPS, so if someone comes to your site using an http:// URL they’ll be instantly redirected to the HTTPS site. You can do this by editing, or creating, the .htaccess file at the root of your site.

# BEGIN HTTPS redirect
RewriteEngine On 
RewriteCond %{SERVER_PORT} !^443$ 
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END HTTPS redirect

If everything’s good, you should see that your browser recognizes your site as being secure.

And that’s it! I hope this helps. Until next time.