Activate HTTPS on your website

Getting Started

Nowadays, search engines expect you to have an SSL Certificate (a green lock beside the address bar) to promote user safety.  There are 4 ways to get SSL installed on your site:

  1. LetsEncrypt
  2. AutoSSL
  3. Buying an SSL Certificate
  4. Signing up for CloudFlare

LetsEncrypt

The great thing about LetsEncrypt is that it’s near-instant.  So long as your web server is running CentOS 6 or better, then SNI is supported, so you can activate SSL in bulk if you’d like.  The drawback is that clients using Windows XP SP3 or older will get an Untrusted Issuer certificate warning upon visiting LetsEncrypt-signed websites.  Do you really want those kinds of people on your website anyway? 🙂

AutoSSL

AutoSSL is cPanel’s solution, powered by their partnership with Comodo. This is the same thing as LetsEncrypt, only it’s signed by Comodo, so you get the legacy support, as you would by either getting CloudFlare Pro for $20/month or by purchasing an SSL certificate.

Buying an SSL Certificate

Depending on where you get your SSL certificate from, the costs can vary.  The result is basically the same, except for the type of certificate you buy.  Here are the basic types:

DV Certificate

DV stands for Domain Validated.  This is the minimum level of validation and assurance, and as such is usually the cheapest.  Gets you a green lock.

OV Certificate

OV stands for Organization Validated.  This is an Organization/Company registered certificate, usually for bigger businesses that require site seals and such.  Gets you a green lock.  Takes a few days depending on the vendor.

EV Certificate

EV stands for Extended Validation.  This is the standard for Banking and Security institutions, as it “extends” the lock into a bar with the Company name and Country in the address bar of most browsers.  This requires the most validation and takes a good bit of time to get, but you get a shiny green bar that inspires user confidence when making a purchase.

Post-Install

After you’ve established Free or Paid SSL for your site, now comes the next problem.  There are 2 main things that most people get hung up on:

Mixed Content

If you’re loading your site over HTTPS, then your resources should also be loaded over HTTPS.  Oftentimes SSL will be installed correctly, but browsing to the site reveals a broken lock.  You can use a free tool like WhyNoPadlock to find out which resources are loading via HTTP.  So far so good, but how do you fix it? Easy!

Converting to Relative URLs

A lot of times, upon viewing the source of your website, you might see snippets like:

src="http://www.mywebsite.com/assets/img/image.png"

You want to change this to one of the following:

src="https://www.mywebsite.com/assets/img/image.png"
src="//www.mywebsite.com/assets/img/image.png"
src="/assets/img/image.png"
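
An added example (not from the original post) that automates the hunt described under Mixed Content and Converting to Relative URLs: it parses a page's HTML, flags subresources still requested over http://, and suggests the replacement. The sample markup and the host cdn.example.net are constructed, and srcset attributes and CSS url() references are outside its scope.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# (tag, attribute) pairs that make the browser fetch a subresource. A plain
# <a href> is navigation, not mixed content, so it is deliberately absent.
FETCHING = {("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
            ("audio", "src"), ("video", "src"), ("source", "src"), ("link", "href")}

class MixedContentFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.own = {site_host.lower(), site_host.lower() + ":80"}
        self.findings = []  # (line, tag, old URL, suggested URL)

    def handle_starttag(self, tag, attrs):
        # <link> only loads a resource for some rel values; canonical/alternate do not.
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and not {"stylesheet", "icon"} & set(rel.split()):
            return
        for name, value in attrs:
            if (tag, name) in FETCHING and value:
                url = urlsplit(value.strip())
                if url.scheme == "http":
                    self.findings.append((self.getpos()[0], tag, value, self.suggest(url)))

    def suggest(self, url):
        if url.netloc.lower() in self.own:
            # Same site: a root-relative URL follows whatever scheme the page used.
            return url._replace(scheme="", netloc="", path=url.path or "/").geturl()
        # Third party: only correct if that host really serves the file over HTTPS.
        return url._replace(scheme="https").geturl()

def find_mixed_content(html, site_host):
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; cdn.example.net is a made-up third-party host.
SAMPLE = """\
<link rel="stylesheet" href="http://www.mywebsite.com/assets/css/site.css">
<img src="http://www.mywebsite.com/assets/img/image.png">
<script src="http://cdn.example.net/lib.js?v=3"></script>
<a href="http://www.mywebsite.com/about">About</a>
<img src="/assets/img/ok.png">
"""

if __name__ == "__main__":
    for line, tag, old, new in find_mixed_content(SAMPLE, "www.mywebsite.com"):
        print(f"line {line}: <{tag}> {old} -> {new}")
```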

Default Redirect to HTTPS

There are a few ways to do this, depending on your website’s software.  The first method is by editing the .htaccess file in your site’s folder, most often public_html or html.

The idea with the following rewrite is that if the server’s port isn’t 443 or HTTPS isn’t on, then redirect to the desired domain with the same URL that was requested:

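<IfModule mod_rewrite.c>
  RewriteEngine On
  # Match any request that did not arrive on port 443 ...
  RewriteCond %{SERVER_PORT} !^443$ [OR]
  # ... or that Apache does not flag as HTTPS
  RewriteCond %{HTTPS} !=on
  # Send a permanent (301) redirect to the same path on the HTTPS site
  RewriteRule ^(.*)$ https://www.mywebsite.com/$1 [R=301,L]
</IfModule>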
