Setting up encrypted (HTTPS) access with Let’s Encrypt

1. Why encrypt?

As our dependency on the internet has grown, the risk to users’ privacy and safety has grown along with it. Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace. Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators. When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services. … By using private connections by default, changed expectations make everyone safer.

CIO.GOV

Though the content of your website is public, not every visitor wants everyone knowing what they’ve been reading. Perhaps even more relevant for Domain of One’s Own users, the content of your website is not the only information that is transmitted when someone visits your site. And it is easier to eavesdrop on those transmissions than many people realize.

Establishing an encrypted connection on your website is easy, and it protects your visitors from a variety of privacy invasions.

2. Setting up your security certificate with Let's Encrypt

In your umw.domains dashboard, find and click on “Let’s Encrypt for cPanel” (under Security).


Under “Issue a new certificate,” check the boxes for the domains and subdomains you want to encrypt. (Be sure to include the main (sub)domain and the www alias.)


Click “Issue Multiple.”

On the “Let’s Encrypt SSL” page that loads, keep the default boxes checked, and click “Issue.”


You should get a confirmation message when complete (it could take a few minutes) saying that Apache (your web server software) is restarting. If so, you’ve got your security certificate set up! Click “Go Back” to view the details, if you like.

3. Making your website default to a secure connection

Adding a security certificate doesn’t mean all connections to your website will be secure. You need to tell your website(s) to default to secure HTTPS connections, rather than the standard and unencrypted HTTP connections. This is important for two reasons.

  1. When people type your URL into their browser, they rarely type out https:// beforehand, relying on their browser to add that. Browsers, however, still tend to add http:// automatically instead of the more secure https://. (If you’d like to make your browser default to HTTPS when available, install the HTTPS Everywhere plugin from the Electronic Frontier Foundation.)
  2. Links to your website from elsewhere on the internet will include the http:// that your website used to use, and you can’t update everyone’s links for them!

The easy way

When installing a new site in Installatron, simply choose https://yoursite.com instead of http://yoursite.com as the domain to install it into. That’s it! You’re ready to go!

If you already have a WordPress site, log in to your dashboard, go to Settings >> General, and change the WordPress Address and Site Address from http to https.

The hard way

If you don’t use WordPress and can’t find an automated way to update your site’s default from http to https, you can do it manually with a text editor and a little elbow grease.

To make browsers default to a secure connection with your website, create a new text file on your computer using a text editor (not a word processor!) like TextEdit, TextMate, Notepad, etc. Put the following text and nothing else in that file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Then save the file with the name htaccess (not htaccess.txt).

Then in your dashboard, go to the File Manager. Make sure you are in your “public_html” folder. (If not, navigate to it.)


Then click upload and drag your new file into the upload box that appears.


Go back to the File Manager and right-click (ctrl-click on a Mac) on the newly uploaded file, and in the menu that comes up, click “Rename.”

Change the file name from “htaccess” to “.htaccess”. (This will make the file hidden. You will no longer see it in the File Manager.)

If you don’t get an error message, you’re good! Now when you visit your domain, you should see the “https://” and the little padlock icon (varies by browser) automatically. Connections to your website are now secure and encrypted by default.

If .htaccess already exists…

However, you may get an error message saying that .htaccess already exists.

If so, click on “Settings” in File Manager (upper right corner), and in the menu that pops up, check the box for “Show Hidden Files (dotfiles)”.


Back in the File Manager, right-click on the .htaccess file that appears, and select “Code Edit”.

Paste the following code at the end of the file that appears (same as above):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Then click “Save Changes” and close the editor.

Now when you visit your domain, you should see the “https://” and the little padlock icon (varies by browser) automatically. Connections to your website are now secure and encrypted by default.
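
To confirm the redirect is really in effect (for example, that other rules in an existing .htaccess are not answering the request first), the check below requests a page over plain HTTP without following redirects and compares the response with what the rule above should send. This is an added example, not part of the original tutorial; example.com, the script name and the sample responses are constructed placeholders.

```python
import http.client
import sys
from urllib.parse import urlsplit


def fetch_no_follow(host, path="/", timeout=10):
    """One plain-HTTP GET; returns (status, Location) without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_redirect(status, location, host, path):
    """Compare a response with what the rule should send; [] means it matches."""
    problems = []
    if status != 301:  # the rule uses R=301
        problems.append(f"expected status 301, got {status}")
    if not location:
        problems.append("no Location header, so the request was served over HTTP")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target uses {target.scheme or 'no scheme'}, not https")
    if (target.hostname or "") != host.lower():  # rule keeps %{HTTP_HOST}
        problems.append(f"redirect changes host to {target.hostname}")
    got = target.path + ("?" + target.query if target.query else "")
    if got != path:  # rule keeps %{REQUEST_URI}; the query string is carried over
        problems.append(f"redirect changes path to {got}")
    return problems


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "rule active": (301, "https://example.com/blog/?p=1", "example.com", "/blog/?p=1"),
    "rule not reached": (200, None, "example.com", "/blog/?p=1"),
    "wrong redirect": (302, "http://example.com/", "example.com", "/"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_https.py yourdomain.example /page
        host, path = sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/"
        print(check_redirect(*fetch_no_follow(host, path), host, path) or "OK")
    else:
        for name, sample in SAMPLES.items():
            print(name, "->", check_redirect(*sample) or "OK")
```

Run it with your own domain and a deep link (a post or page URL, not just the home page), since old links from elsewhere point at inner pages as well.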
