Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
In July of 2018, my web host, iPage.com , offered me free SSL via Letās Encrypt. I accepted the āchallengeā and I went through all that process. I succeeded in implementing SSL on my site saliu.com in a couple of hours.
For the most part, Letās Encrypt SSL worked correctly. There were issues, however. Out of the blue, pages on my site were rendered ānot safeā by browsers! The issue was: *āThe saliu.com site tries to steal the SSL certificate of .bizland.comā . What?
Then, the warnings disappeared. Then, they reappeared randomly. In any event, I accepted the infrequent issues. I hoped my web host would resolve the issue permanently. They assured me of that in an email.
The worst happened on September 29, 2018. The browsers informed me that the free Letās Encrypt SSL certificate was valid from 7/1/2018 to 9/29/2018! What? Nobody informed me about an expiration date!
I contacted my web host several times. They always promised me the SSL issues on my site will be timely resolved. Time has passed, and my site looks now much worse in browsers than when it was simple (and still secure) http .
Whatās going on, folks? This is a grave issue with severe legal implications. Iāve lost business and get legal threats from customers. They canāt download my software. They are scared to death to access my Web site!
Thank you for any assistance.
Ion Saliu,
Webmaster At-Large
āA good man is an axiomatic man; an axiomatic man is a happy man. Be axiomatic!ā
That was probably a problem with your hosting provider: the website presented the wrong certificate to your browser.
If your hosting provider handle the creation of the certificate it should handle the renewal too. All certificates, free or not, expired one day. (The advantage on Let's Encrypt it that the renewal can be automated)
http was and will never be secure. With http you can't be sure that the website you send to your visitor will be the one they will see: sometimes ads are inserted without your knowledge, sometimes tracking cookies. And if your visitors have to fill forms, all data they submit can be read, or modified by anyone on the network! An interesting read: Troy Hunt: Here's Why Your Static Website Needs HTTPS
Could you provide a screenshot of how you ask for https/certificate on your hosting provider?
So you needed to manually implement the challenge? There wasn't just a button to press in your control panel? Because most of the time, a hoster which implements Let's Encrypt does so by providing a plugin in their control panel to take care of everything. Unfortunately, there are a lot of hosters not implementing such an automated system. If your hoster is one of the latter, you should change hosting provider to one which does provide automated implementation.
What is the lifetime for Letās Encrypt certificates? For how long are they valid?
Our certificates are valid for 90 days. You can read about why here.
There is no way to adjust this, there are no exceptions. We recommend automatically renewing your certificates every 60 days.
I guess you chose for a sub-optimal hosting provider. Unfortunately, this could be just the only thing they don't implement implement and you couldn't have known this before.
You might not live in an English-speaking country, but thatās OK. Perhaps I should have made myself clearer.
The free Letās Encrypt SSL certificate for my site was implemented by my web host. The only thing I did manually was the 301 redirect to https I added to my htaccess file.
As I said, the free SSL worked properly for the most part. The infrequent issues were real though. My web host didnāt know how to solve the problem.
Apparently, my web host iPage.com did NOT know about an expiration date. Obviously, they should have taken care of the renewal. Looks like they still donāt know how to renew the free Letās Encrypt SSL certificate. Thatās what causes the severe problems now. The Control Panel still offers the free Letās Encrypt SSL service to their customers!
You sez: āā¦ you should change hosting providerā¦ā
Are you serious? Changing hosting is a gigantic headache leading to serious business losses, visitor frustration, ranking hits, etc. Besides, my current host is pretty good. My site is pretty fast, uptime is great, never hit by malware or hack attacks. My previous host, GoDaddy, was a real technical nightmare!
I want to thank you for your response. I learned useful things from it.
Curiously, after reading your reply, the iPage free SSL worked on my saliu.com site until 9/29/2018 (the expiration date). Again, some errors popped up randomly, but not frequently. There was a reference to a *.bizland.com (or something like that) ā as if my site tried to āstealā the SSL certificate issued to that bizland .
The iPage tech support keeps emailing me that they are working on it. They promised a ātimelyā solution, but would-be visitors to my site still see that terrible warning (Chrome is devilish in this regard)!
I even asked iPage if the āfree SSLā was simply a bait. That is, after you commit effort in changing to https, you donāt want to go back to http. So, they somehow force you to pay for an SSL certificate (they offer Comodo). I told them if it was the case and I would consider buying a so-called āwild SSLā (one domain with multiple subdomains). No response yet.
Is iPage still a supported host by you? I didnāt seem to find that name on your lists. Did Letās Encrypt revoke the free SSL certificate issued to iPage ?
In any event, to ameliorate the damage, I removed the ā301 redirect to httpsā from my htaccess file. But there are still inbound links pointing to https pages on my siteā¦
Ion Saliu,
Webmaster At-Large
āA good man is an axiomatic man; an axiomatic man is a happy man. Be axiomatic!ā
On the other hand, I sense Google and other browser companies are going to suffer legal trouble. Google Chrome especially is liable with that ānot secureā warning in front of all http URLs. The legally correct message should read: ānot encryptedā. Better still, the browsers should just show an i in front of the page (more like Firefox). The https URLs get a lot of leverage by displaying the lock.
but this is simply informational and intended to help users choose hosting providers who are known to support Let's Encrypt. It's not a list of entities that Let's Encrypt has relationships with.
Let's Encrypt did not revoke certificates for your site. If it had, the error users saw would be totally different. Instead, your certificates expired normally on the expected schedule. Your hosting provider apparently failed to renew them. If the hosting provider obtains certificates for customers, renewing those certificates is also the hosting provider's responsibility.
Sorry for the delay. I finally decided to take a screenshot. This is from my Control Panel. I open the Security tab for my domain. I have the option to Enable or Disable the Letās Encrypt Free SSL. Hopefully, Iāll be able to download or show here the screenshot:
As you can see, I enabled Letās Encrypt Free SSL. The feature worked most of the time until September 29, 2018, when the certificate expired. I also added the ā301 redirect to httpsā to my htaccess file.
With just that one press on a button? Because earlier you said:
Pressing a single button normally doesn't take a couple of hours in my experience.
I'm still trying to get my head around on how your hosting provider actually provides the Let's Encrypt option. Although I agree the screenshot would suggest the hosting provider should be responsible for renewing the certificate.
No offense, axiomatic one. Methinks linguistics brings about some misunderstanding. Also, I should have been clearer, as per my first reply.
Yes, just a press of a buttonā¦ it was that easy! Then, a few more minutes to edit my htaccess file by adding the ā301 redirect to httpsā. It was pretty fast.
Then, I waited a couple of hours for SSL to take effect.
Thatās what I meant. I checked first after about half an hour but https was not in effect.
I thought you was an employee of Letās Encrypt . This is my first day here.
I did what you said a few times. I enabled, then disabledā¦ and againā¦ The problem didnāt go away. The tech support did also the same thing.
*The iPage tech support informed me that the problem I reported affected ALL domains that enabled Letās Encrypt Free SSL.
The curious thing is somebody, or the system, did disable the Letās Encrypt Free SSL. It wasnāt me. I donāt know who did it and why. Iāve had no answer from my host.
Now, I uploaded the old htaccess , the file my site had before this https debacle and headache.
āYou can get a wildcard certificate from Letās Encrypt for free.ā
My webhost is strict about SSL certificates. The host states: āDedicated SSL certificatesā do not work with a domain with multiple subdomains, like my domain. The host accepts only the form of Letās Encrypt that I described here. Dedicated for them means from outside the hosting.
They offer a paid-for Comodo SSL and itās possible they want me to go there. The āfreebieā I was offered was bait! The only option I have with multiple subdomains is the hostās Comodo.
That's a money-making tactic employed by your hosting provider. Let's Encrypt has no such restriction. Multiple domain and wildcard certificates are also free.
āThatās a money-making tactic employed by your hosting provider. Letās Encrypt has no such restriction. Multiple domain and wildcard certificates are also free.ā
Mea culpa again! I wasnāt clear enough. The Letās Encrypt Free SSL for my domain was a āwild cardā type. It worked with ALL my subdomains. Also, the subdomains experienced the same infrequent issues I described before. The free SSL ādiedā on all domains at the same time on 9/29/2018.
The webhost either doesnāt know how to do automatic renewals, OR they used the freebie as bait. Right at this moment, I go in the direction of paying a hundred bucks for a Comodo. This freebie threw me into a deep nightmare!
If any of those statements are true, the answer is that you deserve a better hosting company and it is time to move on. Your certificate expired 2 days ago and you only get from ipage 'it will be solved in a timely manner...' that is unacceptable.
Anyway, I doubt they are using the freebie as bait because of one of the core features they are offering with their hosting is a Free SSL Certificate.
I suppose that you could get a better deal if your hosting company is a Comodo's reseller but a Wilcard Certificate from Comdo costs $199/yr Cheap Wildcard SSL Certificate, Comodo Wildcard SSL, Wildcard Certificate also, keep in mind that usually, a wildcard certificate covers ONLY subdomains, that is, it covers *.saliu.com (www.saliu.com, webmail.saliu.com, whatever.saliu.com, etc.) but it doesn't cover saliu.com nor www.subdomain.saliu.com so before buy a certificate, you should double check whether it covers *.saliu.com AND saliu.com OR only *.saliu.com. Anyway, if your hosting company doesn't know how to renew and apply a free certificate I don't know how they would be able to apply any kind of certificate.
I would say, My hosting company doesn't know how to manage the services they are offering and this is threwing me into a deep nightmare.
You could share this thread with you hosting support and if they are having issues to renew the certificate they could ask here for some help.
I hope your hosting company can resolve this issue as soon as possible.
