Free SSL Can Lead to HUGE Headaches


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: saliu.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: ipage.com

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes


#2

Free SSL Can Lead to HUGE Headaches

In July of 2018, my web host, iPage.com, offered me free SSL via Let’s Encrypt. I accepted the “challenge” and I went through all that process. I succeeded in implementing SSL on my site saliu.com in a couple of hours.

For the most part, Let’s Encrypt SSL worked correctly. There were issues, however. Out of the blue, pages on my site were rendered “not safe” by browsers! The issue was: “The saliu.com site tries to steal the SSL certificate of .bizland.com”. What?

Then, the warnings disappeared. Then, they reappeared randomly. In any event, I accepted the infrequent issues. I hoped my web host would resolve the issue permanently. They assured me of that in an email.

The worst happened on September 29, 2018. The browsers informed me that the free Let’s Encrypt SSL certificate was valid from 7/1/2018 to 9/29/2018! What? Nobody informed me about an expiration date!

I contacted my web host several times. They always promised me the SSL issues on my site will be timely resolved. Time has passed, and my site looks now much worse in browsers than when it was simple (and still secure) http.

What’s going on, folks? This is a grave issue with severe legal implications. I’ve lost business and get legal threats from customers. They can’t download my software. They are scared to death to access my Web site!

Thank you for any assistance.

Ion Saliu,

Webmaster At-Large

“A good man is an axiomatic man; an axiomatic man is a happy man. Be axiomatic!”


#3

That was probably a problem with your hosting provider: the website presented the wrong certificate to your browser.

If your hosting provider handles the creation of the certificate, it should handle the renewal too. All certificates, free or not, expire one day. (The advantage of Let’s Encrypt is that the renewal can be automated.)

http never was and never will be secure. With http you can’t be sure that the website you send to your visitor will be the one they will see: sometimes ads are inserted without your knowledge, sometimes tracking cookies. And if your visitors have to fill forms, all data they submit can be read, or modified by anyone on the network! An interesting read: https://www.troyhunt.com/heres-why-your-static-website-needs-https/

Could you provide a screenshot of how you ask for https/certificate on your hosting provider?


#4

So you needed to manually implement the challenge? There wasn’t just a button to press in your control panel? Because most of the time, a hoster which implements Let’s Encrypt does so by providing a plugin in their control panel to take care of everything. Unfortunately, there are a lot of hosters not implementing such an automated system. If your hoster is one of the latter, you should change hosting provider to one which does provide automated implementation.

See the Web Hosting who support Let’s Encrypt thread for more info.

That’s not something Let’s Encrypt can prevent, nor does Let’s Encrypt’s certificate itself cause such a thing. Only your hoster is to blame.

See https://letsencrypt.org/docs/faq/#what-is-the-lifetime-for-let-s-encrypt-certificates-for-how-long-are-they-valid

What is the lifetime for Let’s Encrypt certificates? For how long are they valid?
Our certificates are valid for 90 days. You can read about why here.

There is no way to adjust this, there are no exceptions. We recommend automatically renewing your certificates every 60 days.

I guess you chose a sub-optimal hosting provider. Unfortunately, this could be just the only thing they don’t implement and you couldn’t have known this before.


#5

Osiris, Brother and Husband of Isis –

Axiomatic One:

You might not live in an English-speaking country, but that’s OK. Perhaps I should have made myself clearer.

  1. The free Let’s Encrypt SSL certificate for my site was implemented by my web host. The only thing I did manually was the 301 redirect to https I added to my htaccess file.

  2. As I said, the free SSL worked properly for the most part. The infrequent issues were real though. My web host didn’t know how to solve the problem.

  3. Apparently, my web host iPage.com did NOT know about an expiration date. Obviously, they should have taken care of the renewal. Looks like they still don’t know how to renew the free Let’s Encrypt SSL certificate. That’s what causes the severe problems now. The Control Panel still offers the free Let’s Encrypt SSL service to their customers!

  4. You sez: “… you should change hosting provider…”
    Are you serious? Changing hosting is a gigantic headache leading to serious business losses, visitor frustration, ranking hits, etc. Besides, my current host is pretty good. My site is pretty fast, uptime is great, never hit by malware or hack attacks. My previous host, GoDaddy, was a real technical nightmare!

I want to thank you for your response. I learned useful things from it.


#6

Hi @Ion_Saliu

using Google

letsencrypt site:ipage.com

is curious. There

https://www.ipage.com/ssl-certificate

is no free Letsencrypt certificate offered. Free is *.ipage.com, but if you want to encrypt your own domain, you have to pay for a Comodo certificate.

A blog entry (Jan 17, 2018)

is “very low”. Something like

If you want to take payments through your site, you must buy an SSL certificate.

is wrong. And the blog doesn’t use https - October 2018.

So it looks like iPage doesn’t really want to offer Letsencrypt certificates with shared hosting.

The features page

https://www.ipage.com/web-hosting

There is the same.

Free SSL Certificate

completely unclear. Perhaps you should ask the support if this works only with *.ipage.com.


#7

JuergenAuer

Axiomatic One:

Thank you for your insightful response.

Curiously, after reading your reply, the iPage free SSL worked on my saliu.com site until 9/29/2018 (the expiration date). Again, some errors popped up randomly, but not frequently. There was a reference to a *.bizland.com (or something like that), as if my site tried to “steal” the SSL certificate issued to that bizland.

The iPage tech support keeps emailing me that they are working on it. They promised a “timely” solution, but would-be visitors to my site still see that terrible warning (Chrome is devilish in this regard)!

I even asked iPage if the “free SSL” was simply a bait. That is, after you commit effort in changing to https, you don’t want to go back to http. So, they somehow force you to pay for an SSL certificate (they offer Comodo). I told them if it was the case and I would consider buying a so-called “wild SSL” (one domain with multiple subdomains). No response yet.

Is iPage still a supported host by you? I didn’t seem to find that name on your lists. Did Let’s Encrypt revoke the free SSL certificate issued to iPage?

In any event, to ameliorate the damage, I removed the ‘301 redirect to https’ from my htaccess file. But there are still inbound links pointing to https pages on my site…

Ion Saliu,

Webmaster At-Large

“A good man is an axiomatic man; an axiomatic man is a happy man. Be axiomatic!”


#8

On the other hand, I sense Google and other browser companies are going to suffer legal trouble. Google Chrome especially is liable with that ‘not secure’ warning in front of all http URLs. The legally correct message should read: ‘not encrypted’. Better still, the browsers should just show an i in front of the page (more like Firefox). The https URLs get a lot of leverage by displaying the lock.


#9

Every certificate has an expiration day. Letsencrypt certificates are valid for 90 days.

So if a company installs a Letsencrypt certificate without a renew job, this is completely bad and terrible. There is no excuse.

What do you mean? I am a freelancer from Berlin, I have my own service.


#10

Hosting providers don’t need a contract or agreement with Let’s Encrypt in order to obtain and use Let’s Encrypt certificates.

There is a list at

but this is simply informational and intended to help users choose hosting providers who are known to support Let’s Encrypt. It’s not a list of entities that Let’s Encrypt has relationships with.

Let’s Encrypt did not revoke certificates for your site. If it had, the error users saw would be totally different. Instead, your certificates expired normally on the expected schedule. Your hosting provider apparently failed to renew them. If the hosting provider obtains certificates for customers, renewing those certificates is also the hosting provider’s responsibility.


#11

You can get a wildcard certificate from Let’s Encrypt for free.


#12

tdelmas

Axiomatic One:

Sorry for the delay. I finally decided to take a screenshot. This is from my Control Panel. I open the Security tab for my domain. I have the option to Enable or Disable the Let’s Encrypt Free SSL. Hopefully, I’ll be able to download or show here the screenshot:

As you can see, I enabled Let’s Encrypt Free SSL. The feature worked most of the time until September 29, 2018, when the certificate expired. I also added the ‘301 redirect to https’ to my htaccess file.


#13

With just that one press on a button? Because earlier you said:

Pressing a single button normally doesn’t take a couple of hours in my experience.

I’m still trying to get my head around on how your hosting provider actually provides the Let’s Encrypt option. Although I agree the screenshot would suggest the hosting provider should be responsible for renewing the certificate.


#14

Disable it. Wait one minute.

Enable it again.

Are there other things you’ve changed? Or did you delete some files?


#15

Osiris

No offense, axiomatic one. Methinks linguistics brings about some misunderstanding. Also, I should have been clearer, as per my first reply.

Yes, just a press of a button… it was that easy! Then, a few more minutes to edit my htaccess file by adding the ‘301 redirect to https’. It was pretty fast.

Then, I waited a couple of hours for SSL to take effect.

That’s what I meant. I checked first after about half an hour but https was not in effect.


#16

JuergenAuer

Axiomatic One:

I thought you were an employee of Let’s Encrypt. This is my first day here.

I did what you said a few times. I enabled, then disabled… and again… The problem didn’t go away. The tech support also did the same thing.

The iPage tech support informed me that the problem I reported affected ALL domains that enabled Let’s Encrypt Free SSL.

The curious thing is somebody, or the system, did disable the Let’s Encrypt Free SSL. It wasn’t me. I don’t know who did it and why. I’ve had no answer from my host.

Now, I uploaded the old htaccess, the file my site had before this https debacle and headache.


#17

Osiris

Axiomatic One:

“You can get a wildcard certificate from Let’s Encrypt for free.”

My webhost is strict about SSL certificates. The host states: “Dedicated SSL certificates” do not work with a domain with multiple subdomains, like my domain. The host accepts only the form of Let’s Encrypt that I described here. Dedicated for them means from outside the hosting.

They offer a paid-for Comodo SSL and it’s possible they want me to go there. The “freebie” I was offered was bait! The only option I have with multiple subdomains is the host’s Comodo.


#18

That’s a money-making tactic employed by your hosting provider. Let’s Encrypt has no such restriction. Multiple domain and wildcard certificates are also free.


#19

jared.m

Axiomatic One:

“That’s a money-making tactic employed by your hosting provider. Let’s Encrypt has no such restriction. Multiple domain and wildcard certificates are also free.”

Mea culpa again! I wasn’t clear enough. The Let’s Encrypt Free SSL for my domain was a “wild card” type. It worked with ALL my subdomains. Also, the subdomains experienced the same infrequent issues I described before. The free SSL “died” on all domains at the same time on 9/29/2018.

The webhost either doesn’t know how to do automatic renewals, OR they used the freebie as bait. Right at this moment, I go in the direction of paying a hundred bucks for a Comodo. This freebie threw me into a deep nightmare!


#20

Hi @Ion_Saliu,

If any of those statements are true, the answer is that you deserve a better hosting company and it is time to move on. Your certificate expired 2 days ago and you only get from ipage ‘it will be solved in a timely manner…’ that is unacceptable.

Anyway, I doubt they are using the freebie as bait, because one of the core features they are offering with their hosting is a Free SSL Certificate.

I suppose that you could get a better deal if your hosting company is a Comodo reseller, but a Wildcard Certificate from Comodo costs $199/yr https://comodosslstore.com/comodo-wildcard-ssl.aspx. Also, keep in mind that usually a wildcard certificate covers ONLY subdomains, that is, it covers *.saliu.com (www.saliu.com, webmail.saliu.com, whatever.saliu.com, etc.) but it doesn’t cover saliu.com nor www.subdomain.saliu.com, so before buying a certificate, you should double check whether it covers *.saliu.com AND saliu.com OR only *.saliu.com. Anyway, if your hosting company doesn’t know how to renew and apply a free certificate, I don’t know how they would be able to apply any kind of certificate.

I would say, My hosting company doesn’t know how to manage the services they are offering and this is throwing me into a deep nightmare.

You could share this thread with your hosting support, and if they are having issues renewing the certificate they could ask here for some help.

I hope your hosting company can resolve this issue as soon as possible.

Good luck,
sahsanu
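
An added example, not part of the thread or of any Let’s Encrypt tooling: the three conditions discussed above (a certificate for another name such as *.bizland.com, a wildcard that does not cover the bare domain, and a certificate past its 90-day lifetime) expressed as one check. The name lists are constructed for illustration, the dates are the ones quoted in post #2, and the function names and the 30-day renewal margin (renewing at day 60 of 90) are assumptions of this sketch.

```python
from datetime import date, timedelta

def san_matches(pattern, host):
    """True if one certificate DNS name covers host.

    A leading "*" stands for exactly one left-most label, so "*.saliu.com"
    covers www.saliu.com but not saliu.com or www.subdomain.saliu.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Choice made in this example: refuse wildcards directly under a TLD ("*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(host, names, not_before, not_after, today, renew_margin_days=30):
    """Classify what a browser or a renewal job would conclude on `today`."""
    if not any(san_matches(n, host) for n in names):
        return "name-mismatch"   # wrong certificate served, or name not covered
    if today < not_before:
        return "not-yet-valid"
    if today > not_after:
        return "expired"         # normal end of life, unrelated to revocation
    if not_after - today <= timedelta(days=renew_margin_days):
        return "renew-now"       # inside the window where renewal should already run
    return "ok"

# Constructed inputs: validity dates as quoted in the thread, name lists invented.
NOT_BEFORE, NOT_AFTER = date(2018, 7, 1), date(2018, 9, 29)
WILDCARD_ONLY = ["*.saliu.com"]
WILDCARD_AND_APEX = ["*.saliu.com", "saliu.com"]
SHARED_HOST_CERT = ["*.bizland.com"]

if __name__ == "__main__":
    for host in ("saliu.com", "www.saliu.com", "www.subdomain.saliu.com"):
        for label, names in (("wildcard only", WILDCARD_ONLY),
                             ("wildcard + apex", WILDCARD_AND_APEX),
                             ("shared-host cert", SHARED_HOST_CERT)):
            result = diagnose(host, names, NOT_BEFORE, NOT_AFTER, date(2018, 9, 1))
            print(f"{host:26} {label:17} {result}")
```
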