How long will it last

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help.

My domain is: pixyland.org
My hosting provider, if applicable, is: A2Hosting, shared

Maybe I'm in the wrong area? I have not gotten started with "Let's Encrypt" yet, so I don't have answers to most of the questions this help form asked me to fill in. But I need to do some fact finding before committing a LOT of time to all this.

My web sites are mostly a labor of love. I've run them for some 25 years, the most well known of which is "Peter Pan's Home Page" at pixyland.org. (When I started the biggest headache was writing scripts that worked with both IE 4 and Netscape 4 :wink: )

Anyway, over time I've become reasonably proficient in coding, at least when it comes to the things I've needed (Javascript, PHP, HTML, CSS, tweaks to my .htaccess file, etc). My site had a lot of attention and support in the past. These days much less, and I certainly could not justify the $40 (USD) / year per site that A2 hosting wanted when I asked about SSL around 6 years ago. I never needed it anyway. There are no logins or monetary transactions on my sites, with the exception of donations which I did via PayPal "donate" buttons.

But new visitors get frightened when their browser says my site(s) are unsafe! So I recently asked ChatGPT what I could say on a website popup to assure visitors my "non-secure" site was safe. Among the suggestions was to look into Let's Encrypt! (Well thanks AI!) So I've been reading and wow! It looks like there actually is a way to get free SSL certs! Then I noticed many people in the help messages that also use my hosting company, A2Hosting, and some said A2 has been supporting it since 2017! Really? Why did they tell me when I asked 6 years ago? I thought maybe it didn't apply to me because I have the cheapest kind of hosting that allows multiple "add on" domains, which is "shared hosting".

So I wrote to A2Hosting to find out if it was true... that I could add security to my sites at no cost via Lets Encrypt. They said yes, and that my account already includes it!

Anyway, they said "LetsEncrypt certificates are managed through AutoSSL in your cPanel". Awesome! I asked about my "add on domains", and they said "Sometimes domains can be excluded in AutoSSL, in which case you will need to include them." Sounds all do-able! Finally, they said "Otherwise, the AutoSSL service completely manages what is necessary to generate an SSL certificate, so you don't have to do anything other than run the service from your cPanel account."

OK this sounds great. And yes I know I need to go through all my code and libraries, but I've been preparing for this for years. Every site reference between pages and in code and scripts are done relative to the root "". In the few cases this isn't practical, I have javascript in place to create needed URL strings rather than hard coding. Funny, but up until now I've had to re-direct any incoming "https" requests to my sites back to "http", via the .htaccess files. Now I'll have to do the opposite! (LOL!) But still, being a 24 year old ever evolving website, I'm sure I'll have some hitches. But for now, here are my questions...

  1. I asked "how long will it last" in my subject. I'm long retired, and these sites are just "labor of love" projects. I can and certainly will donate to Let's Encrypt, but am I likely to find in just a few years that having SSL certs at no cost is unlikely to last?

  2. I asked A2 if doing this would change my urls (like, instead of "mysite.org" it's always going to have to be "someCompany.mysite.org"). They said NO... my site urls will remain the same, except with https instead of http. Can someone here confirm this?

  3. I know A2 said the feature is included in my account, but I have shared hosting! I'm sure nobody would want every person running any site on my same server to be able to feign security. Is it really on a per site basis?

  4. A2 seemed to be telling me I might have to manually include my add-on sites. Has anyone found this to be a problem (I have two add on sites besides pixyland.org).

  5. A2Hosting has done great by me (actually, they are the best hosting company I've ever used). But in my history I've had to change hosting companies a few times. In the past that just meant letting a new company migrate my sites, and then cleaning up after their mistakes, and customizing a few things. But once my sites are "https", and I have SSL certs, will they be portable if someday I have to change hosting companies?

  6. I mentioned that I expect there to be some errors on my part, and things I'll have to fix in my own code and libraries. But beyond my browser's console mode, and my php error logs, will there be any kind of tools that will offer a log to identify all the locations of all problems I'm sure to have the first time I try all this? (I don't have an Apache server box at home.)

That's enough for now. Thanks for any help, I'm sorry for rambling.

2 Likes

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

Maybe check out using CertSage instead of AutoSSL? Given your setup it might be more conducive.

The tutorial linked below is from the page I just linked above. You might find it edifying regardless of what you decide to do since it explains in detail how domains and SSL certificates are handled in cPanel.

1 Like

Thanks. I do know that all my domains at A2 have folders (which they put there long ago) called .well-known, and each of those folders had two more folders within, one called pki-validation and another called acme-challenge. The first of those has at least one file inside, the second (acme-challenge) is empty.

But honestly, considering how new all this is to me, I think I'd better stick with whatever A2hosting is telling me for the way they handle letsencrypt there. I'm happy enough they support it, but if I start off going my own way how can I expect their support, right?

Anyway, thanks for the links. I'll take a look. But I'm hoping to get some answers to my concerns and questions before going much further.

Well, it's hard to predict the future, but since Let's Encrypt was made 10 years ago, it's pushed the standard cost for domain-validation certs to zero. There are several CAs that offer free automated certificates now. I suppose if Let's Encrypt runs out of funding and there's less "competitive pressure" to keep certs free then charges might start coming back, but for now it's looking to me like free is the standard cost for the foreseeable future.

Enabling HTTPS should just allow for users to get to the same domain over HTTPS instead of HTTP, with the rest of the URL the same, yes.

I'm not quite following your question. Yes, whether a domain works for HTTPS is site-by-site, even if there are multiple sites hosted on the same set of servers like a shared hosting plan does.

Well, you'd probably have to follow whatever instructions they're giving you to turn them on in your control panels, and it may be different for each site, but yes you should be able to configure them all if it's something your hoster is providing.

Shouldn't really be any different than with non-HTTPS, though you'd want to make sure that it's a feature your new hoster also supports (like any other features you use), but it should be fairly standard nowadays for hosting to include. (Though some hosters will charge extra or only include it in higher-tier plans.) You can get a new certificate on a new hoster completely separately from any existing certificate on an existing hoster.

Generally, all you would need to do is make sure that references from an https site are also https. I've heard others here using Why No Padlock as a tool to scan for such things, though I haven't used it myself.

No trouble at all; you're asking good & intelligent questions!

5 Likes

Welcome @PeterPan
Full disclosure: These are my personal opinions. Most of the helpers here are volunteers just like me.

The industry has strongly moved from costly, manual certs to free, automated certs. It isn't just a LE issue. There are a number of other Certificate Authorities offering free automated certs. I fully expect this trend to continue.

Well, none of us can speak for A2. What they do in the future is up to them. You could always move to a different hosting company if you no longer like their offering.

Your certs could possibly be moved. But, normally you just get new ones at your new location.

You shouldn't have many problems using AutoSSL provided by A2. They should readily walk you through that.

But, this forum can guide you for any LE specific issues you have. We often also help with routine setup problems (wrong DNS, firewalls, ...).

You might find these LE stats comforting: Let's Encrypt Stats - Let's Encrypt

4 Likes

Thank you Thank you Thank you! I'd write "thank you" 10 more times, but it's 2:10AM here. But I really appreciate this!!

4 Likes

Thanks Mike. Just to know there are answers here is hugely comforting. I'm still in shock that something that 10 years ago was an expensive and complex change to consider has become as relatively easy as it seems now, all while I was quietly just ignoring the whole issue. I had even redirected any "https" requests to "http" in my .htaccess files, because getting Google to list me "correctly" was impossible. Now when I'm ready, I'll have to reverse that re-direction :wink:

Anyway, thanks again!

4 Likes

I have good news. You are ready today! :slight_smile:

All certs appear in public logs. You have been getting certs for pixyland.org for a long time. In fact, if you didn't have valid certs the HTTPS -> HTTP redirect would fail. You must have a valid cert for the HTTPS connection to work in order for you to redirect it.

So, just stop redirecting. Or, at least change it to HTTP redirecting to HTTPS.

As a quick test just stop redirecting HTTPS->HTTP. It's possible the HTTPS is working fine but you have some other issue like "Mixed Content". That's when you have links on your pages for HTTP:// but the main page was loaded using HTTPS://. This isn't a cert problem but one of your website configuration.

Below is just a recent history of certs that include pixyland or a subdomain of it. Requests for https://pixyland.org are using the cert issued on Mar16 which looks like a cert from cPanel AutoSSL.

4 Likes
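The "Mixed Content" condition described in the post above can be checked offline before the redirect is changed. This is an added example, not code from anyone in the thread; the sample page, its hostnames and the `scan` function name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
# <a href> is navigation, not a subresource, so it is deliberately absent.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect subresource references that would be fetched over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            rels = set(a.get("rel", "").lower().split())
            if "stylesheet" in rels:
                kind, ref = "active", a.get("href")
            elif "icon" in rels:
                kind, ref = "passive", a.get("href")
            else:
                return  # rel="canonical" and similar fetch nothing
        elif tag in ACTIVE:
            kind, ref = "active", a.get(ACTIVE[tag])  # browsers block these
        elif tag in PASSIVE:
            kind, ref = "passive", a.get(PASSIVE[tag])  # warned or auto-upgraded
        else:
            return
        if not ref:
            return
        # Resolve as a browser does: "/x.css" and "//host/x" inherit the page's scheme.
        absolute = urljoin(self.page_url, ref.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((self.getpos()[0], kind, tag, absolute))


def scan(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; none of these hosts or files come from the thread.
SAMPLE = """<html><head>
<link rel="stylesheet" type="text/css" href="/styles/site.css?v1">
<link rel="stylesheet" href="http://cdn.example/old.css">
<script src="//cdn.example/lib.js"></script>
<script src="http://guestbook.example/widget.js"></script>
</head><body>
<a href="http://example.org/">an ordinary link</a>
<img src="http://images.example/banner.gif">
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE, "https://site.example/index.html"):
        print(f"line {line}: {kind} mixed content in <{tag}>: {url}")
```

A static scan like this cannot see tags a page writes in at run time with `document.write()`; for those, the browser console remains the check.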

Very interesting. Well quite a few years ago, Google and other search engines were listing my site as https. They were NOT, which I only knew because nothing worked properly if those links were followed! Site pages would come up, but none of the data from any of my style sheets or javascript files were being applied or loaded. Strange because for a long time, I've never specified "http" in any pages, to link or include any of those resources. I always thought doing so was a bad idea, even though other people do (apparently WordPress). But all my resources are mine, and are on site, so I would always reference them to the root , like (you won't see them on my page source as I usually put all those strings into arrays and "document.write()" them in, along with appended version strings, which is a way of forcing browsers to reload these resources instead of cache them, maddening when you're trying to develop). But even plainly spelled out these seemed to be problems.

But anyway, I am SURE that at the time, all https browser requests would result in an obviously broken site. That's why I added the redirects. So maybe it's already "done" but was never completed properly. I'll have to check what A2 told me to look for in my cpanel first. And it's possible I missed some off site http: requests because I've not used them in years. (services like old now defunct 'guest books', or maybe 'flash' objects from before browsers had their own video and audio support). But hopefully I'll find them all.

Each of my domains (main and add ons) does have its own .htaccess file, with my current https->http redirect. If what you are saying is true (like it's already set up) at least that means I'll have an easy way back to letting visitors see pages as intended, until I figure out the issues.

Also, I THINK if things get crazy (like a million mysterious errors) I might have to register a sandbox domain, with a cheap TLD like .xyz, or .online. That will allow me to make some simple test pages to narrow down what https is complaining about. Since each add on domain will get its own .htaccess file, at least that will let me work at leisure, without visitors losing all access during the work. But hopefully I won't have to do all that.

Thanks for all the help. This will all take me a while to do (amazing how becoming retired seldom means life gets less busy! :wink: )

2 Likes

Your browser developer console should identify any problem if it is something like mixed content or CORS issues or something.

Also the link Peter provided earlier is sometimes useful: https://www.whynopadlock.com/

5 Likes

Thanks! That's good and leaves me hopeful!

Oh and yes... I love my Chrome browser! It lets me keep drive partitions as duplicates of my websites, and will treat root "/" references as "file:" references. Chrome even has a way to set up a second "no cors" version, which is super helpful! If I'm running my site from a home disk partition, and it needs to 'fetch' files of text from my hosted site (usually to fill in text in cute modal boxes and such), I have to both allow cross origin access in my .htaccess files, AND use a browser that can be configured to allow it. So far CHROME's features have been super helpful!

2 Likes

Well this is disappointing. I took one of my simplest sites, which is a ministry site called "throughthecracks.org", and carefully removed any http: inclusions. After making sure I didn't break anything, I removed the redirect from https back to http in my .htaccess file, since some of you said all my sites looked good to go for https. I expected maybe I'd find a few "mixed content" errors I'd forgotten. But it was much worse than that. After plugging "https://throughthecracks.org" into my browser, there was nothing but a blank screen with my usual green background. So I turned on my browser console, and saw that my page was infinitely reloading. What was troubling were console messages like the below. This is very distressing. Simple declarations like...

Are failing, because I guess under https, "text/css" is no longer an allowed "MIME" type? Absolutely no references to images, stylesheets, or anything were working. If things like this are true, I may have to live with old "http" until they shut me down. I guess I wasn't prepared to find out that everything I learned about simple web coding is no longer valid. :frowning:

1 Like

Yes, text/css is valid. Although, you used text/html for a .css object

Keep in mind millions of websites are using HTTPS just fine. Might be worth stepping back and reviewing your practices.

3 Likes

Replying again, because it seems when I use the "block quote" here, it removes the text when I post the reply. In actuality the CSS links on the page look like the below. So the console is rejecting things that aren't even on the page. Bear in mind this all worked fine until I tried viewing the site in Chrome, specifying https.

<link rel="stylesheet" type="text/css" href="/styles/fonts/fonts.css">
<link rel="stylesheet" type="text/css" href="/styles/spcPageTTC1.css?v1" >
<link rel="stylesheet" type="text/css" href="/styles/modalStyles.css?v1" >
<link rel="stylesheet" type="text/css" href="/styles/musicSupport.css" >

These are website coding issues best handled at such support sites. There are many google reports of exactly the problem you describe. There is nothing wrong with the certificate or your server's use of it based on that report.

I have no idea why your browser console would report it that way. The mime type for css for HTTP and HTTPS is the same.

You must have resorted back to HTTP as I don't see an HTTPS connection for that domain.

2 Likes

Have you checked your VirtualHosts in Apache to make sure both port 80 (HTTP) and port 443 (HTTPS) use the same website sources? Perhaps their DocumentRoot's aren't the same.

A good place to start debugging Apache is by looking at this for your current VHost layout

sudo apachectl -t -D DUMP_VHOSTS

You may need apache2ctl or httpd instead of apachectl. Different distros use different ones. I don't recall which one you use off-hand.

And, your certificate is just fine. The underlying HTTPS (TLS) connection works fine. It is the website coding that needs work. See this SSL Checker:

1 Like

A few messages ago, some folks here posted some kind of scans showing that all my sites were already configured for https, and suggested I try to at least remove the additions I made to my .htaccess file, redirecting https requests back to http, so I did that. For now I probably WILL restore my redirects, so that the site will at least be usable, until I clarify with my hosting company (A2) whether or not I am really configured for https.

May I ask what you mean when you say you DON'T see an https connection for the domain? Because you must be using a different tool than the folks who showed me those scans.

I honestly don't know how to do any of that. I don't have my own apache server. I purchase hosting from A2Hosting.com. I just write the web code, check it in browsers, and make sure everything looks and functions as I intended. And yes, if I don't specify https: in chrome, it just brings up the site fine. But it also warns "not secure". Firefox does the same. So for whatever reason, despite SSL checker saying there are no problems, the site doesn't show up as secure, and anyone following an https:// link to my site is going to have issues. Something is wrong, and I don't think my actual web code could be that wrong. There's no "mixed content", and my sites have worked fine as http: for a very long time.

I'll have to ask A2 Hosting for some help

There are other reasons besides the Certificate and TLS (SSL) functioning properly to get errors like those, take a look at tools like https://www.whynopadlock.com/ as Mike has suggested.

1 Like

Tried the "whynopadlock". It also said everything was OK. It did suggest I force everything to https in my .htaccess file, which I had already done. For now I'm putting things back (forcing http) so I'll have a working site. When I force https, every line where I pulled in one of my javascript files resulted in a 301 (forbidden) error, and the site was continually reloading. So until I can figure out what the problem is, it's best I hold off on forcing https and leaving it like that. The hosting company might complain I'm hosing up their shared server. But all my JS files are on my site in a "scripts" directory, and they all have always worked perfectly.

<script src="/scripts/siteScripts2.js?v2"> </script> 
<script src="/scripts/modalsupport.js?v1"> </script> 
<script src="/scripts/swfobject.js"></script>  
<script src="/scripts/slider.js"></script> 
<script src="/scripts/musicSupport.js?v3"></script> 
<script src="/scripts/myAudioPlayer.js"></script>