I don't know about most of the questions and info asked here as I'm not very knowledgeable I'm a novice.
I'm using a control panel to manage my site which somebody here will probably recognize from the name of the hosting company. The company hosting my website "Easily.uk".
I thought when I read about how easy it was to get a free certificate with let's encrypt I would find it easy but then I read, I have to download a program and start entering things into a command line, which all sounds so complicated.
So I contacted Easily and they sent me the following set of instructions but I'm not sure if they can work with lets encrypt. Here is what they sent me, any help / advice would be much appreciated.
"1. Log in to the Portal https://portal.easily.uk/, get into SSL manager, click on "Install". For your convenience
2. Complete fields, make sure the provided information matches whois.com;
3. On this step, the SSL manager will generate CSR. You need to provide the CSR copy to a Certificate SSL Issuer Authority and purchase the SSL certificate.
4. Once the SSL certificate is purchased, go back to SSL Manager and paste it to the certificate field (make sure to copy starting with the BEGIN Certificate request and END including dashes)
5. After all those steps would be done, you need to:
6. Update the DNS common name (vanity SSL certificate name) to point to the provided secure IP address;
7. Move all your website content from /public folder to the /secure (or create a symlink instead);
8. Once the update to the common name is complete (it could take 24 hours for DNS propagation), the SSL should then be active.
"
Hi @Rickybecker ! Welcome to the forum. The simplest way for you to get free SSL is for your hosting provider (easily.uk in your case) to set it up for you automatically for free. Let's Encrypt encourages hosting providers to do this, but many of them (including, evidently, Easily), don't do it yet.
So you have a couple of options:
You can follow the instructions from your hosting provider, and copy the resulting CSR into software that uses Let's Encrypt (an "ACME Client"). This will work, but it's time consuming and error prone, and you'll need to do it every 60 days.
You can pay for your hosting provider's paid SSL service, which should automate everything for you. This rankles when there are free options out there, but may save you a lot of headache in the long run.
You can switch to another hosting provider that includes free SSL as part of their plan. There are lots of hosting providers out there that do so. You can visit Certbot - Does My Hosting Provider Offer HTTPS? for more info.
Thank you for the welcome and the quick response. I think my hosting provider sees SSL as a money making opportunity so I don't think they will consider integrating lets encrypt. Although I will email them again and suggest I may have to look for another hosting company that can provide free SSL.
I was hoping with lets encrypt, it would just be a case of getting the CSR from the SSL manager then pass it to lets encrypt for verification, so they can return a certificate to me which I could then paste back into the SSL manager.
If it could be made that simple I'm sure more websites would use lets encrypt. Is it not possible for lets encrypt to simplify the process as I have described.
Thanks but I'm not sure what type of control panel it is, although I know it does not have the cpanel logo so I'm pretty sure it's not cpanel but may be similar.
It's close, but there are a few more steps than that. You need an ACME client. It sounds like you probably want a web-based ACME client, of which there is some discussion at Web browser based ACME clients.
If you do go that route (and again, I suspect your time is better spent switching hosting providers), you'll need to not only paste the CSR, you'll also have to upload a one-time file to your site to prove that the site is yours. Then your ACME client will be able to finish the certificate request and give you a certificate to upload to your hosting provider.
Which is why you should consider changing to a less user-hostile hosting provider--because there are a number of providers who do provide SSL for free, as the list linked above indicates.
I do have access to be able to upload files to the server, I use an FTP program or I think they call it a client. So I can upload a file without any problems.
Although you said it is error prone and also I would have to keep repeating the process every 60 days. I have noticed on the SSL manager of my control panel that there is a switch which is for auto renew. Would that work when in needs to be renewed every 60 days or would be more likely designed for annual renewal.
One way I just thought of putting it: Let's Encrypt provides a service aimed at machines, not one aimed at humans.
This service can be useful to humans, but normally because machines they use are programmed to make use of it. If not, it may not be especially easy or convenient for the humans unless they change what computing environment or tools they're using.
This might not sound that appealing in some ways, but it's been a good strategy for getting HTTPS available for free and widely adopted on the web. And indeed, Let's Encrypt really did start its planning from a completely different perspective from other prior certificate authorities—not "how will human beings interact with this service?" but rather "how will machines interact with this service in an automated fashion?".
I'm not sure what that switch does, but given the instructions you shared above, I'm pretty sure that would not automatically renew with Let's Encrypt in 60 days. Perhaps it is intended for the hosting provider's paid SSL plan?
Yes you are probably right, I think will have a look at the list of hosting providers before I do anything else. Then contact my current host to suggest lets encrypt, if they don't say they are considering it very soon then I will look for another hosting company. Is changing the hosting provider usually a simple process. I will not ask for any recommendations in case that is against forum rules.
Changing hosting providers can be easy or hard - it depends on how complex your web site is, and what software you use to manage it. If you do wind up picking a new provider, they should be able to give you advice on the process.
It's not against the rules to ask for or provide recommendations. Let's Encrypt representatives (like myself) don't provide recommendations though.
My website is an e-commerce site selling security products but we do not store pass words or any customer details and we do not take online payments ourselves. So I don't think it is as complex as many out there. Anyway thanks, you have all been so helpful and I am very grateful, I was not really expecting anyone to get back to me till tomorrow.
That's a really interesting thought and I am now wondering if it's easy to translate the "machine directions" into a way that humans understand at differing expertise levels.
Update
I emailed my hosting provider to ask if they provided a simple solution to provide a free security certificate that auto renews, I mentioned Lets Encrypt. Here is their response.
"Thank you for contacting Easily support.
If the certificate expires in less than one year, then there is no possibility to install it on our platform. However, the "Let's encrypt" implementation is being discussed and possibly may be supported in the future (but there is no ETA yet). Thank you for your understanding.
Please let us know if we can be of further assistance."
This brings me to another question, why do these free security certificates have to expire after only 60 days?
There are certificate that have a longer life, but the purpose of Let's Encrypt is to automate certificate issuance (hence certificate life is not that important)