Simple and Clear Directions


#1

I’m an old man who operates and manages a dozen websites. I am persuaded that HTTPS is important. My guess is that of the millions of website managers, a majority are like me. We don’t know how to install HTTPS. You guys and gals are geniuses. May I request that you publish simple and clear, step-by-step directions on how to install HTTPS. If you are kind enough to grant this request, please use short words that aren’t industry-specific.

Thank you very much.

~George


#2

Hi George,

There are many different webservers ( apache, nginx etc) and many different operating systems (linux, windows, mac … ) , so not knowing anything about your system, it’s tricky to give the simple, clear, step-by-step directions.

I’d suggest starting at https://letsencrypt.org/getting-started/

which will also link you to the official client ( https://certbot.eff.org/ ) where if you select your webserver and operating system it will provide instructions.

If you are uncertain after looking at those, please provide as much information as possible about your current setup, and we’l try our best to help out :slight_smile: And if things are unclear in the those links, please let us know where you think more detailed instructions are needed so they can be added / updated.


#3

Just for clarification, do you manage the server or do you simply upload HTML files to a directory?


#4

Hi TCM,

Rganks!

I use FileZilla Client with Ubuntu 16.04 on a GUI to upload files to several servers for the various websites.

BTW, I followed the step-by-step to use Cerbot, and got rejected [for a whole host of reasons, and the explanations of the reasons didn’t give clear instructions on how to fix the errors] on attempts to install certificates on GoDaddy. Called GoDaddy and the tech said GoDaddy does not allow third-party SSLs.


#5

I meant “Thanks!” Sorry need 20 characters, so ignore this sentence.


#6

I’m assuming this is a shared hosting plan. In that case, this section of the FAQs applies:

It seems like GoDaddy does not allow you to upload a certificate and does not offer a one-click integration with Let’s Encrypt, so your options are basically:

  • Switch to a hosting provider that supports Let’s Encrypt natively (see list linked above)
  • Upgrade to a hosting plan that offers paid SSL (or one that supports uploading third-party certificates, if available, and then use the manual plugin as described above)

I would recommend the first option.


#7

@geomcd1949 not to be pedantic, but let’s establish a certain distinction: a website operator is someone who maintains the backend server, runs the database, reads the logfiles and so on. A content creator/content manager is someone who uploads files to a pre-existing system.

Your argument is symantically incorrect in the sense that elderly operators will be just fine setting up Let’s Encrypt certs.

Further to what @pfg has said, you can still issue LE certs for servers (even those which you cannot install certbot on) through various clients and “manual mode”. This, of course, relies on the server accepting user-uploaded SSL certs, which GoDaddy does not like to let you do, their business model being aimed generally at the less-geeky side of website owners, counting on their lack of knowledge to squeese more dough out of you.

My advice would likewise be to switch to a different hosting provider, and spend some time familiarising yourself with their FAQ/Support pages to see if Let’s Encrypt will work for you.


#8

Thanks for the responses. My point here is that the EFF, if it aspires to be something more than an obscure and quaint do-gooder organization, must make the means of accomplishing its vitally important goals accessible to me and the rest of the masses. As it stands now, an average user cannot install HTTPS without a ton of work – work that only a tiny percentage will undertake, and in which only a small percentage of them will succeed.

If the Let’s Encrypt process is for website operators, then I’m apparently out of my league and don’t belong here. One of my web hosts is GoDaddy, on which I have 14 sites. They don’t allow third-party SSLs, and will be kind enough to make my sites secure for only $379 a year.

Thus the course I and millions like me will take is to do nothing. We’d like to be good citizens of the Internet – it just isn’t currently feasible.


#9

With respect, you come here in search of support, only to berate us for not being to your liking, not bending over for you, and for your lack of understanding.

Web hosting is serious business. Most of it isn’t point-n-click. If you want point-n-click for the “masses”, then seek out a hosting platform that suits your needs, like I once did (having since taken the time to learn about the tecnology with which I am messing about).

It is not the EFF’s job to make point-n-click integrations for the thousands of web hosts out there—inded such would be impossible—they have, however, made an extremely easy-to-use and easy-to-code-for system which already has more than a score of clients, is integrated into platforms like wordpress.com, et cetera.

Speaking on behalf of the cyber-community, it is not our job to do everything for you. It is our job to give you the tools, and point you in the direction of how to use them. It is then up to you to read the documentation, understand the documentation, study if you don’t know the documentation, and implement what you want to work with.

Don’t blame us for your lack of understanding.


#10

I assure you, I meant no offense of any kind. I just give you my opinion on what needs to be done. Take it or leave it.


#11

Unfortunately, there is nothing that Let’s Encrypt or anyone else can do about web hosts who refuse to offer SSL for free. That’s simply a technical reality. It’s their infrastructure and no one (except for the government, I suppose) can force them to change it. What Let’s Encrypt can do is provide documentation for site owners that makes it easy to find hosts that do provide SSL, and that’s what we (hopefully, feedback appreciated!) have. In theory, the market should take care of the rest eventually.


#12

The problem is that a choice you’ve made (i.e., to use GoDaddy hosting) has made it impossible for you to use Let’s Encrypt certificates. This isn’t an issue with documentation, where LE’s instructions aren’t clear enough. It has nothing to do with your technical abilities or knowledge. It has to do with a business decision that GoDaddy has made. You may reasonably be frustrated with the state of affairs, but your frustration is misdirected at Let’s Encrypt.

GoDaddy has the ability to provide SSL to all its customers at minimal up-front cost, and no marginal cost, to itself. It could easily do so at no cost to its customers. It chooses not to, in the apparent belief that its customers will instead pay extra for it. Only you know if this is true in your regard. You could instead move your hosting to one of the other many hosting providers who provide SSL for free. This would cost you some effort in the transition, but would likely save you money compared to $379/year for SSL with GoDaddy.

It’s perfectly feasible–just not as a GoDaddy customer.


#13

Persuaded, and more truthfully, shamed, by posts in response to mine, I’ve switched from GoDaddy to GreenGeeks for hosting 14 websites. I’m going to make the sites HTTPS as soon as the changeover is complete. The changeover cost me almost $400. I’m not complaining about that, but bring it up so that those managing this campaign understand the cost of doing what they suggest.


#14

wow - $400 for 14 websites. I’m not sure you chose optimally there. Switching from GoDaddy to an equivalent provider that supports Let’s Encrypt shouldn’t cost you more than a couple of hours of time in transferring the sites / dns over.


#15

I think you’re still misdirecting your concern here. The limitation is only, and entirely, with your (former) web host.

Let’s Encrypt provides a Certificate Authority that issues certificates for free. That CA uses an open protocol which allows lots of people to develop software to automatically obtain and implement certificates. If you’re running your own server, especially on a Unix-like operating system, the odds are very high that you can use any of a dozen different pieces of software to obtain, implement, and renew certificates from Let’s Encrypt, and once you have it set up, it will renew automatically, pretty much forever.

The problem is that you aren’t running your own server. Instead, you have your websites hosted elsewhere. That means that your web host has control over a lot of issues, and you have much less control than if you were running your own server. A “good” (in this regard) web host will have a nice, pretty control panel, with a switch, knob, or checkbox to obtain a Let’s Encrypt cert–and there are many who do this at no additional cost. An “OK” web host will at least allow you to upload the appropriate certificate files–this can be a hassle, but it can still provide you with SSL for your site at no cost. But then there are “bad” web hosts, which charge a significant extra sum to do SSL at all. GoDaddy is one of these, it seems. There is literally nothing Let’s Encrypt can do to change this situation. You, and other (former) customers like you, are in the best position to effect change here, by leaving them for another host. If enough customers do this, hopefully they’ll realize that charging extra for baseline-level privacy and security is a bad business decision.


#16

serverco please tell me the names of a couple that host for free.


#17

Have a look at Web Hosting who support Lets Encrypt - there are a number there that also provide free hosting. It depends what your complete requirements are as to which is best for you. Are you comparing with a specific godaddy hosting plan ? ( I didn’t think they had free plans ) .


#18

Please suggest a host that has this. It would be ideal for me.


#19

See the following thread for a list of web hosts that support Let’s Encrypt:


#20

hi geomcd1949

i understand that this can be confusing

not to confuse the issue more but there are options outside of letsencrypt to achieve what you want

services like CloudFlare https://www.cloudflare.com/ will provide you with HTTPs encryption to a point and there is no need for the backend (godaddy) to support SSL.

It’s also free and has a bunch of other great features (such as bot blocking etc)

the service is free and there are paid plans as well.

in terms of making things easy - well encryption is not easy. and there are plenty of people who get it wrong. It’s about horses for courses and if you do not have the acumen or skillset then it’s good to explore options (cloudflare being one)