SSL - Going from HTTP to HTTPS by Robert Lauer - Distant Web


SSL - Going from HTTP to HTTPS
(Before I get into this, I just want to ask that you please don’t let the length of this post put you off. There are two things I cannot stress enough: One, this subject is FAR too important to dismiss simply because my post is too long. And two, the fact is that I am just trying to be as thorough as possible; the actual process for this is way more simple than it’s going to look due to the length. Thank you.)

If you own or run a website today, and you have not installed SSL Certificates for your site to go from an HTTP URL to HTTPS, now really is the time to do it. Most (if not all) modern web browsers will make sure their users are clearly aware when they are on an unsecured website. Some will even make sure the user has to manually allow an unsecured website to even load, pointing out the security risks.

(And ‘Self Signed’ certificates are not helpful in any way. Some (if not most or all) web hosts will auto-install ‘Self Signed’ certs, but most (if not all) modern web browsers will basically ignore these and treat that site as unsecured.)

This display of your site being unsecured, especially if there is a user login system in place, can turn away some of your visitors, if not most. And there really is no reason to not install SSL Certificates in your webhost, unless you have zero control of your webhost. There is even a site that will do most of the work for you, so long as you have access to FTP and/or your web host’s ‘Control Panel’ section.

That site:

SSL For Free

This site basically uses the tools available at Let’s Encrypt in a way that allows them to even further simplify the process at no cost to you. And for the record right now, I am in no way, shape or form being compensated by either site for this posting; this is simply a form of Public Service Announcement on my part, because I feel this is just that important.

So the first thing I will do is go through some basic steps here, and outline what I know (there are multiple paths to take, and I did not experience them all, so I can only give partial first hand experience). Then, I will go through some things that you should think about, or steps you will need to take, to finalize securing your site.

Checking out the site “Let’s Encrypt”, it seems like there is an even simpler way to get your site set up for SSL, but your webhost has to be set up for this process, and mine is not. Therefore, I could not give this a try. However, if you would like to give this a try, they do provide a list of hosts that are already configured for whatever this simpler method is:

Web Hosting who Support Let’s Encrypt

At the top of the site SSL For Free, there will be a text input where you add the main domain and all subdomains you want certified with one certificate. You need to be aware that www.yourdomain.com and yourdomain.com are in fact two different values that both need to be entered; www is technically a subdomain.

The site will tell you to use an asterisk (*) as a wildcard value to signify all subdomains to your main domain, but I do not recommend this, and I will explain that in time.

user posted picture

Once you have your domain and all subdomains for that specific domain (including www.), click the button “Create Free SSL Certificate”. The next page, as long as you do not use a wildcard, should look like this:

user posted picture

So as you can see, there are three basic options:

Automatic FTP Verification – this appears to be something where you enter your FTP information (login/password/etc) and the site does everything for you. I do NOT recommend this as I just cannot see a justification to giving out any kind of account information to a 3rd party.

Manual Verification – this is the best option in my opinion. You will basically be told to download some verification files (I believe it’s one per domain/subdomain) and upload them to a very specific location on your site. This is where you need FTP access. Just be sure to pay close attention to WHERE you need to upload these files. More on this soon.

Manual Verification (DNS) – this is the only option you will be given if you use any wildcards, as in *.yourdomain.com, in an attempt to secure ALL subdomains in one entry. This option will require you to go into your DNS Zone, typically found through your host’s ‘Control Panel’, and manually add some TXT entries. This did not work for me, with my host, which is why I do not recommend this method, and why I do not recommend using wildcards. My site said it could take up to 30 minutes for changes to go through, but even after an hour it was not working, so I had to forgo wildcards.

At this point, unless you were able to do the ‘simpler’ version through Let’s Encrypt, you probably went with the first “Manual Verification” method. After clicking on the main option to manually verify, a button will be added that says “Manually Verify Domain”. Click that.

user posted picture

For each domain and subdomain (with the exception of www, as www should just be a shortcut for your main FTP directory, like public_html), you will need to create a folder in the main directory called “.well-known” (yes, there is a period there). Then you create another folder inside of that one called “acme-challenge”.

As an example, let’s pretend your domain is “yourdomain.com” and you have a subdomain called “testing”. You will probably be given three files in total to download and then upload to your site. Two will go together, because one is for your domain, and the other is for www. The third will be for your subdomain. The end result will look something like this:

public_html/.well-known/acme-challenge/[downloadedFile1]
public_html/.well-known/acme-challenge/[downloadedFile2] 
testing/.well-known/acme-challenge/[downloadedFile3]


Of course this is just one possible file structure. Yours could be very different, depending on how your host works.

user posted picture

Now, this is VERY IMPORTANT. Make ABSOLUTE SURE you have these files uploaded to your server properly BEFORE moving on. If you fail to upload even one file, or upload one file to the wrong directory, you will have to start all over with the downloading/uploading process. Once ALL files are properly downloaded, and then uploaded, and then verified by you (they will provide links for you to verify you uploaded correctly), THEN you should move on to the next step.

Once you are sure that all files have been uploaded, click the button “Download SSL Certificate”.

This will, once the site verifies the files itself (assuming all went well), take you to a page with 3 text boxes. I do not have a screenshot here, but they are something along the lines of “CRT/Certificate”, “Key/Private Key” and “CABUNDLE”. More on these in a few…

From here you should go to your web host’s “Control Panel”. This is going to be potentially drastically different depending on your web host. Just look for something like this:

user posted picture

Go to that link, something about managing SSL? Again, this will change significantly depending on your host, so you will just have to do your best. It really shouldn’t be that hard, I can’t think of a web host that I’ve ever seen that would make this difficult. For me it looks like this:

user posted picture

That should take you to a page with all of your main domains, and their subdomains. Find the one you are managing and you will either need to Install or Update, depending on your current configuration:

user posted picture

In my example above, you will see some blacked out subdomains that are unsecured. These are not actually subdomains, but aliases that I cannot seem to secure, OR delete. Do what you can, and you MAY want to contact your host if you have a similar issue; I would myself, but I’m not planning on staying at my current host for long anyway.

Moving on, with the text boxes ready in a different browser window (from SSL For Free), and your “Control Panel” in another window, you should see something similar to this at your “Control Panel”:

user posted picture

At this point it’s just a matter of matching one box up with the other. Take the values that were given by SSL For Free and paste those values into the corresponding box at your web host’s “Control Panel”.

Once all the boxes have been filled or replaced (in case you had existing values, such as Self Signed garbage), click whatever button says something along the lines of “Install”, “Update” or “Finish” (again, this could be anything depending on your host). As long as all goes well, you should be ready to go!

Or should I say, mostly ready. Yes, sadly there are still some finishing touches you may want to look into. First and foremost, you’ll want to add some lines to your existing .htaccess file (or create one if you do not have one already):

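# Enable the rewrite engine (needed once, before any rules):
RewriteEngine On

# First, rewrite any request to the wrong domain to use the correct one (here www.).
# Note: this matches every host that does not start with "www.", subdomains included.
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Now, rewrite to HTTPS:
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]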


I’m going to assume you either know enough about .htaccess to get this done, or you can figure it out on your own as this was not meant to be a tutorial on .htaccess. But here is a quick link just in case you need it: Apache HTTP Server Tutorial: .htaccess

Anyway, that code, when added to .htaccess, will make sure that all incoming traffic is going to the HTTPS version, even if the user clicked (or typed in) an HTTP link.
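As an added illustration (not part of the original post), this Python sketch models the two rule pairs above and shows where each request ends up. The certificate name set and the sample URLs are constructed assumptions; note that a host such as testing.yourdomain.com is sent to www.testing.yourdomain.com, so a subdomain served by the same .htaccess needs its own condition or that name on the certificate.

```python
import re
from urllib.parse import urlsplit

# Constructed assumption: the names entered on the certificate request form.
CERT_NAMES = {"yourdomain.com", "www.yourdomain.com", "testing.yourdomain.com"}


def apply_rules(url):
    """Model the two RewriteCond/RewriteRule pairs, in order.

    Returns the 301 target, or None when neither rule fires.
    """
    parts = urlsplit(url)
    host = parts.hostname
    # %{REQUEST_URI} is the path; mod_rewrite passes the query string through.
    uri = (parts.path or "/") + ("?" + parts.query if parts.query else "")

    # Rule 1: the host does not start with "www."
    if not re.match(r"^www\.", host):
        return f"https://www.{host}{uri}"
    # Rule 2: the request did not arrive over HTTPS
    if parts.scheme != "https":
        return f"https://{host}{uri}"
    return None


def follow(url, limit=5):
    """Follow redirects until no rule fires; returns every URL visited."""
    chain = [url]
    while len(chain) <= limit:
        target = apply_rules(chain[-1])
        if target is None:
            break
        chain.append(target)
    return chain


def lands_on_certified_name(url):
    """True if the final host is one of the names on the certificate."""
    return urlsplit(follow(url)[-1]).hostname in CERT_NAMES


if __name__ == "__main__":
    for start in ("http://yourdomain.com/page?id=1",
                  "http://www.yourdomain.com/",
                  "http://testing.yourdomain.com/"):
        print(" -> ".join(follow(start)), "| on cert:", lands_on_certified_name(start))
```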

Unfortunately, this will not update your actual hard coded (or even dynamically generated from a database) pages. Any previous links, or image tags, that contain http instead of https will be labeled as “Unsecured” by most (if not all) browsers. This is mostly (if not only) an issue when it comes to images, but even that can be a pain. ANY previous links/image tags should be updated (primarily the image tags).

If your site is mostly generated from a database, you can write scripts that look for “http://yourdomain.com” or “http://www.yourdomain.com” and then replace the “http://” with “https://”, but that is a whole can of worms I will not be opening here.

Also, if you ARE using scripts of any kind, custom or 3rd party, make sure you update any and all configuration files where your site URL is entered; change the “http://” to “https://” wherever it appears.
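One way to find the leftover http:// references described above and to upgrade only your own, shown as an added Python example that is not part of the original post. The host names and the sample page are constructed; the scanner separates URLs the browser fetches while rendering (the ones that trigger the warning) from plain links, and the replacement leaves third-party hosts untouched because they may not serve HTTPS at all.

```python
import re
from html.parser import HTMLParser

OWN_HOSTS = ("yourdomain.com", "www.yourdomain.com")  # assumption: your own names

# Tag/attribute pairs whose URL the browser normally fetches while rendering.
# An http:// value here triggers the warning; <a href> is only navigation.
SUBRESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                     ("link", "href"), ("source", "src"), ("video", "src")}

# Own-host http:// URLs only; the lookahead stops look-alikes such as
# http://yourdomain.com.other.example from matching.
OWN_URL = re.compile(
    r"http://(" + "|".join(map(re.escape, OWN_HOSTS)) + r")(?=[/?#:\s\"'<]|$)",
    re.IGNORECASE)


class InsecureUrlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url, kind)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and value.lower().startswith("http://"):
                kind = "subresource" if (tag, name) in SUBRESOURCE_ATTRS else "link"
                self.findings.append((self.getpos()[0], tag, name, value, kind))


def scan(html):
    scanner = InsecureUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_own_urls(text):
    return OWN_URL.sub(r"https://\1", text)


# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.yourdomain.com/style.css">
</head><body>
<img src="http://yourdomain.com/images/logo.png">
<img src="http://cdn.example.net/banner.jpg">
<a href="http://yourdomain.com/about.html">About</a>
</body></html>"""
```

Running `scan(upgrade_own_urls(SAMPLE))` leaves only the third-party image, which has to be checked by hand or hosted locally.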

Now for a kind of downside; these SSL certificates only last for 90 days. Yes, every 90 days you have to re-certify your site(s). However, the site I am using here, 'SSL For Free', does have an option to register an account while you apply for your SSL Certs. They will keep track of your certs for you, and email you a week or so before they expire to remind you to renew...

Overall, I do believe that that is about everything, at least the most important aspects. Any old links outside of your domain won’t matter; incoming traffic will auto change to HTTPS due to the .htaccess code, and any other sites that are embedding your URLs like image files or videos or something, well, that’s kind of their problem now.

If you have any questions or thoughts, please feel free to leave a comment below. I cannot guarantee that I will have the answers, but I can sure try.

Also, if you find this helpful, if you are able to successfully install SSL Certificates on your site, all I ask is that you pass along the knowledge to someone else you know (assuming you do know someone) that runs a website that has not been secured. You can send them to this page, or help them directly. Just help whomever you can in getting their sites secured. Once again, I just cannot stress enough how important this is.

P.S. If you are reading this, and have an older site that is not very 'mobile friendly', I encourage you to check out a post of mine, Quick Mobile Code


Blog Comments

DistantWords - Posted On: 8/2/2018 1:29 PM

This is just some additional anecdotal information, which is why I am leaving it as a comment. This blog thing was already too long.

So I started out trying to secure my son's website. I knew this was a big thing that was going to really be important soon but I wasn't confident I would be able to do it. I had tried to set up SSL certs before and it never went well. My son doesn't really use his site at all, so I figured his was the best to mess with.

Within 20 minutes of starting out I had his site secured with SSL certs, which included time I wasted because I had uploaded the required files improperly. Because I had to go back a step, the files had changed as they are simply text files with randomly generated values that only serve to prove you 'own' the site (or at least have the proper access). This blunder really did add some time.

Once his site was done, and I was sure it was done (as sure as I could be anyway), I started on my own site. Having had the experience with his site, now knowing what I was doing, the entire process start to finish only took about 5 minutes. When doing his, not only did my mistake take some time, but learning in the first place made it take longer.

Several days later I wanted to try securing the 'subdomains' that aren't really subdomains, but aliases hoping to use those wildcards (*). However, that turned out to be a mess; I followed the instructions exactly, or at the very least I am pretty sure I did, but all I ever got were errors. I don't think my current host was very good with that method.