Install LetsEncrypt SSL Certificate in GoDaddy



LetsEncrypt has really changed the game when it comes to securing certificates for websites. But how can LetsEncrypt offer free certificates when a lot of authorities charge hundreds of dollars?! Is it even crucial to have a certificate?

How do certificates secure your website?

It’s important to understand how certificates and certificate authorities work to show your users that your site is secure. Imagine you’re passing a note around a room: as the note is passed, its contents can be read by every party who comes in contact with it, which is how plain web requests work. Now imagine you’re putting the note in a locked box and have only given the key to one specific person at the front of the room. When each person around the room tries to read the note, they are unable to decipher the message, but when the person with the key receives the box they can successfully open it and read its contents. This is a simplification, but that’s how SSL certificates add a layer of security to ensure that anyone coming into contact with the request for the web page cannot decipher the message.

Certificate Authorities

Now let’s talk about certificate authorities. Think of certificates as passports: if you show up to the border with a valid passport, you’ll likely be allowed through, but if you show up with a passport from an unknown country, it’ll be much harder to verify your identity. Certificates work in a similar way; they are distributed by trusted certificate authorities so that we don’t end up with a chicken-or-the-egg problem. If a company can create and use its own certificates, so can anyone else, so how can you trust the identity of the company and its certificates? The answer is that you can pay for a certificate validated by a well-known certificate authority trusted by all major browsers, or you can use a free authority which does not validate domains as thoroughly as a big-time certificate authority does.

Can I trust LetsEncrypt certificates?

When a user comes to your site, the certificate is recognized by your browser – and if it is signed by one of the valid certificate authorities the browser says the site is secure and you’re good to go! LetsEncrypt only validates whether or not you own the domain which the certificate is being installed onto. So while this may be OK for some websites and applications, it won’t work for some websites which need a higher level of security.

With all of that said, I frequently use LetsEncrypt certificates on WordPress websites as it costs nothing and allows us to host our sites for free on HTTPS. The only real downside is that you need to renew the certificate every 90 days unless a renewal script is set up, which is pretty straightforward using a cron job.

Just take a look at the growth of LetsEncrypt. There are currently hundreds of millions of websites being secured by it.

Learn more about the details of LetsEncrypt here.

Installing the SSL Certificate on a WordPress site

I’m going to show how I install the certificate on this blog. I use a free SSL certificate wizard, ZeroSSL, to help generate the certificate, and then upload it through the CPanel interface for the VPS.

Enter your email for reminders about expiry, and then enter the domain(s) for the certificate. Accept their TOS & the LetsEncrypt SA.

Click next and download the CSR text file, then click next again and download the account key text file.

Next we need to verify that we actually own the domain, so we need to create two files on our server, accessible to the internet, so that the authority can verify that we own the domain.

Under the root folder of your site, create two folders:

/.well-known/acme-challenge/

This is where the two files will be created. Create two files with the filenames and contents listed in the screenshot.

You can verify that the files are accessible by clicking on the links on the page under the “File” column. You should see the text file, so click next and you will be told that your certificate is ready for install.
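The file placement step above can be scripted and checked before you click next. This is an added example, not part of the original post or of ZeroSSL; it assumes the wizard follows the standard ACME HTTP-01 layout (file name is the token, body is `<token>.<account key thumbprint>`), and the tokens below are constructed placeholders.

```python
import re
from pathlib import Path

TOKEN = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet only

# Constructed sample values; use the names and contents the wizard shows you.
SAMPLE_CHALLENGES = {
    "constructedTokenA1": "constructedTokenA1.constructedThumbprint_x-1\n",
    "constructedTokenB2": "constructedTokenB2.constructedThumbprint_x-1",
}


def place_challenge(webroot, filename, content):
    """Write one HTTP-01 challenge file and return its path."""
    if not TOKEN.fullmatch(filename):
        # Catches "token.txt" and anything containing a slash or "..".
        raise ValueError("file name must be a bare token (no extension, no slashes)")
    content = content.strip()  # editors often append a newline
    token, sep, thumbprint = content.partition(".")
    # RFC 8555 section 8.3: the body is "<token>.<account key thumbprint>".
    if token != filename or not sep or not TOKEN.fullmatch(thumbprint):
        raise ValueError("content must be '<file name>.<thumbprint>'")
    target = Path(webroot) / ".well-known" / "acme-challenge" / filename
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="ascii")
    return target


def check_challenges(webroot, expected):
    """Return the names whose on-disk body is missing or differs."""
    folder = Path(webroot) / ".well-known" / "acme-challenge"
    bad = []
    for name, content in expected.items():
        path = folder / name
        if not path.is_file() or path.read_text(encoding="ascii") != content.strip():
            bad.append(name)
    return bad
```

An empty list from `check_challenges` means every file is in place with the exact expected body; a file saved as `token.txt` by a text editor shows up in the list.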

Import the Certificate in GoDaddy via CPanel

I manage quite a few of my WordPress sites with CPanel, so if you’re using GoDaddy or another hosting solution – open your CPanel and go to “SSL / TLS” to manage your certificates. Click to install an SSL certificate for one of your websites.

  • Copy the first half of the first certificate and paste it into the CRT Certificate text-field
  • Copy the entire RSA private key and paste it into the private key field
  • Copy the second half of the first certificate and paste it into the Certificate Authority Bundle field (CABUNDLE)

You should be able to install the certificate and then instantly be able to hit your website in HTTPS!
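The "first half / second half" split above can be done mechanically instead of by eye. This is an added example, not from the original post; it assumes the certificate file holds the site certificate as its first PEM block and the issuer certificate(s) after it, and the sample bodies are constructed placeholders rather than real certificates.

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem(label, payload):
    """Wrap raw bytes as a PEM block (used here to build the sample)."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample: placeholder bytes, not real certificates.
SAMPLE = (pem("CERTIFICATE", b"constructed site certificate") + "\n"
          + pem("CERTIFICATE", b"constructed issuer certificate"))


def split_for_cpanel(cert_text):
    """Return (crt, cabundle): first block for CRT, the rest for CABUNDLE."""
    blocks = PEM_BLOCK.findall(cert_text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("private key found in certificate file; keep it separate")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) < 2:
        # A paste that lost a BEGIN/END line no longer parses as a block.
        raise ValueError("expected site certificate plus issuer certificate")
    for body in certs:
        # A truncated copy usually leaves an invalid base64 body.
        base64.b64decode("".join(body.split()), validate=True)

    def wrap(body):
        return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

    return wrap(certs[0]), "".join(wrap(body) for body in certs[1:])
```

The private key never goes through this function: it belongs only in the private key field, and the function refuses input where a key block has been pasted alongside the certificates.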

Forcing Requests over HTTPS

The last thing I recommend doing is forcing all requests over HTTPS, so if someone comes to your site using an http:// URL they’ll be instantly redirected to the HTTPS site. You can do this by editing, or creating, the .htaccess file at the root of your site.

# BEGIN HTTPS redirect
RewriteEngine On 
RewriteCond %{SERVER_PORT} !^443$ 
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END HTTPS redirect

If everything’s good, you should see that your browser recognizes your site as being secure.

And that’s it! I hope this helps. Until next time.