Nothing should surprise me. Yet surprised I am. The Let’s Encrypt certificate authority started issuing free SSL certificates for domain validation on April 12, 2016. No websites should have the plain “http://” in their web addresses anymore.
I’ve used Let’s Encrypt certificates since at least August of 2016. It was a smart move even if I didn’t know it at the time.
I could go through the list at the upcoming features page for Let’s Encrypt and say something about each item, but I won’t.
The important item on the list is wildcard certificates, available by the end of February, 2018. Since its beginning, Let’s Encrypt has given me the ability to get certificates for subdomain names other than www (included with the naked domain name). It’s a silly process and tedious when doing it for more than one subdomain name at a time.
What happens when a subdomain name is no longer needed? I have to manually remove the certificates (and references) at the server and block those subdomain names. With a wildcard certificate, I only have to block the subdomain names I no longer need. I have to block them because bots don’t know how to let go.
Before August of 2016 (or July, I really don’t remember) I used the free SSL certificates from StartSSL. I had no way of knowing that Apple, Mozilla and Google would “untrust” them starting a month or so later.
StartSSL was part of StartCom, a company in Israel. Apparently, they sold everything to a Chinese firm shortly after I gave up on them.
I’m not going to get into the details. Just about every web host out there has instructions on how to get it all set up. When I switched from droplet to droplet at DigitalOcean, I followed their instructions for Nginx and Ubuntu 16.04.
The instructions today are a lot better than the convoluted routine I had to use in 2016. Now, the instructions don’t tell anyone how to configure the Nginx web server to use the certificates. A Google search will show sources for it if the Nginx documentation isn’t clear enough.
The free SSL certificates are automatically renewed between 60 and 90 days. The Let’s Encrypt certificates expire in 90 days. I check every week or so for log file updates and reissued certificates. I haven’t seen an error yet, so I’m confident I won’t have to worry about it if I don’t check for a week or more.
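The weekly check described above can be done from the certificate's own dates. This is an added example, not part of the original post; it assumes renewal is expected once a 90-day certificate is 60 days old, and the function names, status labels and sample dates are made up for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumption taken from the paragraph above: 90-day certificates,
# with automatic renewal expected from day 60 onward.
RENEW_AFTER = timedelta(days=60)


def parse_cert_time(value):
    """Convert a getpeercert() time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def renewal_status(cert, now):
    """Classify a certificate dict (getpeercert() layout) at time `now`."""
    issued = parse_cert_time(cert["notBefore"])
    expires = parse_cert_time(cert["notAfter"])
    if now >= expires:
        return "expired"
    if now - issued >= RENEW_AFTER:
        # Still valid, but automatic renewal should already have replaced it.
        return "renewal overdue"
    return "ok"


def days_left(cert, now):
    """Whole days until the certificate expires (negative once expired)."""
    return (parse_cert_time(cert["notAfter"]) - now).days


def fetch_cert(host, port=443, timeout=10):
    """Fetch the certificate a live server presents (needs network access).

    The default context verifies the chain, so an already expired
    certificate raises ssl.SSLCertVerificationError instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a 90-day certificate issued on 1 January 2018.
SAMPLE = {"notBefore": "Jan  1 00:00:00 2018 GMT",
          "notAfter": "Apr  1 00:00:00 2018 GMT"}

if __name__ == "__main__":
    for day in (10, 59, 60, 89, 90):
        now = parse_cert_time(SAMPLE["notBefore"]) + timedelta(days=day)
        print(day, renewal_status(SAMPLE, now), days_left(SAMPLE, now))
```

A "renewal overdue" result on a live site means the renewal job has stopped working while the certificate is still valid, which leaves time to fix it before visitors see an error.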
I don’t know about you, but if I see “not secure” in the address bar of my web browser, it’s going to make me stop and think about it. Even if the website in question doesn’t need security, it’s still a good idea. The HTTP/2 server protocol will not work on plain HTTP websites and it has the advantage of being faster. HTTPS used to slow things down but it’s no longer the case.
Every website on the net will eventually use SSL certificates, with the least being the free SSL certificates to confirm domain names. The websites that fail to play along will be silently ignored by search engines.