SSL Everywhere (Again)

It’s almost hard to believe it’s only been 2 years since Let’s Encrypt came out of beta and began providing SSL Certificates to the general public. I wrote a post at the time calling it a turning point for the web, but cPanel support was pretty much non-existent. Since then much has changed. Just 2 months after that post was written we began using a plugin that offered Let’s Encrypt support directly in cPanel for all users on Reclaim Hosting and announced general support for free SSL certificates. In August of 2016 we began employing ways of scripting the ability for domains to get certificates automatically using the plugin and hooks from our billing system and I wrote a post aptly titled SSL Everywhere where I wrote:

After testing over the past 2 weeks I’m pleased to announce that going forward every domain hosted by Reclaim Hosting will automatically be provisioned with a free and renewable SSL certificate by default.

Around that same time cPanel had also made strides to offer their own support for automatic certificate provisioning with a feature announced called AutoSSL. Initially AutoSSL only supported cPanel’s own certificates issued through Comodo but later Let’s Encrypt support was added. Rate Limits employed by both certificate providers made it difficult to truly promise SSL everywhere and one issue we found was that notifications were a real problem.

Normally receiving a notification that your domain was secure would be a good thing, however often we have found this can confuse a customer that thinks they might have been charged for something, or possibly that the email is spam, especially if they didn’t specifically issue a certificate themselves (and remember we were attempting to issue certificates for all users so that would often be the case). Our ideal scenario is one in which all domains have certificates but no one gets needless emails regarding the provisioning of them (success or failure). Our plugin offered such granular notification settings and at the time AutoSSL did not so given the conflict we decided to double down on the Let’s Encrypt plugin and disable the AutoSSL feature across the board to streamline things.

We have more recently found out that there is a key difference between what the AutoSSL feature can accomplish and the plugin we use cannot. AutoSSL can (and has in many cases) replace and renew certificates for expired domains. That is a good thing in that even if you had a self-signed certificate or previously paid for one and it had expired you’d get a new free one. What we didn’t know was that our plugin was not able to do this, so when we disabled cPanel’s AutoSSL feature we suddenly had a large number of domains with cPanel-issued certificates that the Let’s Encrypt plugin could not renew or replace leading to confusion with folks waking up and finding their sites didn’t work over https.

In the past we have pointed folks to our documentation on installing a Let’s Encrypt certificate but remember our goal was that no one was supposed to have to do that. SSL Everywhere was and still is the goal. We needed to fix this. I’ve reached out to the plugin developers who are now aware of the issue and have committed to working on a fix that could be released along with wildcard support in the next 2-3 months. But that’s a long time to continue fielding issues of certificates not renewing which can render a site inaccessible.

We decided this week that a better short term solution was to turn the AutoSSL feature back on and have it issue certificates for any domains that did not have them or were expired. We would continue to have the Let’s Encrypt plugin exist but with the goal being that users would have a certificate from one or the other automatically and either way they would be renewed automatically. Unfortunately an attempt to ensure that users didn’t receive a bunch of notifications of this failed. cPanel provides an API call to change the setting and it returned the correct response so I didn’t think to check and make sure the setting was actually changed and it wasn’t. Long story short there, many users got emails for every certificate provisioned. But we’ve fixed that now so that the emails won’t be sent in the future and meanwhile the good news overall is that I think we’re much closer to the goal of SSL Everywhere, provisioned by default and renewed automatically with no work on the part of users.

We’ll continue to keep an eye on this in case the landscape changes (with technology it always does) and as always reach out if you have any questions or concerns!

Give it Up for Let’s Encrypt

As I awake from my relative blog slumber this Summer, there are a couple of things (actually a lot of things) I’ve been meaning to blog about. (And luckily I even have a new soundtrack to blog by now thanks to CogDog.) Let’s Encrypt passed a pretty big Milestone in June with 100 million SSL certifications issued in less than two years. In a moment where there’s no shortage of nightmare stories around web security, surveillance, and hacking, Let’s Encrypt seems to be one of the few genuine feel-good stories of the web. A joint-effort, non-profit organization designed to make the web safer by providing free and open SSL certificates. A simple and much needed development that has changed the web dramatically. According to Let’s Encrypt:

Percentage of HTTPS Page Loads in Firefox.

When Let’s Encrypt’s service first became available, less than 40% of page loads on the Web used HTTPS. It took the Web 20 years to get to that point. In the 19 months since we launched, encrypted page loads have gone up by 18%, to nearly 58%. That’s an incredible rate of change for the Web. Contributing to this trend is what we’re most proud of.

Continue reading “Give it Up for Let’s Encrypt”

Let’s Encrypt and SSL By Default

Let's Encrypt and SSL By Default

Yesterday marked a turning point for the web. The Let's Encrypt project is now in a public open beta and issuing free SSL certificates to anyone and everyone. Until now running your site over SSL has been a difficult and laborious process that required quite a bit of technical knowledge about how encryption works and also often a real financial cost.

But why is SSL important for your sites? Isn't http good enough? Well the short answer is that if you use software like WordPress to log into your site, you want to be on a secure connection. On a private network like your home there's certainly less risk (though not zero), but what about when you're out and about? You'd be surprised just how easy it is to obtain credentials from websites when connected to the same open wireless network. Years ago the Firesheep browser plugin exposed this in grand fashion, allowing you to run a simple plugin and gain access to the login credentials anyone on that wireless network were entering when the site wasn't secured.

But until now getting a certificate for your site was not a simple process. It requires generating a "Certificate Signing Request" where the site is hosted, purchasing a certificate from a company, then installing and activating that certificate at your host. Private keys are involved and frankly there are many steps in the process where things can go wrong, not to mention the biggest barrier in that certificates are not free.

Let's Encrypt addresses so many of these fundamental issues by attempting to automate that entire process, and with the backing of major corporations and organizations they're doing it completely free with the goal of SSL becoming the defacto standard for the web. And as of yesterday it's now possible for us to take advantage of that.

Sadly cPanel support, which is the primary software that drives our servers at Reclaim Hosting, isn't there yet. However I've kept an eye on this feature request for a long time now and luckily saw today concrete steps we can take as a host to do this for users. Hopefully we can automate this in the future so that we can activate a certificate on every domain a user hosts with us by default automatically.

For cPanel hosts the process is a bit more manual at the moment, you have to clone the Let's Encrypt GitHub Repo to the server, then inside that folder run the following command:

letsencrypt-auto --debug --server https://acme-v01.api.letsencrypt.org/directory --agree-tos -a webroot --webroot-path /home/username/public_html -m USEREMAIL -d USERDOMAIN certonly

You just replace the document root to where the site is hosted and put in the email and domain that should be secured. After a bit of time Let's Encrypt will issue all certificate files necessary to run the site on SSL in the /etc/letsencrypt/live folder. At that point installing the certificate in cPanel requires uploading the certificate at SSL/TLS > Install and Manage SSL for your site (HTTPS) by copying the contents of the cert.pem file into the certificate area there. You'll need to paste the contents of the privkey.pem file into the Private Key area and the chain.pem in the CABUNDLE section. Once that's done it will install and reload and your site is now available over SSL.

Let's Encrypt and SSL By Default

Obviously one has to have root access to the server right now to do this, but it's manageable which makes me think we could handle it by request right now. The downside is that Let's Encrypt is only issuing 90 day certificates at the moment. Renewing is a single command, but with this manual process the new files would have to be reinstalled at the domain. That could turn into a potential support nightmare. Hopefully though cPanel support for allowing end users to run these tools and automate the installation process are right around the corner and we'll see even more sites take advantage of this amazing service to secure their domains.

Update: cPanel has posted instructions for doing this all by command line in the forums. It even has thoughts on adding a cron job to auto-renew. Nice workaround! https://forums.cpanel.net/threads/how-to-installing-ssl-from-lets-encrypt.513621/