AutoSSL is going to change how webmasters secure data transferred to and from their sites. For the longest time SSL was an additional expense that many webmasters chose to forego as it wasn’t required for the operation of their websites. The time when not having SSL is the norm for most sites is coming to an end. Generally SSL has been reserved for usage by those that send or receive private information such as your name, address, email address, and phone number or even your credit card information.
Google and other search engines are already giving preferable ranking to sites with SSL. For quite some time we’ve offered Let’s Encrypt to our customers so that everybody has access to freely accessible SSL for any site they wish. cPanel has taken this a step further and created what they refer to as AutoSSL. AutoSSL generates and installs a domain validated SSL certificate on all active domains on a server that are not already protected with SSL.
There are several benefits to AutoSSL:
- Installation is automatic with no forms to fill out.
- No more validation emails to wait for and no more links to click to approve the certificate.
- No more certificates to copy and paste into place.
- Coverage will not lapse because the SSL is automatically renewed and installed.
- The SSL is completely free and the encryption is just as strong as a paid certificate.
You may or may not be familiar with the process of issuing an SSL Certificate but generally most certificates are domain validated. This means that when you request the certificate from a Certificate Authority, or CA, they generally will validate the request by sending email to a specific email address at the domain or by verifying the existence of a very specifically named file.
AutoSSL is entirely automatic and requires no human input and, as such, uses the file method for domain validation. AutoSSL will create files within the document root of the appropriate domain, pass those file names on to the CA, and the CA validates the SSL request by loading the file.
You might see CA Validation files and the files used for validation generally look like this:
AutoSSL does not force you to use SSL.
AutoSSL is a fantastic feature and we’re excited to make it available; however, it does not automatically mean that your site will use SSL. Similar to how installing a fire extinguisher in your kitchen means it’s available but not that you are currently using it. AutoSSL installs a certificate and key pair in the web server so that SSL will function properly should you desire to use it. This results in no changes to your sites or how they currently operate without your intervention.
AutoSSL is a fantastic step forward in security for our customers for no additional cost and we are excited to enable this feature. Should you have any generalized questions about AutoSSL you an comment on this post or reach out to support. Should you have any questions specific to your account do please reach out to our support department.
In the event that you do not want free SSL on your site you can opt-out of AutoSSL by reaching out to support.
Great Job and good direction.
The *only* thing that has held me back from AUTOSSL is my poor skill at rewriting .htaccess. I already have my .htaccess file nicely written (through instructions found elsewhere, of course) so that my website is properly redirected or addressed as “mydomain.com” instead of “www.mydomain.com” (note “www.” dropped). I wish to retain this. I’m doofus enough not to be able to poke “https” into my .htaccess file. (N.b., my .htaccess also contains WordPress records.)
AutoSSL installs the certificates automatically – whether or not you use them is ultimately up to you. There is no obligation for you to use SSL but it’s there if you want to :).
That said if you’re running something like WordPress it’s usually as simple as modifying the ‘Site URL’ option in the wp-admin to reflect “https://” instead of “http://” – be aware this won’t modify any hard links coded into content.
Thanks for your very prompt reply! Is there a place where I may find hints as to how I may change the “hard links” correcly when I enfgage https? In .htaccess I have:
RewriteEngine On
RewriteCond %{HTTP_HOST} i^www\.(.+) [NC]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*) http://%1/$1 [R=301,NE,L]
FWIW I fought with it all afternoon and evening and changed my .htaccess to say, simply:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
RewriteRule ^(.*) https://%1/$1 [R=301,NE,L]
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
http://www.mddhosting.com/support/knowledgebase/1029/How-do-I-force-SSL-using-htaccess.html
:).
Nice… MDD is the best! Thanks Michael
Sure thing :).
Michael,
I’m curious about how this affects static ips. Will we be able to drop that cost if we use AutoSSL?
Thanks,
Russ
A dedicated IP address hasn’t been required for SSL for a few years now. SNI has been available for a while – since we moved from CentOS5 to CentOS6 as our core operating system.
Install a plugin called Velvet Blues Update URLs. https://wordpress.org/plugins/velvet-blues-update-urls/ it will search all your posts, links, etc and change the old domain to the new domain.
OLD url: http://domain.com
NEW url: https://domain.com
Hope it helps
Hey, Dan, many thanks for the pointer to that plugin. We manage about fifteen sites using WordPress — we will make heavy use of this one.
Best,
Norma
This is good news. Thanks for this feature Michael.
Absolutely!
Thank you Michael.
Good move. If we’re already on Let’s Encrypt, do we need to change anything?
They’re extremely similar. We considered using Let’s Encrypt for AutoSSL but decided to stick with Comodo so that you have the choice. AutoSSL will only install on domains that are not already secured with a certificate so if you’re already using Let’s Encrypt you need not do anything :).
Glad to see this!
I’m assuming that this is not the same as an Extended Validation Cert, without which you get only a gray padlock in Edge and Safari, not the full green padlock (Chrome, Firefox, and Opera don’t appear to make any distinction).
SSL appears to be working just fine on my domains, but I’m not seeing the three validation files in the document root, either in cPanel’s File Manager or in FileZilla. Are they hidden?
The validation files may or may not show up in your account/stay. I simply wanted to outline that they could exist as we’ve had a few people go “SOMEBODY HACKED ME AND ADDED TEXT FILES!!!!!”
Extended Validation does require extended validation where as these are domain validated certificates. If you already have an EV Certificate it will not be overwritten or modified by this. If you want an EV Certificate you do have to order one and go through the validation process.
OK, I think I understand. So the validation files are there only long enough for validation to occur, right? I know that if I saw them sitting in my public_html, for example, I would delete them – “Hey, I didn’t upload these!” 😉
Instead, I appear to have a new SSL directory, with certs and keys subdirectories.
I understand the push to SSL, but forcing webmasters that don’t want to MIGRATE to opt-out is pretty poor form. Especially given the considerations with code, SEO, etc. Not cool.
Nobody is being forced into anything. If you don’t want to use SSL – don’t :).
Simply installing the certificate file in the server does nothing but make it possible to use it if you wish.
MDD is the best!
Michael,
That’s SOOOO easy to update in WordPress.
Thank you for running the best web hosting outfit.
David
Thanks Michael! Even though I haven’t had time to really work on my wordpress site, I’m still very please with MDDhosting. I’ve told many people and I highly recommend it.
Hope you have a great Christmas.
I tried just putting https:// in front of my site’s URL in the browser. And get this …
Attackers might be trying to steal your information from http://www.MYWEBSITE.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
Automatically report details of possible security incidents to Google. Privacy policy
Back to safetyHIDE ADVANCED
This server could not prove that it is http://www.MYWEBSITE.com; its security certificate is from http://www.abilityday.org. This may be caused by a misconfiguration or an attacker intercepting your connection. Learn more.
Proceed to http://www.MYWEBSITE.com (unsafe)
In a few cases this isn’t working properly and we have an open support request with cPanel for them to investigate. They’re actually looking into it now and once we know the cause we will resolve it.
It is taking some time to get some certificates issued. You’ll want to make sure you test your site over https:// before making any changes. If it’s still not working for you at this point please open a ticket so I can take a closer look.
https is working now – thanks! This is great.
Glad to hear it :).
FYI, still having the problem with my domains on P1 (other than the one you guys fixed manually). Not a big deal, just thought you’d like to know…
This will be a really nice addition.
You’ll need to update your outstanding ticket. While I’m happy to help here – it’s hard to be specific in a public venue when discussing your account.
Does this conflict with folks using CloudFlare in any way? I know SSL’s did in the past.
It only installs the certificates in our server – it has no impact on CloudFlare. That said if you are using CloudFlare and want to use this SSL – you’ll need to change a couple of settings at CloudFlare [to enable SSL].
Hi Michael,
A few questions:
1. How do I turn it on?
2. Will this change the web address to HTTPS:// ?
3. Can I use it for a single page on a website, say where a form is to be submitted?
4. Does this slow down the page loading?
Thanks.
1. It’s on already.
2. No – you have to make that change.
3. It’s by-domain and would apply to all domains – so yes – you can use it for any form you like.
4. I suppose it could in theory by a few milliseconds.
I have an existing PAID SSL cert, which I got before let’s encrypt was available. I’ve been sent a reminder yesterday to pay again and I see little point. I assume I’ll have to contact support to get this transitioned?
Thanks.
You can simply install Let’s Encrypt to replace your paid certificate – it will behave exactly the same. That said if you really want to use AutoSSL instead of Let’s Encrypt – yes you’d need to reach out to support to avoid a short period without SSL.
It’s worth noting that most paid certificates come with some sort of insurance against the certificate being compromised. It is my understanding that the free certificates do not include any such insurance.
This blog is using SSL by cPanel AutoSSL as well :).
http://www.screen-shot.net/2016-12-17_17-26-28.png
How come AutoSSL is not available for CloudLinux Servers doesnt seem to be an option. Is this only for Centos?
We run CloudLinux and we’re running AutoSSL without an issue so I’m unsure where your question comes from. If you’re having issues do please open a support ticket so we can take a look :).
If AutoSSL is enabled by default, then I should be able to go into WordPress and start changing the site address from http to https with no other action? I just ask because in the past when I have tried to change this, if it doesn’t work then I am unable to access the admin panel again because of the changes.
You’ll want to try loading the site with “https://” via your browser before making any changes. If you get an SSL error – then it would be ill advised to make the change in your wp-admin and I’d suggest opening a ticket.
I’m a little confused on how this works. I can see that when I physically type in https://mydomain.com into a browser that it works and shows the little green lock. How do I make it so that when a random person searches and types in mydomain.com that it automatically comes up as https://mydomain.com ? Is there something I need to change in the index.html file? Thanks.
You can do it via mod_rewrite in the .htaccess if you desire. It’s just one of the few ways to do it depending on your content.
Even easier to do it from within cPanel, on the Domains/Redirects page. For a simple site, choose the domain (like example.com), redirect to https://example.com (your domain, of course), redirect both with and without www, and choose the wildcard redirect. No messy .htaccess syntax to worry about.
[[ Redacted ]]
Please open a support ticket.
What’s interesting is that I have multiple site I host from my main site. Some of them still open without problems, such as designcubedart.com or web1006.d3clientsite.com, but designcubedphotography.com and web.1004.d3clientsite.com do not.
Any suggestions?
Yes, please respond to the support ticket I opened with you.
Changed in WordPress settings to https://
Installed Velvet Blues plugin and changed all links etc.
Google Chrome still shows a little ‘info’ icon in address bar which shows that site is not secure because of ‘Non Secure Origins’ as the original http:// site
What else can be done to get it working???
Delighted that it has been added, by the way!
You’ll need to follow the advice already given by Big Dan in a comment here on this post.
In short – it’s a content issue and not a server issue. You’re loading some of your files via a hard-coded “http://”
Seems to be working now after closing and reopening browser.
Could somebody write simple steps how to do that in WordPress? If it’s that easy to do in WordPress, could someone post anything?
Would appreciate a lot.
The simple steps are to update the “Site URL” to use HTTPS in the wp-admin.
The reason it’s not really that simple is because of themes, plugins, widgets, and hard-coded content. Simply updating the Site URL is all that’s needed on some sites – while others it’s quite a bit more complicated to get it changed over. There really is no simple answer unless you’re running a vanilla installation of WordPress.
Michael, MANY thanks for this perk (also a relief to know what those strange text files were)! Thomas, I think these are the steps for a WordPress site. It has worked fine so far on a couple of sites I don’t care about, but you may want to wait for Michael to give the thumbs up before proceeding.
1). Log in to your Dashboard and go to Settings/General
2). Add an s after http to your website URL in the WordPress Address (URL) and Site Address (URL) boxes
3). Click the Save Changes button at the bottom of the Settings page
4). Go to Plugins/Add New
5). In the Search Plugin box, type velvet, then hit enter
6). Velvet Blues Update URLs will come up up near the top of the list
7). Click on the plugin name
8). In the window that pops up, click the Install Now button
9). Th window will close and show you the Add Plugins page again. Click the Activate button next to Velvet Blues Update URLs
9). We’re almost done! Go to Tools/Update URLs
10). Under Step 1, put your old http:// URL in the first box and your new https:// URL in the second box
11). Under Step 2, check all of the checkboxes except the last one (IMPORTANT – do NOT check Update ALL GUIDs)
12). Click the Update URLs Now button
13). A little box will come up telling you how many changes were made
14). Return to Plugins/Installed Plugins and deactivate Velvet Blues Update URLs. Once it is deactivated, you can delete it.
15). This is optional, but you may want to go the plugin’s page on WordPress.org and either leave them a nice review or donate a dollar or two (or both), since they just saved you from having to search all over your website for links that needed to be updated.
https://wordpress.org/plugins/velvet-blues-update-urls/
This is terrific – followed the instructions and, bingo, all done.
Only one thing that I would add and that is to deactivate any Cache plugin you may have before running Velvet Blues
Can I use Comodo SSL logo on the bottom of the protected web page (web form)?
Honestly I do not believe that any sort of site seal is available when using AutoSSL or Let’s Encrypt. More than likely to use a site seal that’s not simply an image – you’ll need to actually purchase a certificate.
There is a Free Trust Logo at Comodo website.
https://ssl.comodo.com/free-trust-logo.php
and you can also install the free SSL certificate.
https://ssl.comodo.com/free-ssl-certificate.php
Cheers!
Thank you so much Michael, this is awesome. I really wanted to convert my site to SSL for the search engine advantage, but found Let’s Encrypt very cumbersome for a little guy with little time to run a little website. This couldn’t be easier – followed the instructions above to modify the WP site URL, copied and pasted the text from your KB article into my .htaccess file and bingo, I’ve got a beautiful green lock on every one of my pages. Thanks for such great hosting and support!
If I already have Let’s Encrypt, are there any benefits to switching to AutoSSL?
No. ?
what if I have a regular ssl certificate for my domain and its a shared cert… and I have auto ssl turned on that domain too? Will that cause any interferences?
AutoSSL will not replace an active/valid SSL Certificate.
Will I be asked to renew auto ssl?
It renews automatically.
This is excellent. I did notice that my new sites were automatically encrypted. Again, this is great – will have to login to chanel to enable the feature for the rest of my websites.
You guys are just awesome! I’m so glad I came across your hosting but not much people are aware of your service. So, I would recommend you to carry out some promotion bcuz you deserve to be the Leader in the Industry.
Does it take a little while once a domain is added (Add-On Domain) to my cPanel for AutoSSL to start working? I just added an add-on domain and uploaded some static html files for the website. Tried visiting through https:// and am getting a self signed certificate trust error. Didn’t have to do anything special to get it working on other domains I have on the account with a similar setup. So should I just wait a while and try again?
It can take some time. We advise using cPanel -> Let’s Encrypt if you need ssl immediately.