Steps to implement Let's Encrypt with cPanel

@Kaufman445

Posted in: #Https #SecurityCertificate #WebHosting

I am implementing a move of a site from http to https; I am using Let's Encrypt in cPanel, in a shared hosting environment.

This is how I implement it:

1. Put the site in maintenance mode
2. Issue the SSL certificate
3. Add this code in .htaccess:

   # Scheme and $1 back-reference restored here; the scraped copy of the post had dropped them.
   RewriteEngine On
   RewriteCond %{SERVER_PORT} 80
   RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

4. Delete all sessions in the session folder so users are redirected to the login page, or delete all the cookies stored in the database.
5. Test it
6. Turn maintenance mode off


Is this the right thing to do? If not, please do tell me how to do it.

Update

I tested this .htaccess code to follow the guidelines of hstspreload.org:

# Scheme and $1 back-reference restored here; the scraped copy of the post had dropped them.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301,NC]

RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.example.com%{REQUEST_URI} [L,R=301]

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
</IfModule>


This gave me a medium warning:

Warning: Unnecessary HSTS header over HTTP The HTTP page at example.com sends an HSTS header. This has no effect over HTTP, and should be removed.
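An added example (not the poster's .htaccess and not cPanel's own configuration) of the same redirect chain with the HSTS header emitted only on HTTPS responses, which is what the hstspreload.org warning above is about. It assumes Apache 2.4 with mod_rewrite and mod_headers enabled, and uses example.com / www.example.com as placeholder hosts.

```apache
# Added example, not the poster's .htaccess. Assumes Apache 2.4 with
# mod_rewrite and mod_headers, and https://www.example.com (placeholder)
# as the canonical host.
RewriteEngine On

# Step 1: http://example.com -> https://example.com (same host, HTTPS first).
# The bare domain must answer over HTTPS with its own HSTS header before
# any www redirect, which is why this hop does not change the host.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

# Step 2: anything that is not https://www.example.com -> https://www.example.com
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

<IfModule mod_headers.c>
    # WEAK (what triggered the warning): the header goes out on every
    # response, including plain-HTTP ones, where browsers ignore it.
    # Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"

    # CORRECTED: emit the header only when the request arrived over TLS
    # (mod_ssl sets the HTTPS environment variable). "always" also covers
    # the 3xx redirect responses, which the preload checker inspects.
    Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" env=HTTPS
</IfModule>
```

After deploying, fetch http://example.com/, https://example.com/ and https://www.example.com/ with curl -I and confirm the header appears only on the two HTTPS responses.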


2 Comments


@Courtney195

I would not do it as you propose. My suggestion gives you more control over the process, resulting in as few errors for your visitors as possible:

1. Implement LetsEncrypt / https but don't set any redirects yet
2. Now type in your url and check it yourself. Do/fix as many tests as you can/like [1].
3. If you're confident you've got most of it, get a group of users which you tell about the https to do the same (or redirect just this group); usage always reveals more problems.
4. When you feel you've done all you can, implement the redirect to https [1]
5. Keep checking your reports, possible 404's etc. Again, real usage always reveals errors you haven't found, be prepared for this (if you're lucky it's simply a typo).
6. After a sufficient amount of time, implement HSTS; this way your site isn't accessible via http.

[1] I suggest you link to external files like this: //www.example without either http: or https: in the URI
[2] No need to remove sessions as they either transfer with you to the https (unlikely) or they simply expire on the spot. Your users will have to log in again if they're switched to https (you might want to give them a heads-up).


@Pierce454

I run a web hosting business. Hundreds of clients are (or aren't if they are lazy) switching to https via free LetsEncrypt certificates.

To be honest, I think you are overcomplicating things. Install the SSL for the domain, then without changing anything, try using https and see how you go.

You might find a bunch of mixed-content warnings when viewing the developer tools console. This is one of the most important steps as if there is any mixed content i.e. files included using http, you will not see a secure padlock.

There is no need to put a site into maintenance mode. Even if you have the certificate installed, people can still use the legacy http while you are testing.

Then when you are satisfied it is working, add the code to your .htaccess file.

Here's how you test: go to https://example.com and see if there is a padlock in the address bar. If there is, it is working. If there is still an insecure notification, go back to developer tools to look for the problems.
