Effective July 2018, Google’s Chrome browser will mark non-HTTPS sites as ‘not secure’


(Doug Bennett) #1

If you’re not using SSL on your site(s) yet you’re running out of time.
It looks like with the release of chrome 68 scheduled for July release sites accessed as HTTP, not HTTPS will be marked as not secure right in the address bar. Now you get that message only if you’re accepting users input.
This message will affect your bounce rate.


Https - noddy's guide required
(Rob D) #2

I can’t imagine why would anybody not switch to HTTPS. Especially, when SSL/TLS certificates are free and they renew automatically. One-time effort that anybody can accomplish will give peace of mind forever (or until next improvement in Internet security)…


(Bruce Kieffer) #3

Please help and explain how we make our sites HTTPS. Thanks.


(Rob D) #4

Many hosts provide a free SSL/TLS certificate obtained from Let’s Encrypt. So, first go to your cPanel and look for Let’s Encrypt SSL:

This will lead you through the whole process.

If that is not an option in your case, click the link I provided in my previous post. That will also explain the whole process. Additionally, they have a very good forum where all intricacies are addressed by professionals from Let’s Encrypt, if necessary.


(Bruce Kieffer) #5

Looks like my host has WordPress FREE SSL. I will test that and see how it goes. Thanks.


(Barrie McDermid) #6

Are you with Bluehost by any chance Bruce?


(Bruce Kieffer) #7

Yes. Do you have any suggestions?


(Bruce Kieffer) #8

I ordered the free SSL. It says it’s installing. Is there something I need to do to my RW project file, like change the web address?


(Richard Nicholls) #9

Cloudfare, https://www.cloudflare.com, offer free SSL certs.
I set 2 sites up yesterday in 2 minutes, all I needed to do was change the DNS address with my hosting provider and job’s-a-good-un.
Their free level is perfectly adequate for most sites I’d say.
Richard


(mark hunter) #10

Hi Richard

Have you experienced any publishing issues when using Cloudflare SSL?

After turning on Cloudflare SSL I can’t publish and I get the error “Operation was aborted by an application callback.”

As yet I’m not sure if its related, I’ve turned off SSL and, as yet, I still can’t publish.

Changing the names servers to Cloudflare appeared to work OK, I could still publish, but when I switched on SSL publishing immediately failed and turning off SSL hasn’t fixed it yet.

Regards

Mark


(Gary) #11

Unfortunately some hosts don’t support Lets Encrypt unless you have a dedicated IP address - Clook for example. I have inherited 2 sites with Lets Encrypt SSL domain names, and both did not auto renew this year causing the customers to panic and blame me. I found it impossible to resolve using the available Lets Encrypt support and my host kindly resolved the auto renew even though t was nothing to do with them. They later explained that that is one of the reasons they don’t offer Lets Encrypt.


(Richard Nicholls) #12

Just tested it and it’s fine.
I am using SFTP rather than FTP though, not sure if that makes a difference.
Richard


(Doug Bennett) #13

You don’t have to have a static (dedicated) IP address to use Lets Encrypt or use the auto renew process. Very very few shared hosted websites have a static IP address, in fact, most of the shared hosting companies don’t even offer that as an option until you upgrade to a VPS plan.
I’ve had auto-renewal of Let’s Encrypt certificates lots of times on different host companies without a static IP and have had no problems.
Now I wouldn’t set up the let’s Encrypt myself as your client appears to have done, as they probably don’t have and shouldn’t have the level of admin access needed to setup correctly, but there are thousands of hosting companies that have set it up as a simple cPannel option. From what I’ve been told by a friend who has been working as a Unix admin since the mid 80’s is it shouldn’t take more than an hour to set up.
Most of the hosting companies that don’t offer this service are doing this to increase sales of private certificates or upgrades in hosting plans. The reality is the service from lets Encrypt doesn’t cost them a penny.
It’s up to everyone who chooses a hosting company to accept these excuses or choose a different company to host with.


(Doug Bennett) #14

Did you try connecting with an IP address (for ftp) or are you using a server name?

Might want to have a look at this article:


(Gary) #15

For sure you don’t need a fixed IP, but in Clooks case, they only offer Lets Encrypt setup IF you have a fixed IP. Or maybe they don’t because their blurb is a bit vague on it now.

No doubt this is all a marketing thing to drive you to their paid for SSL.

However, I would never use Lets Encrypt because of the renew issues I had with them which far outweighed the small cost of a 36 monthsSSL basic certificate with someone like Comodo.


(Barrie McDermid) #16

HI Bruce, I went with Veerotech and so far so good!

Regards

Barrie


(Doug Bennett) #17

If you want, to pay for them there are lots of options, many come with an insurance bond covering losses if the encryption fails.
Most RapidWeaver users don’t want to pay for things like this.
Let’s Encrypt certificates only have a 90-day expiry date, so they do have to be renewed more often than the paid plans. However, most good hosting companies now have that setup for automatic renewal and don’t have any issues with it. DreamHost auto renew process takes place with 30 days left on the certificate.
Just to let folks know, I’ve had issues with paid certificates getting renewed as well. It might only happen every one to three years, but they still expire.
My main point here is there’s no reason for a hosting company not to offer free certificates other than trying to sell you something that should be free.
For most small websites a free certificate from Let’s Encrypt is more than what you’ll need, and implemented correctly by the host company should be trouble free. I’ve had a few of them for years and never had a problem with renewal.


(mark hunter) #18

Thanks Richard, I left it for a while and came back to it and it’s working fine now, and I’m using standard FTP. I still don’t know if it’s something with Cloudflare or just a ‘glitch’ in Rapidweaver publishing.

Regards
Mark


(mark hunter) #19

Thanks Doug, I’ll take a look. I’m just ftp-ing using the server name.
Regards
Mark


(Bruce Kieffer) #20

I have the free SSL from Bluehost installed, now I need to know is there any change I need to make to my RW project (site) and then publish it again? I can see the padlock, but I can also get to my site using http:// without the “s.”