Securing website by installing SSL certificatePosted on: April 12, 2018, by : chowyn
A few months back I decided to consolidate the various domain names, web hostings and websites that I have. The key reason for this was economic. I realized that over the last 10 years while learning to “play” with all these web-based “learning toys” of mine I had spent quite a lot.
Consolidation of domains as mini projects
One of the mini projects I had set myself to do was to move my blog (previously on theplantcloner.com which is being hosted till Oct 2018 by WordPress.com) to my web hosting under Mochahosting. WordPress has a simple “Export” function to generate an XML file to carry almost all of the content of the blog. It has also a very simple “reversal” feature for me to “Import” the content into the blog’s new home, where you are reading this now, https://slc4u.org/learning.
My next mini project was to configure, “beautify” and populate my blog’s new home with features etc. which were denied me while the blog was hosted on my package with WordPress.com Then halfway on I realized that it would also be good to consolidate my key business websites (yup I have more than four websites!) into the same domain of slc4u.org. This will surely streamline the work and present a more informative, “one-site-find-all” business website and blog. In addition, I could perhaps generate some business for my consultancy from traffic to my blog.
Blog’s traffic slowed to near standstill post migration!
With the new self-hosted WordPress site done up for my blog, the time had come for me to make the final decision to move. Thus around mid March 2018, I started to “wind down” the previous blog hosting, having sorted out the issue of domain name transferring (that’s another story to come!). Gradually, as I gained more confident of working with the slc4u.org domain and the working of the self-hosted version of WordPress, I started to boost up the traffic to slc4u.org by telling my blog subscribers & visitors of theplantcloner.com and visitors about the new location of my blog.
WordPress.com took away all the pain of self-hosting of your blog using WordPress as the platform but there are two things that bugged me. Firstly, it has very restrictive in the selection of themes and even less so for plugins. These make the blog was very “vanila” in its look and feel. Secondly, although WordPress.com provides the generic hosting free by treating your blog as a subdomain (i.e. yourblog.wordpress.com), to use a dedicated domain, one needs to register this domain with WordPress.com (the US$18 a year package that I was on is no longer available to new registrants, now it is more like US$48 per year).
While under WordPress.com’s hosting, my blog, due to the tweaking, security and good search engine optimization, have a respectable number daily visitors. However, once the switch was done, the flow of visitors, even to my most read piece dwindled down to zero!
Being SSL certified is essential!
I tracked down the key reason for the drastic drop post-migrating to the lack of Secure Socket Layer (SSL) and hence the “https” feature of slc4u.org. I discovered that search engines are not too kind to unsecured sites (i.e, sites without SSL and hence the lack “https” in their URL). People searching for my articles are just not able to find them. So it is a no brainer. I must get a SSL certificate and make sure that my site gets “https” in all the URL.
According to Digicert, “Secure Sockets Layer (SSL) certificates, are used to establish an encrypted connection between a browser or user’s computer and a server or website. The SSL connection protects sensitive data, such as credit card information, exchanged during each visit, from being intercepted from non-authorized parties.”
Thus without SSL certification on my site, traffic to it naturally would grind to a halt. I knew then SSL certification is a “must have” for my site. I must learn how to get my site SSL certified!
Trials and errors in getting SSL certification
I began to Google for “SSL certificate” and found out that most sources on the internet tell you that SSL certificates have to be purchased and nearly all point to some sources of SSL certificate vendors, most being domain name registration and web hosting companies . I was fortunate to find out that Namesilo (where two of my domains were recently transferred and registered) provides information for its customers to obtain free SSL certificates.
While the instructions from Namesilo are very clear: you have two choices, one is Let’s Encrypt (but this must be made available by your web hosting provider, and it should be easily installed with a few clicks); the other was CloudFlare which offers free SSL certificates (but will require you to configure a rather complicated set of settings).
Let’s Encrypt’s confusing instructions & CloudFlare’s complicated configuration
My first reaction was to go with the first choice of Namesilo. So I visited Let’s Encrypt’s website to see what I had to do to get a free SSL certification for my website. Let’s Encrypt gives a lot of information on how to get started. But there is a distinctive lack of clear and step-by-step instructions. You need to learn quickly (and decide quickly) whether your web hosting company grants you “Shell Access” or not. After reading the entire webpage a few times, I was utterly confused (though by then I learned that I should have “shell access”).
Off I went to explore Option 2, CloudFlare which have a very informative and step-by-step instructions for one to get hold of their free SSL certificate. Signing up was easy, I just have to use my Google login as my credential. Getting an account with CloudFlare and starting the ball rolling was easy too.
You put in your website address, select the free plan and you are in. But tweaking with settings to configure CloudFlare to work with your website does require one to have a lot of knowledge of how domain names and internet traffic works. You need to change your domain name server to that of CloudFlare (which means that you need to have access to your domain name registration manager). Then you need to know how and where to configure other settings. As I am a bit adventurous with this sort of challenges, by trial and errors, eventually I managed to get CloudFlare’s free SSL certification for my site. But when, as advised, I started work on putting the free SSL certificate onto my website’s “home” server, things started to get messy. I ended up, after working on this for over four hours, giving up on this part of my configuration which I had to do on the control panel of Mochahosting (not the most friendly to those who are not expert users). One thing I noticed was, when CloudFlare free SSL certification was working well, because of the superb DNS server of CloudFlare compared to Mochohosting, my website was loading a lot faster, almost below 10 seconds. CloudFlare does have a feature for one to “Pause” the working of all functions but the DNS server which could provide a different solution for those without a good DNS server from the “home” web hosting company.
Spotted the “hidden Mickey”
Just as I was getting frustrated over my not able to fully configure CloudFlare on my website’s server, I decided to take a look at Mochahosting’s control panel again. Hidden to the extreme right of the halfway down the home page, under the “Security” section was a small logo of Let’s Encrypt. But there was no instruction on how to configure this to work on my website. I clicked the button to install Let’s Encrypt’s free SSL certificate on my site and did not know I should do next to activate the service! I then decided to put CloudFlare’s SSL certification service on “Pause” and see if I could let Let’s Encrypt provide the much needed “https” feature for my website. While testing “https://slc4u.org/” I faced the problem of “SSL handshake failed” each time. Going back to the installation page of Let’s Encrypt, I spotted a message to say that my attempt to install a SSL certificate failed but without a clue on what I did wrong with Let’s Encrypt SSL certificate installation.
Start all over again
I realized that there must be a conflict in having two SSL certificates for the same site, one provided via CloudFlare and the other via Let’s Encrypt. It was time for me to start afresh and concentrate on only one SSL certification service at a time. I deleted all the SSL certificates from my site and went back to restart CloudFlare’s SSL “engine”. The many different configurations that I had tried could not to solve the “SSL handshake failed” problem. I knew then I had to abandon CloudFlare and try my luck again with Let’s Encrypt, starting with a clean slate again.
But before going back to the control panel of Mochahosting, I Googled “SSL certification WordPress” to see if there are any plugins that I can install on WordPress which will do the job of configuring an SSL certificate on my site without my having to worry about what to do with all those settings (as in CloudFlare’s case). I found a few such plugins exist but the one that appealed to me, I think because of its name, was Really Simple SSL I decided that I should try this plugin after I had a working SSL certificate installed successfully on my website.
Got https://slc4u.org to work, finally!
I went back to Mochahosting’s control panel to re-install Let’s Encrypt’s free SSL certificate, this time only limiting myself to my domain, slc4u.org and ignoring the other variants that popped up (all of which I included in the previous attempt on SSL certification). And viola! At last, I got a working SSL certificate installed on my website.
The next step for me was to install Really Simple SSL on my WordPress installation which runs my website (and this blog). The plugin, true to its name, was very simple to install, activate and configure. After testing with a few different browsers, both on the laptop computer and my Android phone, I was satisfied that I finally had “https” switched on for my website. However, the loading time of my website was over 1 minute long. It must be the DNS server of CloudFlare which I was still using (I only “Paused” its service whereby CloudFlare’s DNS server still worked in directing traffic to my website). A restoration to Mochashost’s DNS settings quickly solved this final problem. I now truly have a functional “https” url for my website!
All I need is to see if there is a resumption of traffic to my website, at least to the average level when my blog was hosted by WordPress.com under the domain name of theplantcloner.com (which is now redirecting all traffic to slc4u.org).