
Install a Free SSL Certificate and Improve Your Search Engine Ranking

Carlos Pinho
By | 2017-09-07T12:39:30+00:00 Aug 31, 2017|HTTPS|

Before going straight to the point, that is, explaining how to install a free SSL certificate, I decided to write the following preamble to frame the context of this article and highlight why it is so important for many bloggers and companies to move their websites to HTTPS as soon as possible.

Preamble

Google has been looking very closely at internet security for some years. In 2014, the search engine giant announced HTTPS as a ranking signal, meaning that it would encourage the adoption of pages served under TLS (Transport Layer Security) by boosting their search engine rankings. Since then, Google has deployed several measures and projects to help webmasters move from HTTP to HTTPS.

chrome secure page warning

In September 2016, Google decided to take another step forward in improving web security by announcing a different treatment for HTTP pages in its browser, Chrome. From version 56, any page intended to collect passwords or credit cards would be marked as not secure. Google also mentioned that it intends to restrict the use of HTTP even further, by including a red triangle with the not secure warning next to the URL.

chrome secure page warning triangle

In April 2017, Google announced that these intentions would come true at the beginning of October 2017. Chrome will start adding the “Not Secure” mark to all pages served under HTTP when in incognito mode. Further steps are expected, as Google reports a 23% reduction in the use of HTTP pages with data collection forms, meaning that stakeholders are widely accepting Google’s changes and are therefore open to further improvements.


HTTPS and Search Engine Ranking

The number of HTTPS pages ranking on the first page of Google has been increasing. According to Moz, 30% of the results shown on the first page one year ago were pages served over HTTPS. Today, this number has climbed to 50% and is expected to reach the 65% milestone by the end of 2017.

This doesn’t necessarily mean that a specific HTTP page has lost ground to other results (although that is possible), but it does mean that between two versions of a page, secure and not secure, Google will show the secure one.

Half of Google Results are served on HTTPS

Source: MOZ.com

Nevertheless, we should bear in mind that users, especially those not aware of these changes but aware of security risks, will most probably abandon their visit to a website or page abruptly once they face a “not secure” warning, which becomes even more evident in a purchasing environment.

According to a 2014 survey conducted by GlobalSign, visitors don’t see HTTPS as an option but as a requirement:

  • 75% of users are aware of security risks when visiting a website;
  • 77% are concerned about their data being intercepted;
  • 55% are worried about identity theft on the internet;

And that a security indicator enhances trust:

https trust enhancement indicator

Source: globalsign.com

Finally, about 84% of visitors would abandon a purchase if data were to be sent over an insecure connection, and about 50% are worried about their credit card information.

These insights show us the main reason behind the big internet players’ efforts to push websites to be served under TLS. An untrusted environment leads to fewer purchases and, therefore, less advertising, less selling, less everything.

But What is HTTPS?

HTTPS is the acronym for HyperText Transfer Protocol Secure. The main difference between HTTPS and HTTP is that the connection is encrypted, preventing attacks like “Man in the Middle”, in other words, plain text data being intercepted by someone who is not the intended receiver. This is only possible through an SSL certificate, which carries a public key and is paired with a private key kept on the server, used to encrypt and decrypt the communication between sender and receiver. HTTP traffic is commonly sent through port 80, while secure HTTP uses port 443.

Man In Middle Attack Example

Before moving to HTTPS

Before going for an SSL certificate, it is essential to understand that you are going to move your site URL, which means your website/blog might suffer some negative impact on search engines for a certain period. It is therefore important to follow some steps in order to mitigate any ranking problem. Google has published a guideline for site moves with URL changes, which can help while migrating from HTTP to HTTPS, and another article with Best Practices to Secure your site with HTTPS.

Some of the points to highlight are:

  • The kind of certificate you need, i.e. single domain, multiple domains (and subdomains) or wildcard;
  • The certificate must be high-level, that is, use a 2048-bit key;
  • Make sure to use server-side 301 redirects;
  • Add the HTTP property to Google Console;
  • Consider the use of HSTS for improved security;

SSL Certificates Differences

It is also important to understand there are different SSL certificates. They are split into three types:

  • Domain Validation (DV);
  • Organization Validated (OV);
  • Extended Validation (EV);

Domain Validation is the most popular type of SSL certificate: it shares the same browser recognition as OV, but has the advantage of being issued immediately, as there is no need to submit any identity or company paperwork to the Certificate Authority (CA). DV is the type of certificate issued by Let’s Encrypt.

An example of Domain Validation is what we use at TekTuts.com. You see the green padlock and the Secure mark in the browser URL bar. If you click on the certificate, you will see the details and can verify the type of certification granted.

TekTuts Domain Validation Certificate Browser Locker

TekTuts Domain Validation Certificate

Organization Validated offers a higher level of assurance to visitors and is most common on shopping websites. To obtain this kind of certificate, some CAs will check government databases, besides the usual paperwork, and compare them with the supplied information. Another particularity of this kind of certificate is that it usually includes a bigger warranty to cover possible losses to customers, which gives an additional guarantee to any customer.

Looking only at the browser address bar, DV and OV certificates are identical, and it is not possible to know which of them is in place unless we check the certificate itself.

Extended Validation is the most comprehensive and strict certification method. The Certificate Authority will check, according to the EV Guidelines ratified by the CA/Browser Forum, all the required steps, such as the physical existence of the entity, identity matches and the right to use the domain, among others.

EV certification is commonly used by government entities, major corporations and businesses. EV is also quickly noticeable, as it is the only type of certification that shows the green address bar for the site.

Comodo EV SSL Certificate Browser Green Bar Comodo EV SSL Certificate Details

As mentioned in Google’s considerations, a certificate can be issued for a single domain, multiple domains or as a wildcard. Multi-domain is available for DV, OV and EV, while wildcard is available only for DV and OV.

A multi-domain SSL certificate, also called a SAN certificate, allows you to secure several domains with a single certificate, like:

www.mydomain.com | mydomain2.com | mail.mydomain.com | cdn.mydomain.net

A wildcard SSL certificate allows you to secure an unlimited number of subdomains with a single certificate. In this case, a certificate issued to *.mydomain.com will work on:

www.mydomain.com | cdn.mydomain.com | mail.mydomain.com | ftp.mydomain.com

A domain SSL certificate, as mentioned, is the most common SSL certificate being issued. The disadvantage is that you need to issue an SSL certificate for every single subdomain.
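
The three scopes differ only in which host names the certificate's name list covers. The script below is an added example, not part of the original article, showing the matching rule browsers apply: a wildcard stands for exactly one label, so *.mydomain.com covers neither the bare mydomain.com nor a nested name. The function names and the shop.eu.mydomain.com host are made up for illustration; the other domains are the article's placeholders.

```shell
#!/bin/sh
# Added example: which host names does a certificate's name list cover?
# Domains are the article's placeholders; function names are hypothetical.

# cert_covers HOST NAME...
# Returns 0 when HOST matches one of the certificate names. Matching is
# case-insensitive, and "*." stands for exactly one left-most label.
cert_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    for name in "$@"; do
        name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        case "$name" in
            '*.'*)
                suffix=${name#\*}                   # ".mydomain.com"
                label=${host%"$suffix"}             # text the "*" would replace
                [ "$label" = "$host" ] && continue  # host lacks that suffix
                case "$label" in
                    ''|*.*) continue ;;             # no label, or several labels
                esac
                return 0 ;;
            *)
                [ "$host" = "$name" ] && return 0 ;;
        esac
    done
    return 1
}

# uncovered_hosts "NAME NAME ..." HOST...
# Prints every HOST the given certificate names would leave unprotected.
uncovered_hosts() {
    names=$1
    shift
    set -f    # keep the shell from expanding "*" in $names as a file glob
    for h in "$@"; do
        # $names is deliberately unquoted: one argument per certificate name
        cert_covers "$h" $names || printf '%s\n' "$h"
    done
    set +f
}

# The wildcard certificate from the text, checked against a site's host names.
uncovered_hosts '*.mydomain.com' \
    www.mydomain.com cdn.mydomain.com mydomain.com shop.eu.mydomain.com
# prints: mydomain.com and shop.eu.mydomain.com (one per line)
```

Running the same check against the names you plan to request shows, before the certificate is issued, whether the bare domain needs its own entry next to the wildcard.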

Most bloggers, designers, developers and other individuals only need a domain validation certificate, as most of them don’t need wider protection. Besides, it is possible to get free certificates from several CAs, such as Let’s Encrypt, Symantec’s FreeSSL, Comodo (90 days only), StartCom, WoSign (2 years), CloudFlare and others.

Free SSL Certification

As mentioned above, there are already some free but reliable alternatives for getting an SSL certificate. I’m going to say a bit about Let’s Encrypt, which we will cover later in this article, showing how to install and set up the certificate. I will also mention Symantec’s FreeSSL and CloudFlare, due to their different offer and setup.

Let’s Encrypt

Let’s Encrypt is a free CA provided by the Internet Security Research Group (ISRG), a project sponsored by big IT players such as Cisco, Google, Facebook, Automattic, Sucuri, and others.

We can get a free Domain Validation SSL certificate for a domain. According to their announcement, wildcard certificates are expected to become available in January 2018.

No OV or EV SSL Certificates are issued by this CA, which means you will need to find other alternatives. Fortunately, we have some cool information for you about this, using Symantec’s Free SSL.

You can find additional information at the official website on how Let’s Encrypt works.

How It Works Authorization

Source: letsencrypt.org

Another point to mention about Let’s Encrypt is that all certificates have a lifetime of 90 days. Some consider this a disadvantage, although it should be noted that, in case your SSL key is compromised, the reduced validity period of the certificate will limit the impact of the damage. Besides, with an automation trick, there will be no worries or additional work 😉 We will cover this some steps ahead.

Symantec’s FreeSSL

Symantec announced in mid-2016 a trial program to get free SSL certification for 30 days. While this is not much help if you are looking for a long-term certification plan, Symantec extended its offer to a Free EV Certification for Non-profits and Startups, which is a singular and iconic offer named by Good Karma. The only remark is that this offer is only valid for organizations in the US and Canada! It would be great to see this offer extended worldwide.

CloudFlare

CloudFlare is not a CA, but it offers a free SSL certificate alternative with its service. CloudFlare is a service, or a group of services, including CDN, DDoS attack protection, load balancers and rate limiting, among many others. The good thing about using CloudFlare is that the implementation is really fast and easy. Besides, whether or not you already have an SSL certificate, CloudFlare is an additional and important piece of security for your website! If you want to learn about it, check our tutorial about How-to setup a secure connection on your blog with SSL and TLS using CloudFlare.

It is still important to mention that, in order to secure data transmission between your server and CloudFlare, you should have a certificate installed on your server, even if it is a self-issued certificate. It is therefore recommended that you follow the rest of the tutorial and only after that go for CloudFlare.

How to Install a free SSL Certificate with Let’s Encrypt

If you don’t have shell access, you will need to check whether your hosting provider is on the list of providers supporting this service and move on from there. For further information, check the Let’s Encrypt Getting Started article.

We are going to cover the installation of a Let’s Encrypt free SSL certificate, using Certbot, on LAMP and LEMP stacks.

Ubuntu | Apache

Before installing the Certbot client, we need to add its repository using the command below, then press ENTER to accept. After that first step, we need to update the package list with the new repo information.

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Now we can install Certbot with the following command.

sudo apt-get install python-certbot-apache

After this step, we have the Certbot client ready for use. We will now generate the certificate for Apache. You can choose whether to include only the base domain or add additional subdomains.

sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

Ubuntu | Nginx

For Nginx we will be following almost the same steps.

As for Apache, before installing the Certbot client, we need to add its repository using the command below, then press ENTER to accept. After that first step, we need to update the package list with the new repo information.

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Now we can install Certbot with the following command.

sudo apt-get install python-certbot-nginx

We need to configure Nginx so that Certbot can find the correct server block in our config. Let’s edit the default file at /etc/nginx/sites-available/

sudo nano /etc/nginx/sites-available/default

and add your domain name after server_name. Save and quit the nano editor.

server_name mydomain.com www.mydomain.com;

Now we must check whether the new configuration returns any errors by using the following command:

sudo nginx -t

If you get no errors, then let’s reload Nginx.

sudo systemctl reload nginx

Now it is time to get the SSL Certificate with Certbot by using the following command.

sudo certbot --nginx -d mydomain.com -d www.mydomain.com

You will be asked whether to allow both HTTP and HTTPS or only HTTPS access. Personally, I would go for the latter, but again, you should refer to the Google documentation that we covered earlier and choose the option that best fits your needs.

Automating renewal for both Apache and Nginx

As mentioned earlier, Let’s Encrypt SSL certificates have a lifetime of 90 days. To avoid your site getting the “Not Secure” warning, or even becoming inaccessible if HSTS is enabled, it is strongly recommended to automate the renewal process. We can do this by running a daily cron job that checks validity and renews using the command certbot renew. In this case, we will use the quiet flag to silence all output except errors. You can learn more about this method in the Certbot documentation.

So, we will need to open and edit the crontab file by using the following command:

sudo crontab -e

And add the following line to the file. The 30 5 * * * means the cron job will run every day at 5:30. This setting can be changed to another time you find more appropriate.

. . .
30 5 * * * /usr/bin/certbot renew --quiet
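
Because --quiet hides everything except errors, a renewal that has stopped working can go unnoticed until the certificate expires. The check below is an added example, not part of the original tutorial: it turns the notAfter date printed by openssl into days remaining and flags a certificate that certbot renew should already have replaced. The function names, the 20-day threshold and the sample dates used to exercise it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: notice a renewal job that is failing silently.
# certbot renew replaces certificates that have fewer than 30 days left, so a
# certificate seen with clearly less than that means the cron job is broken.

# cert_days_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the line printed by `openssl x509 -enddate -noout`, for example
# "notAfter=Nov 29 12:00:00 2017 GMT". Prints whole days until expiry, rounded
# down (negative once expired). The date math is done in awk so the result
# does not depend on which `date` implementation is installed.
cert_days_left() {
    not_after=${1#notAfter=}
    now=${2:-$(date +%s)}
    printf '%s\n' "$not_after" | awk -v now="$now" '
    {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
        m = 0
        for (i = 1; i <= n; i++) if (mon[i] == $1) m = i
        if (m == 0 || $4 !~ /^[0-9]+$/) exit 2     # not an openssl date
        d = $2 + 0; y = $4 + 0
        split($3, t, ":")
        if (m <= 2) { y--; m += 12 }               # treat Jan/Feb as months 13/14
        days = 365 * y + int(y / 4) - int(y / 100) + int(y / 400) \
             + int((153 * (m - 3) + 2) / 5) + d - 719469
        left = (days * 86400 + t[1] * 3600 + t[2] * 60 + t[3] - now) / 86400
        whole = int(left)
        if (whole > left) whole--                  # round negatives down too
        printf "%d\n", whole
    }'
}

# renewal_status NOT_AFTER [NOW_EPOCH] [MIN_DAYS]
# Prints ok, renewal-overdue, expired or unparseable; returns 0 only for ok.
# MIN_DAYS defaults to 20 (an assumed alert threshold below certbot's 30).
renewal_status() {
    left=$(cert_days_left "$1" "${2:-}") || { echo unparseable; return 2; }
    if [ "$left" -lt 0 ]; then echo expired; return 1; fi
    if [ "$left" -lt "${3:-20}" ]; then echo renewal-overdue; return 1; fi
    echo ok
}

# Typical use from a second cron entry (certificate path as laid out by certbot;
# mydomain.com is the article's placeholder):
#   renewal_status "$(openssl x509 -enddate -noout \
#       -in /etc/letsencrypt/live/mydomain.com/cert.pem)" || echo "check certbot"
```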

Redirect all HTTP traffic to HTTPS

As mentioned earlier, all redirects should be permanent (301) and done at server level. Below, you will see how to set the rewrite rules for both Apache and Nginx.

Apache

Edit the .htaccess and add the following code to it. Save and close.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Nginx

Edit the nginx.conf file (or other configuration files with the server block) by updating it with the below:

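server {
    # Plain-HTTP listener: its only job is to redirect to HTTPS
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mydomain.com www.mydomain.com;
    # 301 = permanent redirect, keeping host and path
    return 301 https://$host$request_uri;
}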

Then reload the nginx server:

sudo systemctl reload nginx

You can find additional info on rewrite rules at Nginx blog.
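
To confirm the rules behave as intended, look at the response headers of a plain-HTTP request. The script below is an added example, not part of the original tutorial: it reads headers in the form curl -sI prints and reports whether the answer is a permanent redirect to HTTPS, a temporary one, or no redirect at all, and it extracts the HSTS max-age from an HTTPS response. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: check what a plain-HTTP request is answered with.
# Both functions read response headers on stdin, in the form `curl -sI` prints.

# redirect_verdict: prints one of
#   permanent-https  301 (what the rules above send) or 308, Location is https://
#   temporary-https  302, 303 or 307 with an https:// Location
#   wrong-target     a redirect whose Location is not https://
#   no-redirect      any other status: the page is still served over HTTP
# Returns 0 only for permanent-https.
redirect_verdict() {
    tr -d '\r' | awk '
        NR == 1 { code = $2 }                  # e.g. "HTTP/1.1 301 Moved Permanently"
        tolower($1) == "location:" { target = $2 }
        END {
            if (code !~ /^30[12378]$/)               verdict = "no-redirect"
            else if (target !~ /^https:\/\//)        verdict = "wrong-target"
            else if (code == 301 || code == 308)     verdict = "permanent-https"
            else                                     verdict = "temporary-https"
            print verdict
            exit (verdict == "permanent-https" ? 0 : 1)
        }'
}

# hsts_max_age: prints the max-age (seconds) of the Strict-Transport-Security
# header in an HTTPS response, or 0 when the header is missing.
hsts_max_age() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "strict-transport-security" {
            n = split($2, part, /; */)
            for (i = 1; i <= n; i++)
                if (tolower(part[i]) ~ /^max-age=/) {
                    sub(/^[^=]*=/, "", part[i])
                    age = part[i]
                }
        }
        END { print age + 0 }'
}

# Constructed sample responses (not captured from a real server).
SAMPLE_301='HTTP/1.1 301 Moved Permanently
Location: https://mydomain.com/
'
SAMPLE_302='HTTP/1.1 302 Found
Location: https://mydomain.com/
'
printf '%s' "$SAMPLE_301" | redirect_verdict            # permanent-https
printf '%s' "$SAMPLE_302" | redirect_verdict || true    # temporary-https
# Live use: curl -sI http://mydomain.com/ | redirect_verdict
```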

Testing SSL security level

We should now test the security level of our web server and learn whether we need additional settings to increase it. We can use the Qualys SSL Labs SSL Server Test for that purpose. The aim is to achieve the highest rating possible, which is A+.

You can check SSL security level of tektuts.com for instance and you will get the following screen with A+ rating.

tektuts.com ssl security report

After checking your own domain, you will most probably get a B rating for your SSL. No worries! I’m going to base the following steps on an excellent article by Hynek Schlawack on hardening your web server’s SSL ciphers. You should keep an eye on that article, as Hynek keeps updating it with the latest improvements. It is still recommended to visit SSL and TLS Deployment Best Practices by SSL Labs for further information.

For Apache 2.4 open /etc/apache2/mods-available/ssl.conf and add the following code:

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

For Nginx, open the nginx.conf file (or the configuration file containing your server block) and add the following code:

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;

What Next?

If you still want to increase the level of security, you might want to consider improving the HTTP headers. If using WordPress, you can try the HTTP Headers plugin. You can also visit securityheaders.io for additional information.


About the Author:

Carlos Pinho
A father, a husband and a geek... Carlos was the founder of projects like The Tech Labs and Flash Enabled Blog. He is the founder of TekTuts. He is passionate about technologies. His main skills are in analytics, transport & logistics, and business administration. He also writes about programming resources, trends, strategy and web development.