We've started doing some SEO work on a long-time client's site, and one of the quick, easy wins was to shift it to SSL. It was an opportunity to try out Let's Encrypt to keep the price down in both cert cost (which is pretty low these days anyway) and developer time (always expensive!). Let's Encrypt is still in public beta at the moment, but the process for Apache on Ubuntu is well documented on their site and very easy to follow.

We had to add pyOpenSSL to the server to resolve the "InsecurePlatformWarning: A true SSLContext object is not available" error and after installing the client from git we were set.

Installing the certificate is very easy: just fire up the client from the command line as described and it will provide a retro GUI (think MySQL install) to guide you through the process. The only pain point in the initial setup was unchecking all of the sites we didn't want to install SSL on. By default every site on the server is detected and offered, even those that already have SSL certs on them.

Once you've selected your sites and gone through the client, it will install the certificate(s), set up the Apache config files and reload* the server. That's it, the site should be ready to go. In our case it was, and it got an A from the automated testing link provided.

When selecting, make sure:

  1. You select all variants of the domain name (if appropriate), e.g. both www. and plain
  2. Nothing is unchecked that should be checked
  3. Each site's config file is linked to its own cert. When we generated more than one domain cert at a time, it seems as though the client put them in the right location but linked all the config files to just one of the domains instead of each individual domain. Quick and simple to fix, but unexpected.
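
A check for the mislinked-cert issue in item 3, as an added example (not part of the original post or of the Let's Encrypt client): it parses Apache vhost blocks and flags any whose SSLCertificateFile sits in an /etc/letsencrypt/live/<name>/ directory where <name> is not one of that vhost's ServerName or ServerAlias values. The sample config, the domain names and the assumption that the cert directory is named after one of the site's own domains are constructed for illustration.

```python
import re

# Constructed sample: the second vhost points at the first site's certificate.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.org
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
</VirtualHost>
"""

# Assumption: certs live under .../letsencrypt/live/<domain>/ (client default).
LIVE_DIR = re.compile(r"/letsencrypt/live/([^/]+)/")

def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block: its names and cert path."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            current = {"names": [], "cert": None}
        elif line.lower().startswith("</virtualhost") and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split()
            directive, args = parts[0].lower(), parts[1:]
            if directive in ("servername", "serveralias"):
                current["names"] += [a.lower() for a in args]
            elif directive == "sslcertificatefile" and args:
                current["cert"] = args[0].strip('"')
    return vhosts

def mismatched_vhosts(conf_text):
    """List (first name, cert path) for vhosts using another site's cert dir."""
    bad = []
    for vh in parse_vhosts(conf_text):
        m = LIVE_DIR.search(vh["cert"] or "")
        if m and m.group(1).lower() not in vh["names"]:
            bad.append((vh["names"][0] if vh["names"] else "?", vh["cert"]))
    return bad

if __name__ == "__main__":
    print(mismatched_vhosts(SAMPLE_CONF))
```

To run it against a real server, pass in the text of each SSL vhost file instead of the sample.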

Potential issues:

  • Certs are only valid for 90 days and must then be renewed. There's a guide for this on the site and it looks very quick and easy to do.
  • If you have a specific module enabled on the non-HTTPS site through a global non-SSL config, it will not be enabled on the HTTPS site and will need to be added. This briefly caught us: we tested the site speed after the shift and found that pagespeed was no longer processing the site.

We will definitely be using Let's Encrypt again.

*This could actually be a restart; I haven't checked the docs or log files to see.