Get Rid of Ads!

Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Getting a valid TLS / SSL certificate without spending a penny is very simple. To do it, you just need to visit Startssl.com (for non-commercial use only). If you need a commercial-friendly certificate there is a very cheap solution at Namecheap to get a SHA256 cert for $9.

 

Before you do this, however, I’ll show you how to install everything you need, because merely obtaining a valid certificate does not make us safer. I also recommend you to use a non-SHA1 certificate cause Chrome is going to kill the support to it soon. In this tutorial, I will focus on one possible configuration for an Apache environment; and I’ll show you what to do with a WordPress website at the application level.

The first part of this tutorial will also be useful for non-WP-based applications. In addition to showing you how to install a certificate, I will explain how to migrate a website with an eye on SEOavoiding unpleasant incidents of internal duplication and errors that could make the site unusable.

Installing mod_ssl, openSSL, and mod_spdy

The requirements for mod_sslopenSSL and mod_spdy are Apache >= 2.2.4 and a series of GCC libraries greater than 6+ (only for spdy).

On an Ubuntu/Debian environment, it’s not so difficult to install what you need, because usually themod_ssl is pre-installed with the LAMP stack, so you will only need to enable it.

To enable the module, use the following command:

a2enmod ssl

Then you can enable the default virtual host to check that everything works fine.

a2ensite default-ssl

Afterwards, simply restart Apache.

/etc/init.d/apache2 restart

After completing the above three steps, to check if everything works, visit your IP address with a browser like https://yourip.

Now you should check your OS version with uname -m to find if it works on 32-bit or 64-bit because we need it to choose the right version of the spdy installer.

To obtain mod_spdy, you can use this page or a wget command line from shell requesting the package URL.

wget https://dl-ssl.google.com/dl/linux/direct/mod-spdy-beta_current_x86_64.rpm

And then

dpkg -i mod-spdy-*.deb apt-get -f install

After the installation you will find the repos file at the following path

/etc/apt/sources.list.d/mod-spdy.list

and the configuration file

/etc/apache2/mods-available/spdy.conf

Restart Apache

/etc/init.d/apache2 restart

Now open a Chrome Browser and visit chrome://net-internals/#spdy to check if spdy is working on your website.

Getting a free, and valid SSL/TLS certificate

Go to the Startssl.com and signup. The site isn’t exactly user-friendly, but it offers free, valid certificates that can be considered reliable for the vast majority of sites. If you want to get deeper into the subject of TLS, I strongly suggest you read Tim Nash’s post.

After registering, you will receive the following email:

This mail is intended for the person who requested to enroll at StartSSL (http://www.startssl.com).
Your authentication code is XXXXXXXXXXXXXX 
Copy and paste this code now into the form at youropen browser window.  
Thank you! 
StartCom Ltd. StartSSL Certification Authority

Use the code that is blocked out here to verify your account and to receive a confirmation email with information on how to proceed.

To Andrea Pernici,  
Your request for an account at StartSSL™ (http://www.startssl.com) has been approved and is available during the next 24 hours at the following location:  https://www.startssl.com/?app=12&action=release&i....
The verification code in order to continue the process is XXXXXXXXXXXXXX  
Thank you!  StartCom Ltd. StartSSL™ Certification Authority

After these steps, you will be directed to a page where you will be asked to enter your code to start creating your first certificate.

ssl

After clicking the Continue button, you will receive the following email, which instructs you to save your StartSSL certificate for future access to the control panel:

Hi Andrea Pernici,  
Congratulations on your new StartSSL™ account! 
Things you should know before proceeding: During enrollment, a client certificate was installed into your browser for the purpose of authentication. 
This certificate allows you to securely access your account in the future.
Be sure to *backup* this certificate including the private key to an external media!
Failing to do so may result in the loss of your account. 
Also, see https://www.startssl.com/?app=25#4 for more information about how to backup your client certificates.  
Even though StartSSL™ generally provides certificates free of charge, revocations thereof may carry a handling fee. 
Take great care of your private keys; and remember to save
and backup all files at all times!  
Please take a moment of your time to visit the Tool Box section of your control panel, which provides you with many useful tools and utilities that may be of help when validating, creating, and installing your certificates.  
Thank you for choosing StartSSL™!

After this, save your key. (Here the instructions)

Sorry, the image is in italian, but the certificate tab in Chrome looks the same.
esporta certificato

Finally, go to the control panel and start Express Lane to generate the SSL/TLS certificate associated with your domain.

expert lane

You must insert the domain name without “www” and then select one of the proposed emails to confirm the request. During this phase, you will see the following page:

expert lane mail

If you are installing a certificate, you will have access to a SHELL; so, you can open the mail directly with a command line and retrieve the activation code.

mail startssl

After confirming the code, you will see the following message. But it’s a little misleading — the message tells us that the requested task should be concluded in 30 days, not that the certificate itself will be valid for 30 days. The certificate is actually valid for one year.

expert lane ok

If for any reason you can’t close the task immediately, you can restart it at any moment by selecting the Web Server SSL/TLS Certificate.

recupera ssl tls server web

Using the Wizard, we can generate everything we need without going into multiple tools.

key ssl

After you have chosen a password, a code will be generated. You only need to cut and paste it into a text file on your server and then execute the following command:

openssl rsa -in ssl.key -out ssl.key

Then insert the previously chosen password at the prompt and you’re all done.

After this step, we can add the subdomain to target and usually it is the WWW one.

aggiunta sottodominio tls ssl

aggiunta tls

After a few minutes, a confirmation email will be sent to inform you that everything is fine.
approvazione ssl

Here you can see what the email informing you to retrieve the certificate from the control panel looks like.

certificato accettato

Now you can use the “Retrieve Certificate” menu on the control panel.

recupera certificato

After the certificate is retrieved, you should add some lines of code to the virtual host file to make your webiste reachable using “https://.”

<VirtualHost pallamanoitalia.it:443>
DocumentRoot /home/path/public_html
ErrorLog /home/path/logs/pallamanoitalia.it_error_log
TransferLog /home/path/logs/pallamanoitalia.it_transfer_log
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM 
SSLCertificateFile /home/path/ssl.crt 
SSLCertificateKeyFile /home/path/ssl.key
SSLCertificateChainFile /home/path/sub.class1.server.ca.pem
CustomLog /home/path/logs/ssl_request_log<br> \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Save the configuration and test it with an apache2ctl configtest to check that every directive is working.

If everything is OK, you can proceed with an apache2ctl graceful.

To check it live, visit https://www.pallamanoitalia.it (for this case study). If your configuration of the SSL/TLS certificate key and chain is error-free, then you won’t see any unreliable certificate errors in your browser, as you can see from the image below. The yellow icon is not a big issue, but only a warning that mixed content is being served from an “http://” connection.

tls certificate ok

To test any issues, you can use the tool at ssllabs.com/ssltest/ (in our casehttps://www.ssllabs.com/ssltest/analyze.html?d=pallamanoitalia.it).

After inserting your website, the tool will start to elaborate;

ssl report

and, when it is finished, you will see your website’s overall rating, as well as detailed information about its TLS configuration. In the following example, after completing the first step, our configuration doesn’t look so good.

ssl report bad

Let’s see what we can do to improve its security.

We can add the following lines (converting the directive we wrote before) to our virtual host file to prevent our system from loading the unsupported SSL versions we have on our server.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

The warning that the tool gives us is, in fact, related to the OpenSSL configuration that is based on the software we run on our Debian installation.

In any case, you can find more details here.

NB: The above configuration is not necessarily valid in every case, but is valid for this case; so, I recommend that you act based on your own server configuration.

After refreshing the test after the edit, we can see that the overall rating is lots better than before; however, we can improve it further by reading all the information provided by the tool.

ssl report good

In our case, we can add the following lines to the virtual host file and

<Directory /home/path/public_html>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</Directory>

obtain an even better result: If you want to get deeper into Strict Transport Security (HSTS), read this post by Eric Law.

You can also use a new option, introduced by Ilya Grigorik, to include your website in the Chrome Preload list for HSTS websites, simply adding the preload header as follows

<Directory /home/path/public_html>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</Directory>

and then submitting your URL at https://hstspreload.appspot.com/.

ssl report good plus

At this point, we have a working TLS configuration with mod_spdy running, which performs better than a classic TLS/Apache configuration. Now we are ready to make changes to our own application so that it serves only on HTTPS.

Redirect 301 and canonicalization

To prevent internal duplication issues, you need to configure your application to run only on HTTPS, instead of HTTP. You may also need to include all the resources (internal and external) from a relative “//” path in order to allow those resources to be served from the best path.

This can help to prevent blocking errors on the browser, which can make your website completely unusable (as with JavaScript files).

errori

In our case, we are pretty lucky, because our website is running on WordPress, and we don’t need to do a lot to make it completely usable on HTTPS.

Go to “Settings > General” and add a nice ‘s’ in the address input box

general settings wordpress

If everything is fine, then you will be logged out from the admin panel. Log in again and if we useYoast plugin, as I recommend on my italian SEO guide, go in “SEO > Permalinks > Canonical configuration” and select “Force transport on HTTPS”.

You should see some issues; so, you should make sure that all the resources are served on HTTPS instead of HTTP. To do so, add two lines of code on your virtual host TLS configuration to let all the HTTP resources being redirected with a 301 to the respective HTTPS one.

Example:
if you write in the browser http://www.pallamanoitalia.it/immagine1.jpg you will be redirected to https://www.pallamanoitalia.it/immagine1.jpg. This is important for search engine and for user to prevent the HTTP resource being blocked by the browser when accessing the page in HTTPS.
RewriteCond %{HTTPS} off
RewriteRule (.*)$ https://www.pallamanoitalia.it$1 [L,R=301]

Then, to force the WordPress admin panel using TLS, add the following directive to the wp-config.php file:

define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);

Fixing a WordPress theme path

Our website definitely includes some hardcoded paths in “http://”; so, we need to find all occurences of these paths and convert them to ‘//.’ To find them easily with a SHELL command, we will use the following grep

cd /home/percorse/public_html/wp-content/themes/mytheme/
grep -R 'http://' *

to list all occurences of the searched string:

at this stage, we can easily edit all the files that are hardcoding the website path to prevent any kind of usability issue.

Now that we have removed all the mixed content serving, the browser lock become green as you can see below:

green tls lock

Configure Mod_pagespeed per TLS

This is not a mandatory thing, but on my server runs mod_pagespeed so I show you the configuration inside the virtualhost file dedicated to the HTTP.

ModPagespeedRewriteLevel PassThrough
ModPagespeedEnableFilters prioritize_critical_css
ModPagespeedEnableFilters insert_dns_prefetch
ModPagespeedEnableFilters add_head
ModPagespeedEnableFilters combine_javascript
ModPagespeedEnableFilters combine_css
ModPagespeedEnableFilters outline_css
ModPagespeedEnableFilters move_css_above_scripts
ModPagespeedEnableFilters move_css_to_head
ModPagespeedEnableFilters convert_meta_tags
ModPagespeedEnableFilters extend_cache
ModPagespeedEnableFilters inline_import_to_link
ModPagespeedEnableFilters rewrite_css
ModPagespeedEnableFilters rewrite_images
ModPagespeedEnableFilters rewrite_javascript
ModPagespeedEnableFilters rewrite_style_attributes_with_url
ModPagespeedEnableFilters collapse_whitespace
ModPagespeedEnableFilters elide_attributes
ModPagespeedEnableFilters convert_jpeg_to_progressive
ModPagespeedEnableFilters convert_png_to_jpeg
ModPagespeedEnableFilters convert_jpeg_to_webp
ModPagespeedEnableFilters insert_image_dimensions
ModPagespeedEnableFilters inline_images
ModPagespeedEnableFilters recompress_images
ModPagespeedEnableFilters resize_images
ModPagespeedEnableFilters inline_preview_images
ModPagespeedEnableFilters resize_mobile_images
ModPagespeedEnableFilters remove_comments
ModPagespeedEnableFilters lazyload_images
ModPagespeedEnableFilters defer_javascript
ModPagespeedEnableFilters sprite_images
ModPagespeedDomain www.pallamanoitalia.it
ModPagespeedDomain pallamanoitalia.it

After the HTTPS migration we need to adjust the above configuration to be served on HTTPS and working well with mod_spdy. Moreover we can also use mod_pagespeed to force the stripping of the absolute path.

To clarify:
the last part means that with the “ModPagespeedEnableFilters trim_urls” directive we can make mod_pagespeed automatically remove the http://domainname.com making all the resources accessible from the right path.
ModPagespeedFetchHttps enable
ModPagespeedSslCertDirectory /home/path
ModPagespeedSslCertFile sub.class1.server.ca.pem
ModPagespeedMapOriginDomain "http://www.pallamanoitalia.it" "https://www.pallamanoitalia.it"
ModPagespeedFetchFromModSpdy on
ModPagespeedEnableFilters trim_urls

If you want to get deeper into mod_pagespeed, you can find the official documentation here.

Let’s try to test how fast our TLS website is (even if we didn’t optimize it a lot) with WebPageTestand identify any bottlenecks or slowness of our configuration.

webpagetest

As you can see, it looks pretty good, as it started rendering in less than one second. So is this TLS?It seems to be.

Activating Google Webmaster Tools for the TLS version

As you already know, the HTTP and HTTPS versions are considered two different websites, so assuming that you already added the http website to Webmaster Tools, you should also add the HTTPS version inside Webmaster Tools to monitor all the issues and stats after the migration.

webmaster tools ssl

After a few days, you should start to see all your data on the HTTPS version, if everything is fine.

One of the most important things you can do to make sure that Google can see, read, and render your website without any block is to use the Fetch as Googlebot tool inside the Webmaster Tools.

googlebot rendering

If you see any errors on my free certificate, let me know. Anyone can make a mistake.

The day after our update – 13-08-2014

By performing a search for the brand name, we can see the migration in action, without any issues on Google News.

pallamanoitalia

After a few more days

Visiting webmaster tools we can see some encouraging data:

The migration is starting to use the query panel.

search queries https

The crawling stats panel shows a peak.

crawl stats https

And the sitemap is showing some newly indexed pages.

sitemap https

We are on the right path and we aren’t wasting any money.

Will my SSL/TLS slow down? Not at all, if you know what to do.

speed tls

As you can see from these images, a few days after the migration, there is no discernable slowdown or performance degradation for the HTTPS version.

And I’m still tweaking the site a bit, so there is a lot more room for improvement. So if someone tells you that moving HTTPS is not compatible with the speed as a ranking signal, tell them to think twice.

Make it more complex by using SNI to add another SSL site on the same server.

I don’t like to make only the most obvious choices; so, I tested an SNI approach against a single TLS one, creating a new certificate for another domain on the same server to show that you can have more than one website running on the same host with different TLS certificates.

We’re going to do exactly the same as we did for the previous website, making some small changes at the Apache level.

All you need to know is here on the Apache Wiki. Below you can see how I configured the second virtual host to make it work on the same server using NameBasedSSL Virtualhost.

The first step is to add a line of code to the global configuration file (but which one will depend on your preferences). You must open the file with

vim /etc/apache2/apache2.conf

and add

NameVirtualHost YOURIP:443

After this step, you can edit your second virtual host configuration, adding all the directives needed and the path to the new generated certificates as follows:

<VirtualHost YOURIP:443>
ServerName salserocafe.com
ServerAlias www.salserocafe.com
DocumentRoot /home/salseroPATH/public_html
ErrorLog /home/salseroPATH/logs/salserocafe.com_error_log
TransferLog /home/salseroPATH/logs/salserocafe.com_transfer_log
DirectoryIndex index.html index.htm index.php index.php4 index.php5

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

SSLCertificateFile /home/salseroPATH/ssl.crt
SSLCertificateKeyFile /home/salseroPATH/ssl.key
SSLCertificateChainFile /home/salseroPATH/sub.class1.server.ca.pem
CustomLog /home/salseroPATH/logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

<Directory /home/salseroPATH/public_html>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</Directory>
</VirtualHost>
Attention: change “YOURIP” to your real IP Address!

Now the Salsero TLS virtual host is OK; and you need to modify the Pallamanoitalia’s one too changing the virtualhost listening and adding the ServerName as follow

<VirtualHost YOURIP:443>
ServerName pallamanoitalia.it
ServerAlias www.pallamanoitalia.it
</VirtualHost>

Afterwards, you can try an apache2ctl configtest to check that your configuration is error-free. Then, restart Apache.

Now when you visit Salserocafe and Pallamanoitalia, you should see both websites working on HTTPS without any warnings or certificate errors. Look here and here to check them yourself.

You will see a new warning on the tools that reads:

This site works only in browsers with SNI support.

That means on all the modern browsers. Try to guess which browser does not support SNI? I know you know the answer.

One last thing:

Remember to set a default TLS virtual host, for example, on YOURIP address ServerName to prevent a massive duplication of the default TLS website, which will be accessible for any non-configured HTTPS version of all the other virtual hosts on your server.

vim /etc/apache2/sites-enabled/default-ssl
<IfModule mod_ssl.c>
<VirtualHost YOURIP:443>
        ServerName YOURIP
        ...
</VirtualHost>
</IfModule>

Remember to repeat all the steps explained for Pallamanoitalia and monitor the evolution of the migration looping for every website you want to migrate.

Crawl Efficiency

Let’s see what happened in terms of crawl efficiency after a few days.

speed crawl

Don’t believe everything you read about HTTPS and site performance. I was able to find concrete answers in data and tests that took a minimum of time. Sometimes, all it takes is the desire to explore the technology to its full potential.

Conclusion

Although this is not a comprehensive or absolute guide, but only a case study of a job done in less than two hours, I hope that it will be useful to everyone after Google’s controversial announcementabout TLS as a ranking factor. My findings refute the common belief that migrating to TLS is difficult and expensive, AND that it can lead to a performance degradation.

The same kind of debate happened around the Responsive Design movement, and it will continue to happen when people insist on blaming issues on technological shortcomings, when the reality is they haven’t learned to fully use the technology to its potential.

We need to grow up and stop complaining.

Nothing is impossible. All it took was some simple trial and error. Updating security settings to your website should not be considered impossible without making sacrifices to your site’s performance. That said, I would recommend that you strongly consider the needs of your site’s audience when deciding whether or not it’s worth your time to upgrade from HTTP to HTTPS.

In this case, I’ve shown you how to go HTTPS using a free certificate on a WordPress installation. I have also tested Comodo certificate bought on NameCheap for nine dollars a year on a server with a lot of constraints. The cheaper software was still better than having nothing at all.

If you want to migrate to HTTPS, there are alternatives to the more expensive and difficult solutions out there. You just need to be creative and display a full understanding of how the update works, and you need to experiment with those free or low-cost solutions that have a proven history of performance in order to have the best chance of success. (Thanks to Giacomo Pelagatti for the inspiration.)

Please give me feedback if you want me to cover some other aspect of this subject and remember: Don’t believe anything you read, especially if it tells you that something is bad or impossible.


Andrea Pernici is Search Marketing Manager at GT Idea. His duties there include supervising internal development, speaking at conferences, managing their community magazine and forums,and consulting for big brands. His last contribution to the SEMrush blog was entitled: “The Great Debate: Website Speed and SEO Value.

 

original article :  http://www.semrush.com/blog/how-to/seo-friendly-migrate-website-http-https-free/