Finally, everyone is able to enable HTTPS for their website'(s) without having to pay huge sums of money for SSL certificates. Thanks to Let's Encrypt the process is now very easy.
SSL certificates used to cost money, some you could get for just 10$ per year, while others would cost hundreds of dollars. This has luckily started to change.
After installing letsencrypt for your webserver, you may be able to enable HTTPS for individual VHOSTs using by typing sudo letsencrypt in a terminal and following the instructions in the program.
Note. It may be important to keep each Virtual Host in its own .conf file in the sites-available directory, since having multiple hosts in the same file might cause problems.
Enabling HTTPS in Ubuntu
If you have SSH access to your server, all you have to do is to login, and run a couple commands in terminal. If you are running Apache on in Ubuntu, then you can use the following commands:
sudo apt-get install python-letsencrypt-apache letsencrypt --apache
The letsencrypt --apache command will take you through the process, and automatically configure apache with your certificate. It will ask you for an e-mail address for notifications when your certificate is about to expire.
Certificates expire in just 90 days, but since the process of renewal is automatic, this will not matter. You can setup a cron or systemd job to automate renewal. Otherwise simply type sudo letsencrypt when it is time to renew your certificates.
Reasons why you should move to HTTPS
The most obvious reason is the extra security, you can read more in Google's guide, Secure your site with HTTPS. A few reasons listed in the guide:
- Encryption—encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can "listen" to their conversations, track their activities across multiple pages, or steal their information.
- Data integrity—data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
- Authentication—proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
In addition to the increased security, Google will also provide a small ranking boost to URLs served over HTTPS.
After July 2018, non-https sites will be labeled as Not Secure in their Google Chrome browser, scheduled for Chrome 68.