Adding a free Let's Encrypt certificate

 

Overview

This article explains how to add a free Let's Encrypt SSL certificate to your domain.

Every domain must have its own separate certificate. This means that if you want an SSL cert for example.com and blog.example.com, you must add them separately.

Before adding the certificate

Only a professionally-signed or 'Let's Encrypt' certificate will work with Cloudflare’s Full SSL (Strict) setup.

Before you begin to add the certificate, make sure the following is configured:

  1. Your domain is Fully Hosted or configured to redirect
  2. The DNS of your domain is already pointing to DreamHost. This means that either your:
    • Nameservers should be pointed to DreamHost
    • or if your Nameservers are pointing to another company, your A records (www and non-www records) and AAAA (IPv6) records should be pointed to your domain's IP addresses.
  3. Your .htaccess file is disabled.

Why does my DNS need to be pointed to DreamHost?

This is because 'Let's Encrypt' adds a .well_known/ directory to your site to authenticate the certificate. If your site's DNS is not resolving to a Fully Hosted domain at DreamHost, the certificate cannot create this folder to authenticate and your panel will show the option unavailable.

CAA records

CAA records can be created by a website owner to specify which Certificate Authorities (CAs) are permitted to issue SSL certificates for a domain.

View the following article if you'd like to add CAA records to your domain before purchasing an SSL certificate.

View the following sections to check your DNS values.

Option 1 — Point your nameservers

View the following link to check where your nameservers are pointed:

If they are already pointed to DreamHost, you do not need to change anything.

If they are NOT pointed to DreamHost, you'll need to either point them at your current host or change your domain's A records as described below.

Option 2 — Point your domain's A records

If your nameservers are not pointed to DreamHost and you do not wish to change them, the other option is to update your domain's A and AAAA records. These must be updated at the company where your nameservers are pointed. View the following article for instructions on how to find the correct IP address to point them to:

Pointing A records

You must update both the A records for the www and the non-www records for your website. For example:

  • example.com
  • www.example.com

If you're pointing to a subdomain such as blog.example.com, you'll still need to create the www record. For example:

  • blog.example.com
  • www.blog.example.com

Pointing an AAAA record 

An AAAA record is an IPv6 record. These are not added by default at DreamHost, but you can add them manually as explained in the following article:

Once added, you'll see the new address in your panel. You can then point to this record from the company where your nameservers are pointed. 

Disable your .htaccess file

Additionally, certain .htaccess rules such as IP blocking, rewrite rules, and password protection may cause the installation to fail. To play it safe, rename your .htaccess file (to something like .htaccess_OFF) in order to turn it off temporarily. Then, install the certificate. Once installed, you can rename the file back to .htaccess.

If disabling your .htaccess breaks your site, then add the following rule which should allow the installation to process:

RewriteRule ^.well-known/(.*)$ - [L]

Adding the certificate

  1. Navigate to the Secure Certificates page. A list of your domains display.
  2. Click the Add button to the right of the domain you wish to add the SSL certificate.
  3. On the next page, click the Select this Certificate button.
    A Success message displays confirming the purchased certificate.

Testing if the SSL certificate is working

The certificate is now installed on your domain. Visit the secure URL of your website at:

      • https://example.com

You can see the browser bar shows a lock icon confirming the connection is secure.

If you just installed the certificate, you may need to wait a few hours for it to update online.

Forcing your site to load HTTPS by default

Even after you have added the SSL certificate to your site, visitors will not be able to use it unless they manually type in https before your domain name. This defeats the purpose of adding it in the first place since the certificate is meant to protect all of your website traffic.

There are several ways to fix this. View the following article for instructions on how to create a configuration file to redirect all visitor traffic to the secure version of your URL (HTTPS):

Redirecting to the HTTPS version of your URL only works for the same domain. This means that you can only redirect from http://example.com to https://example.com.

It is NOT possible to redirect to a different domain. For example: http://example1.com to https://example2.com would not function with a 'Let's Encrypt' certificate.

Troubleshooting

After installing your certificate, you may find that your browser is still showing an insecure warning when visiting the HTTPS version of your URL. There are a few reasons this could occur. Please view the following article for instructions on how to resolve this issue.

See also

Did this article answer your questions?

Article last updated PST.

Still not finding what you're looking for?