I am very familiar with SSL certification. I have used several FREE SSL providers out there (e.g. StartSSL, SSLForFree, LetsEncrypt). In these forums there are already many existing questions from people struggling to set up or install their ‘free’ SSL certificates, the conclusion of which I will summarise below.
Put simply, most SSL certification authorities will want to verify that your domain is owned by you. They can use a number of methods, such as:
Checking custom records that you have added to your DNS
Securely connecting to your server via SSL
Checking files that you have uploaded to your public ‘acme-challenge’ folder
Method 1, used by ‘StartSSL’, used to work well, but recently is not considered secure enough by likes of Google. Certificates provided by StartSSL (which I have seen recommended by Administrators in these forums) WILL NOT WORK IN MANY BROWSERS. Indeed, StartSSL post this disclaimer on their site.
Method 2, used by ‘SSLforFree’ requires the ability to set TXT records, which is not supported by inifinityfree.
Method 3 is simply not an option with inifinityfree.
Method 4, used by ‘LetsEncrypt’ requires unrestricted access to a given file on your server. However, infinityfree blocks access to ‘bots’. E.g. try running “curl -i www.yourdomain.com”, and you will see a 403-forbidden result - even though the site is perfectly accessible in your browser.
I’m sure many people have got this working, so can someone please suggest either a workaround to the issues above, or suggest a FREE SSL certificate provider that is accepted by all major browsers does not need to authenticate in the above ways.
A great post! You’re right for the most part. StartSSL is the only free SSL provider I know which can be used with InfinityFree, but their certificates were blacklisted. Let’s Encrypt supports both web and TXT record validation, sslforfree.com is simply one of many implementations of the Let’s Encrypt system.
I have not seen any providers who use method 3, considering that it would be impossible to get an SSL certificate if you would need to have a valid SSL certificate to get the certificate in the first place.
One possible workaround is to use Cloudflare, who provide free SSL as well. However, that’s only possible if you have your own domain name and you can change the nameservers, using Cloudflare with free subdomains is not possible.
@Jnteamed said:
I tried that before but One of those needs the piblic key and i only have the private key.
The public key is provided by the SSL certificate provider. You generate the private key and CSR yourself, the certificate provider uses the CSR to create the public key. You can then use the private key and public key to do SSL.
@MrHasBean said:
Comodo’s Free certs work. Obviously, you have to manually update them every 90 days.
I’ve looked at Comodo’s free certificates as well. However, those certificates seem to be trials which cannot be renewed after the 90 day period. Were you able to renew the certificates after the initial period?
Also, these certificates only work on custom domains, not subdomains.