Video Request: Setting up SSL

Hi Craig,
How about a video on setting up SSL/TLS on a new Magento store? I had a quick look and there don’t seem to be any articles/videos on your site about it already, but I’m open to correction!!

It’s not all that difficult but it strikes me as something everyone setting up Magento will need to do/should do at least once. It’s almost a no-brainer these days with Let’s Encrypt offering free certs.

Personally, I’ve used this tutorial before. There’s a ton of WordPress guides but not all that many specific to Magento (basically just setting up the secure base URL options in addition to base Let’s Encrypt or Certbot setup steps).

Also, having done it a few times now on different servers and with different tutorials/guides, I’ve noticed a significant number of them leave out setting up a monthly cron job to renew the cert. Or they just tell you how to manually renew which is just a silly way to do it. :face_with_raised_eyebrow:

Looking forward to seeing the results of your new camera setup :grinning:

1 Like

Hey @damianduffy.

You’re right. I’ve tried to avoid SSL/TLS so far as I think it’s going to open up a can of worms. Consider:

  • Where you purchase a certificate (it’s different with every supplier and I only ever buy mine from RapidSSL because I’m used to it)
  • How to install a certificate on your server (this is kind of easy, but will vary on the type of certificate you purchase)
  • I only get to show me purchasing a certificate once (will cost a fortune to keep demonstrating this)

I’ve only ever used Let’s Encrypt twice. I think it was for a WordPress site that ended up being migrated to SiteGround who ended up setting it up. And I’ve also used it on this forum, but that was installed as part of a complex script via Docker that is completely automated by this app. The other 20+ times have been with RapidSSL. I’m no wiser today what the catch is for a free certificate. If you know of a side-by-side table, please let me know. I don’t imagine it would be something I use on an Enterprise level project, which is what I primarily work with.

This is one of the reasons why you only ever hear me talk about DigitalOcean, Nexcess, Ubuntu and Apache. As these are big variables that I can kind of control. And that way the entire community are working from the same sheet (so to speak). So when someone runs into an issue, there’s a strong chance that someone else can relate to the issue and help out.

Also, topics like these kind of overreach my target content/audience. Having said that… Let me do some research and consider what you’ve suggested. After all, it is a real-world problem that would need addressing. For this to work, I’d have to lay down some strict variables including making it only applicable to anyone who’s followed one of my Magento install videos and has the same setup. In my head, the only people that deviate from that tutorial sort-of know what they’re doing anyway and are able to adapt.

My camera arrives tomorrow - Hopefully, you’ll see a difference after what it cost… :slight_smile:

I’m no wiser today what the catch is for a free certificate

Ordinarily I’d 100% agree - if you’re not paying for the product, you are the product. Especially with something like a trusted cert it can seem a bit suspect. But it’s well worth looking into. The project started following the Snowden revelations, when it became clear how important encryption is (not just for e-commerce). They seem to be genuine in their goal of making secure web connections ubiquitous. Also, rightly or wrongly, I trust some of the founding members (EFF, Mozilla).

1 Like

So, in the 5 minutes that I’ve spent looking into this a bit further…

There are several types of SSL Certificates:

  • Domain Validated (DV): are the most common type of SSL certificate. They are verified using only the domain name. Typically, the CA exchanges confirmation email with an address listed in the domain’s WHOIS record. Alternatively, the CA provides a verification file which the owner places on the website to be protected. Either method confirms that the domain is controlled by the party requesting the certificate.
  • Organisation Validated (OV): require more validation than DV certificates, but provide more trust. For this type, the CA will verify the actual business that is attempting to get the certificate (the information required for OV certificates). The organization’s name is also listed in the certificate, giving added trust that both the website and the company are reputable. OVs are usually used by corporations, governments and other entities that want to provide an extra layer of confidence to their visitors.
  • Extended Validation (EV): certificates provide the maximum amount of trust to visitors, and also require the most effort by the CA to validate. Per guidelines set by the CA/Browser Forum, extra documentation must be provided to issue an EV certificate (as described in EV SSL Requirements). As in the OV, the EV lists the company name in the certificate itself. However, a fully validated EV certificate will also show the name of the company or organization in the address bar itself, and the address bar is displayed in green. This is an immediate, visual way that viewers can know that extra steps were taken to confirm the site they’re visiting – which is why most large companies and organizations choose EV certificates.

From what I’ve read, Let’s Encrypt only covers Domain Validated Certificates. So, if you’re only after a certificate of this type then it actually makes sense to use Let’s Encrypt. To back this up, I found a page on the Comodo website that offered a comparison of the 2 services - And the only thing you get with Comodo is 24/7 support, site seal and a $10,000 (starting at) warranty.

Obviously, there is more research to be done here - But I already see a strong argument for using Let’s Encrypt if you’re only after a Domain Validated Certificate and do not require:

  • 24/7 Technical Support
  • Site Seal
  • Warranty (in case of data breach)

This makes a lot of sense for a non-transactional website. But for me personally, I would rather pay a few quid every year for warranty protection when you consider the types of data submitted on an eCommerce site.
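
The DV/OV/EV distinction above, and the renewal concern raised at the top of the thread, can both be checked from the certificate a server actually presents. The following is an added example, not part of the original posts: it reads a dict in the format returned by Python's `ssl.SSLSocket.getpeercert()`, guesses the validation level from the subject attributes, and flags certificates that are close to expiry. The function names, the 30-day renewal threshold and the sample certificates are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Subject attributes that the CA/Browser Forum EV Guidelines require in EV certificates.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten the nested 'subject' tuple of a getpeercert() dict into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Heuristic guess from subject attributes; the policy OIDs remain authoritative."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # DV certificates carry no verified organisation identity
    return "EV" if EV_FIELDS <= fields.keys() else "OV"

def days_left(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)

def audit(cert, now, renew_within_days=30):
    """Summarise validation level and whether renewal is due (threshold is an assumption)."""
    remaining = days_left(cert, now)
    return {"level": validation_level(cert),
            "days_left": remaining,
            "renew": remaining <= renew_within_days}

# Constructed sample certificates (not real data), shaped like getpeercert() output.
DV_CERT = {"subject": ((("commonName", "shop.example.com"),),),
           "notAfter": "Jun 30 12:00:00 2024 GMT"}
OV_CERT = {"subject": ((("countryName", "GB"),),
                       (("organizationName", "Example Ltd"),),
                       (("commonName", "shop.example.com"),)),
           "notAfter": "Mar 15 00:00:00 2025 GMT"}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "GB"),),
                       (("serialNumber", "00000000"),),
                       (("organizationName", "Example Ltd"),),
                       (("commonName", "shop.example.com"),)),
           "notAfter": "Mar 15 00:00:00 2025 GMT"}

if __name__ == "__main__":
    now = datetime(2024, 6, 10, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    for label, cert in (("dv", DV_CERT), ("ov", OV_CERT), ("ev", EV_CERT)):
        print(label, audit(cert, now))
```

Run against a live site by passing the result of `getpeercert()` from a verified TLS connection and `datetime.now(timezone.utc)`; a `renew` flag that stays true for days suggests the automated renewal job is missing or failing.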


@damianduffy, just to let you know I went ahead and recorded a “How to setup Let’s Encrypt Free SSL Certificate with Magento 2” video tutorial. I expect it to be edited and done ready for this time next week. It took a while to get round to, but I got there eventually :slight_smile:


@digitalstartup Looking forward to it!!