SSL Setup: Do This, Not That

John Vandivier

I recently added SSL to this website. I've also set up SSL on commercial sites several times. This article gives my recommendations on small/hobby project SSL, like this website, and on commercial stuff.

TL;DR: commercially, your cloud vendor should be able to provision an SSL cert quickly, easily, and relatively cheaply. Use an AWS ALB, for example.

For a small project you can get forever free SSL using CloudFlare. I fought the idea of using them, but after some trial and error I now support it. Two worse ideas are described below, and ultimately I compare and contrast the pros and cons of each in a table.

Here's how to implement free forever CloudFlare SSL. For $5 USD per month you can additionally upgrade WordPress speed substantially. Note: I had to use the "Full (Strict)" SSL mode to implement CloudFlare, and I had to wait a few hours for GoDaddy to update the DNS.

What else did I try?

  1. SSL purchase through GoDaddy.
    1. GoDaddy is my host so I thought it would be nice to purchase SSL through them.
    2. The pitfall is their SSL identity verification process. First, they asked me for a government ID and a utility bill of some sort. While this is comparatively onerous already, I did it. This was also inconvenient because most of my home bills are in my wife's name.
    3. After I did provide GoDaddy with an energy bill, they called me on my phone and asked for a phone bill because they needed to confirm my phone. This was concerning for multiple reasons:
      1. They called me on my phone. Clearly, they verified my phone.
      2. The phone is already associated with my GoDaddy account.
      3. My phone bill is in my wife's name and that wasn't good enough for them.
    4. This approach is also far from free.
  2. WordPress plugin experiments like SSL Zen.
    1. This actually worked! There's also a free version.
    2. However, you have to either frequently rotate the Let's Encrypt certs, which is a bunch of work, or pay for a paid version. It's not much, but it's not free.
    3. Maintaining, installing and uninstalling is a pain.
    4. None of the added security, caching, and speed options from the CloudFlare approach.
    5. Substantially less responsive customer service compared to working with CloudFlare.