All sites can have an SSL certificate generated for them. The solution leverages the Let's Encrypt project, which is an open source Certificate Authority that provides free certificates. The solution does require that you have a domain pointed at your site successfully. For more information, see Go Live, Publish, and Set Up Your Domain.
Do I need HTTPS?
Using a secure connection ensures prevents data from being modified or corrupted during transfer. With a secure site, visitors can trust your site is displaying the content that you intended.
In addition, using a secure HTTPS connection is a minor ranking indicator, benefiting your site's overall SEO.
Once your site is published and configured with a custom domain, to set up SSL:
- In the left panel, click SEO & Settings, and then click the Site SSL tab.
- Click Generate certificate to create an SSL certificate.
The process, which includes provisioning the request to Let’s Encrypt and configuring the newly generated SSL certificate, is fully automated and may take up to an hour. During the provisioning process, an “In progress” status indicates that the request is being handled. Once completed, the provisioning status is changed to “Complete”, and an approval email is sent to the account owner.
- To ensure your site is always accessed through SSL, click the Force visitors to use secure connection (HTTPS) toggle. Any visitor will be redirected to the secure connection once this is enabled.
- Republish your site.
An SSL certificate is never deleted unless you click Remove certificate.
Recreate SSL Certificate
To recreate your SSL Certificate you need to remove the old one and generate a new one.
There can be multiple reasons you might need to recreate your SSL certificate. For example, if you have previously set up your domain using a method involving using a CNAME and 301 Redirect and have changed your DNS settings to reflect a CNAME and two A Records, you will need to recreate your SSL Certificate.
Or, depending on how the DNS records propagated at the moment you were generating your initial SSL certificate, the SSL certificate might have been only generated for www.domain.com and not domain.com in addition. This causes the site to only be secure on https://www.domain.com and not on https://domain.com. In this case you will also have to recreate your SSL certificate.
To recreate the SSL certificate:
- In the left panel, click SEO & Settings, and then click the Site SSL tab.
- Click Remove certificate.
- Click Generate certificate.
The process of regenerating a SSL certificate is fully automated and may take up to an hour. During the process, an “In progress” status indicates that the request is being handled. Once completed, the status is changed to “Complete”, and an approval email is sent to the account owner.
Details About Secure Connections
- You will need to recreate your SSL certificate if you switched your DNS settings from using the CNAME and 301 Redirect method to the CNAME and two A Record method.
- Certificates for sites are valid for three months. Two weeks prior to the end of the certificate, the site will renew the certificate to ensure that the site remains secure and valid.
- Once your site has been set up with a certificate you will see a small lock icon in your Dashboard to indicate that the site is a secure site.
- Website Builder uses HSTS Policy (HTTP Strict Transport Security). This feature helps protect against protocol downgrade attacks and cookie hi-jacking.
- The site's secure connection uses the DV (Domain Validated) certificate.
- Our SSL implementation is not compatible with any version of Internet Explorer on Windows XP (but will work on Chrome or Firefox).
- Not compatible with Android 2.3 and earlier.
- We've added logic to the platform that makes sure we don't redirect traffic to HTTPS for these devices. If a user on an incompatible browser attempts to load the HTTPS version of the site, a security error/warning will appear. However, if the user visits the HTTP version of the site, the site will simply not load the HTTPS version.
- Currently, our SSL solution does not support internationalized domain names (names with non-Latin characters, i.e www.bücher.de)
Using Custom or Third Party Code in SSL Sites
Due to HTML standards, HTTP or non-secured content cannot be displayed in HTTPS or secure sites. This means that any custom code which relies on loading content from an HTTP server will not work in an SSL Site. If you need to use code which normally loads from an HTTP server, we recommend either:
- Requesting HTTPS-friendly code from your code provider
- Disabling HTTPS for your Responsive Site
As our editor displays by default on an HTTPS connection, one good way to test whether or not code will work in the final site is to see if it works in the editor. If it does not, it is equally unlikely to work in a live HTTPS site.