TLS encryption (HTTPS)
It is time for the Web to take a big step forward in terms of security and privacy. HTTPS needs to become the default.
We offer free TLS certificates to everyone, provided by Let’s Encrypt. HTTPS stands for HyperText Transfer Protocol over SSL and is the secure alternative to HTTP. Nowadays we usually talk about SSL’s successor: ‘TLS’, which is more secure and still maintained. TLS has 2 main features:
1. Authentication: You need to be able to trust that the server you are connecting to is authentic.
2. Encryption: The encryption TLS provides makes sure you and the server you are connected to are the only ones to know what you are communicating about.
You can turn on Let’s Encrypt TLS for your own domain by logging in as a webmaster in our Cosmos Service Center. Go to Hosting > TLS Settings and turn on TLS for your preferred (sub)domain.
1. Enable TLS
If your subdomains are configured correctly, go to Hosting > TLS Settings in the Cosmos Service Center. Select ‘TLS Enabled’ for the desired (sub)domain.
Next, open your website via https:// (for instance https://greenblog.nl) and check that it is working correctly. Check if you can see a green lock in the address bar: this shows you that the connection with your website is encrypted and secure.
If not everything is configured correctly, it is possible that you don’t see a lock at all, or that you see an orange lock or a lock with a warning triangle. This means that part of your website is not transferred via TLS. Images from an external source are not automatically sent through the TLS connection when there is ‘http://’ in the link to the image. It is possible that you don’t see a green lock because external images are sent over an insecure connection. Click on the icon to the left of the URL in the address bar to see which part of the website is not yet sent securely.
If you have a WordPress website and the green lock did not appear, please follow this manual (link) on how to adjust your WordPress website to make it suitable for TLS.
Is everything working fine? Then we can force the https connection.
2. Force TLS
Go back to the Cosmos Service Center, Hosting > TLS Settings and turn on ‘Force TLS’ for the (sub)domain you tested. All the visitors of your website will use the TLS connection automatically from now on.
Important: If you have a WordPress site, you should now edit your site settings in wp-admin to change the ‘WordPress address’ and the ‘Site address’ from ‘http://…’ to ‘https://…’
In this manual we describe how you can automatically change the links to the files of an existing WordPress website to relative (‘//’) links, so that you get a green lock in your address bar. We recommend the WordPress plugin Better Search Replace.
Follow these steps to change the links of all the documents on your website to work with https:
1. Make a backup of your database
2. Log into your WordPress website
3. Go to ‘Plugins’ and download the plugin ‘Better Search Replace’
4. Install and activate the plugin ‘Better Search Replace’
5. In the menu, click ‘Extra’, then click ‘Better Search Replace’
6. Fill in the following details:
search for: http:\/\/YOURDOMAIN.NL (for example ‘http:\/\/greenblog.nl’)
replace with: \/\/YOURDOMAIN.NL (for example ‘\/\/greenblog.nl’)
select all tables
check whether ‘Run as dry run?’ has been selected. If it is, the plugin will only give you an overview of the links that are going to be converted. If it is not selected, it will convert the links right away.
7. Visit the https:// version of your website (for instance https://greenblog.nl) and check if the website is still working correctly. Check if you see the green lock icon in the address bar. If so, this means that your connection with your website is authentic and encrypted.
8. In your WordPress website’s wp-admin, go to ‘Settings’ and change the WordPress address and Site address from ‘http://…’ to ‘https://…’, for instance from http://greenblog.nl to https://greenblog.nl.
9. Go back to the Cosmos Service Centre, Hosting > TLS settings and enable ‘Force TLS’ for the (sub)domain that your WordPress site runs on. All your visitors will now automatically connect through TLS when they visit your website.
Read all steps first so that you know what to do and you are always prepared for the next step.
Please note, the website will be offline for some minutes during this process.
Modifying the A record
1. Log in to the Cosmos Service Centre and select the domain on which you want to set up Let’s Encrypt TLS
2. Go to Hosting > DNS Records.
3. Look at the current TTL (Time To Live) value of the domain. This is the time in seconds that the record can be cached in the name servers of internet providers. If no value is entered, the default is 3600 (1 hour).
4. At the A record of the (sub)domain that we are modifying, edit the TTL to 60.
5. Before going to the next step, wait for the length of time that the TTL was set to at step 3.
Editing the IP address
1. Go to the Cosmos Service Centre again, select the particular domain
2. Go to Hosting > DNS Records
3. Make a note of the current IP address at the A record that we will modify and keep it.
4. Change the destination of the particular A record to the IP address of the hosting package. This IP address can be found above the DNS settings table.
Your website is now temporarily offline. Execute the following steps as soon as possible after the previous steps.
Enable TLS Let’s Encrypt
1. In the Cosmos Service Centre go to Hosting > TLS Settings.
2. Enable TLS for the desired (sub)domain by turning on the ‘TLS Enabled’ button.
3. Check that your website is online via an https:// connection
4. If your website is visible again, you can force TLS by clicking on ‘Force TLS’.
5. Check that your website is forcing TLS by entering the http:// address, which should then change immediately to https://
6. Send an email to support, from the email address that we know, with a request to cancel the SSL certificate at the first date possible.
If something goes wrong at step 2, 3 or 4 and the site is not available via https, change the A record back to the original IP address. Within a few minutes the old configuration should work again. Notify the helpdesk of the problem.