TLS encryption (HTTPS)
We offer free TLS certificates to everyone, provided by Let's Encrypt. HTTPS stands for Hyper Text Transfer Protocol over SSL and is the secure alternative to HTTP. Nowadays we usually talk about SSL's successor: 'TLS', which is more secure and still maintained. TLS has 2 main features:
Authentication: You need to be able to trust that the server you are connecting to is authentic.
Encryption: The encryption TLS provides makes sure you and the server you are connected to are the only ones to know what you are communicating about.
You can turn on Let's Encrypt TLS for your own domain by logging in as a webmaster in our Cosmos Service Centre. Go to Hosting > TLS Settings and turn on TLS for your preferred (sub)domain.
- Enabling TLS for an existing website
- WordPress website compatibility
- From GlobalSign SSL to Let's Encrypt
- HSTS Strict Transport Security
Enabling TLS for an existing website
Via the Cosmos Service Centre you can easily turn on Let's Encrypt TLS certificates for several (sub)domains.
If your subdomains are configured correctly, go to Hosting > TLS Settings in the Cosmos Service Centre. Select 'TLS Enabled' for the desired (sub)domain.
Next, visit your website via https:// (for instance https://greenblog.nl) and check that it is working correctly. Check if you can see a green lock in the address bar: this shows you that the connection with your website is encrypted and secure.
If not everything is configured correctly, you may see no lock at all, an orange lock, or a lock with a warning triangle. This means that part of your website is not transferred via TLS. Images from an external source are not sent over the TLS connection when the link to the image starts with 'http://', so the green lock may be missing because external images are loaded over an insecure connection. Click on the icon to the left of the URL in the address bar to see which part of the website is not yet sent securely.
If you have a WordPress website and the green lock did not appear, please follow this manual (link) on how to adjust your WordPress website to make it suitable for TLS.
Is everything working fine? Then we can force the https connection.
After thoroughly testing your website with TLS enabled, go back to the Cosmos Service Centre, Hosting > TLS Settings and turn on 'Force TLS' for the (sub)domain you tested. All the visitors of your website will use the TLS connection automatically from now on.
Important: If you have a WordPress site, you should now edit your site settings in wp-admin to change the 'WordPress address' and the 'Site address' from 'http://…' to 'https://…'
WordPress website compatibility
In this manual we describe how you can automatically change the links to the files of an existing WordPress website to relative ('//') links, so that you get a green lock in your address bar. We recommend the WordPress plug-in Better Search Replace.
Follow these steps to change the links of all the documents on your website to work with https:
Log into your WordPress website
Go to 'Plugins' and download the plug-in 'Better Search Replace'
Install and activate the plug-in 'Better Search Replace'
In the menu, click 'Extra', then click 'Better Search Replace'
- Fill in the following details:
- search for:
- replace with:
- select all tables
- select case-sensitive
- check if 'Run as dry run?' has been selected.
- In case it is, it will only give you an overview of the links that are going to be converted.
- In case it's not selected it will convert the links right away.
Visit the https:// version of your website (for instance https://greenblog.nl) and check that the website is still working correctly. Check if you see the green lock icon in the address bar. If so, your connection with your website is authentic and encrypted.
In your WordPress website's wp-admin, go to 'Settings' and change the WordPress address and Site address from 'http://…' to 'https://…', for instance from http://greenblog.nl to https://greenblog.nl.
- Go back to the Cosmos Service Centre, Hosting > TLS Settings and enable 'Force TLS' for the (sub)domain that your WordPress site runs on. All your visitors will now automatically connect through TLS when they visit your website.
From GlobalSign SSL to Let's Encrypt
Below are the steps you need to take to change from an SSL certificate to a TLS certificate of Let's Encrypt.
Read all steps first so that you know what to do and you are always prepared for the next step. Please note, the website will be offline for some minutes during this process.
Modifying the A record
- Log in to the Cosmos Service Centre and select the domain on which you want to set up Let's Encrypt TLS.
- Go to Hosting > DNS Records.
- Look at the current TTL (Time To Live) value of the domain, this is the time duration in seconds that the record can be cached in name servers of internet providers. If no value is entered, the default is 3600 (1 hour).
- At the A record of the (sub)domain that we are modifying, edit the TTL to 60.
- Before going to the next step, wait for the length of the TTL that you saw in step 3, so that name servers have dropped the old cached record.
Editing the IP address
- Go to the Cosmos Service Centre again, select the particular domain
- Go to Hosting > DNS Records
- Make a note of the current IP address at the A record that we will modify and keep it.
- Change the destination of the particular A record to the IP address of the hosting package. This IP address can be found above the DNS settings table. Your website is now temporarily offline. Execute the following steps as soon as possible after the previous steps.
Enable TLS Let's Encrypt
- In the Cosmos Service Centre go to Hosting > TLS Settings.
- Enable TLS for the desired (sub)domain by turning on the 'TLS Enabled' button.
- Check that your website is online via an https:// connection
- If your website is visible again, you can force TLS by clicking on 'Force TLS'.
- Check that your website is forcing TLS by entering the http:// address, which should then change immediately to https://
- Send an email to support, from the email address that we know, with a request to cancel the SSL certificate at the first possible date.
If something goes wrong at step 2, 3 or 4 and the site is not available (via https), change the A record back to the original IP address. Within a few minutes the old configuration should work again. Notify the helpdesk of the problem.
HSTS Strict Transport Security
HTTP Strict Transport Security (HSTS) is a way for web servers to tell your browser that the website you are visiting will always have TLS enabled, and that if in the future TLS is not enabled, it should not connect to the web server. It is important to note that TLS does two things. One of those is to protect the connection with a layer of encryption. The other less commonly known feature of TLS is that it checks the validity of the server you are connecting to. In other words, it protects you from connecting to a fraudulent server.
With HSTS enabled, after you visit a website for the first time, the browser will remember that the website will support TLS for at least the next 6 months. Note that this means that you need to keep TLS enabled for at least 6 months after you disable HSTS. Please test that all the features of your website work well with TLS enabled, before you enable HSTS.
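To make the "keep TLS enabled after you disable HSTS" rule concrete, here is an added example, not part of the original manual. It parses a Strict-Transport-Security header value and computes until when a browser that last saw it will refuse plain HTTP. The header value max-age=15768000 (about six months) and the dates are constructed; the page does not show the exact header that is sent.

```python
import re
from datetime import datetime, timedelta, timezone

def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains), or None if browsers would ignore it."""
    max_age, include_sub, seen = None, False, set()
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in seen:                 # a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')   # the value may be a quoted string
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    # max-age is mandatory; without it no policy is stored.
    return None if max_age is None else (max_age, include_sub)

def tls_required_until(header_value, last_served):
    """Latest moment a browser that saw the header at `last_served` still insists on TLS."""
    policy = parse_hsts(header_value)
    if policy is None or policy[0] == 0:
        return last_served               # max-age=0 removes a stored policy
    return last_served + timedelta(seconds=policy[0])

if __name__ == "__main__":
    # Constructed scenario: HSTS is switched off on 10 January 2024, so that is
    # the last day a visitor can have received the header.
    disabled_on = datetime(2024, 1, 10, tzinfo=timezone.utc)
    sample_header = "max-age=15768000"   # constructed value, about six months
    print("Keep TLS enabled until:", tls_required_until(sample_header, disabled_on))
```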