
Free SSL/TLS Certificates at DreamHost with Let’s Encrypt

Let's Encrypt
Written by Marcus Hildum

Let’s Encrypt is at the forefront of an Internet sea change. Firefox and Chromium are both proposing the deprecation of unencrypted HTTP, which means that any user of your website will see a warning unless you have a TLS certificate. HTTP/2 supports unencrypted connections, but as of yet, no one has implemented them. Then, of course, there is the looming Nation State Actor that happens to be maintaining surveillance over a large portion of online communication. Naturally, in November of 2014, when I heard about Let’s Encrypt trying to change the TLS certificate landscape, I was really excited, and I wanted DreamHost to be a part of this development.


We have a bit of a history here at DreamHost with trying to level the TLS playing field for customers. So an opportunity to bring that cost down to zero and have the certificates renew automagically was completely in line with our values. This isn’t just a technical win for customers, it’s a moral win for the Internet at large. We saw not only an opportunity to help customers offer their users a more secure experience, but also an opportunity for DreamHost to help increase TLS adoption on the Internet through a partnership with Let’s Encrypt.

Last year, at DefCon 23, I was embarrassed to see an article in DreamHost’s wiki used as an example of how TLS is still frustratingly difficult to set up. I personally talked to Yan after the talk was over to accelerate collaboration between DreamHost and Let’s Encrypt. After that, we started working on implementing the ACME protocol and tying it all together with our panel to make the process as seamless as possible for customers. Later last year at 32c3, DreamHost was mentioned again at a Let’s Encrypt panel, but this time as one of the partners they were working with, which was a welcome change to say the least. We’d like to thank the Let’s Encrypt team for their assistance in helping us integrate with their services; they’ve been fantastic to work with.

Let’s Encrypt is still in beta, thus our support for them is beta as well, so there may be a snag here or there, but if you find one, just let us know by contacting our support team! You can submit a ticket or request a callback or LiveChat, and our team will be happy to assist you. 

With that said, we’re excited to support Let’s Encrypt and by extension support the increased security of the Internet at large. We hope you’re excited too — log into your panel today and get a free TLS certificate.

Let’s Encrypt!

About the author

Marcus Hildum

Marcus Hildum is the Director of Security at DreamHost.

44 Comments

  • Asked someone at DreamHost how to get it implemented and they told me to get Really Simple SSL plugin. I activated it and it immediately started showing the ssl lock on my site. Perfect.

  • Everyone has needed this *so* badly. It’s actually amazing that it’s now here. So far it works like a charm, too!

  • All my sites are using incorrect certs, mismatch CN, self-signed cert (I chose let’s encrypt)….. It’s a total disaster….Do not turn it on now….

    DreamHost support is totally clueless….

  • Worked great for all of my domains/sites. Though I did somehow get a Comodo certificate show up (not billed for it, so I’m just noting a bug).

  • If you get browser warnings, it may be for the temporary self-signed certificate that DreamHost installs until the Letsencrypt certificate is ready. Click on the lock or equivalent in your browser address bar to see who issued the certificate. Also there seem to be problems getting Letsencrypt certificates for some domains, namely IDNs and *.dreamhosters.com. On the Secure Hosting panel page, if a domain has “Unknown” in the column “Expires on” this means that the Letsencrypt certificate isn’t ready. Letsencrypt certificates expire after 90 days (but I suppose are auto-renewed by DreamHost).

  • As a DH customer since 2006 I applaud loudly and vigorously. I applaud until my hands hurt and cheer until my throat is sore. This is such a Good Thing.

    PS: Just wanna add, FY to the NSA.

  • This is fantastic. Bravo, DreamHost! Did this yesterday for my domains that are hosted with you, worked like a charm. An hour after enabling / activating this, all sites are served beautifully over HTTPS. Couldn’t have been easier via the Control Panel.

    Sometimes it’s nice to receive an “Attaboy” for a job well done. Consider this an “Attaboy”! (Also kudos for the business side for rolling this out so quickly, I’ve already referred 2 other colleagues to DreamHost based on this.)

  • It works fine on my domains. It doesn’t seem possible to do this for the automatically provided webmail site for domains yet though. That would be great.

  • I set this up on my domain using Control Panel, and it only grabbed and installed a cert for the naked domain, mydomain.com, not the http://www.mydomain.com version. Had to set up redirects and change the domain on my WordPress installation to point to the naked domain. Still, if someone directly goes to https://www.mydomain.com, it throws a security alert. Don’t know why they wouldn’t register and install two certs for the naked domain and www.

    Please fix this, DreamHost!
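The comments above describe three things worth checking after enabling a certificate: who issued it (the temporary self-signed certificate versus Let's Encrypt), whether it covers both the bare domain and the www name, and how long remains of the 90-day lifetime. The following is an added example, not DreamHost or Let's Encrypt code; the sample certificates, issuer strings and the `audit` helper are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# Names, issuer strings and dates are illustrative, not taken from a live site.
LE_CERT = {
    "subject": ((("commonName", "mydomain.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X1"),)),
    "subjectAltName": (("DNS", "mydomain.com"),),
    "notAfter": "May 27 18:54:00 2016 GMT",
}
TEMP_SELF_SIGNED = {
    "subject": ((("commonName", "mydomain.com"),),),
    "issuer": ((("commonName", "mydomain.com"),),),
    "notAfter": "Feb 27 18:54:00 2017 GMT",
}

def flatten_name(rdns):
    """Turn getpeercert()'s nested RDN tuples into a flat dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def san_covers(pattern, host):
    """Match one SAN dNSName; '*' may stand in for the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def audit(cert, hostnames, now, warn_days=30):
    """Report issuer, self-signed status, uncovered names and days to expiry."""
    subject, issuer = flatten_name(cert["subject"]), flatten_name(cert["issuer"])
    # Current browsers match hostnames against SAN entries, not the subject CN.
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        # Heuristic: identical subject and issuer names (signature not verified).
        "self_signed": subject == issuer,
        "uncovered": [h for h in hostnames
                      if not any(san_covers(s, h) for s in sans)],
        "days_left": days_left,
        "renew_soon": days_left < warn_days,
    }

if __name__ == "__main__":
    now = datetime(2016, 2, 27, 18, 54, tzinfo=timezone.utc)
    for cert in (LE_CERT, TEMP_SELF_SIGNED):
        print(audit(cert, ["mydomain.com", "www.mydomain.com"], now))
```

With a verifying context, `ssl.SSLSocket.getpeercert()` returns this dict for a live connection; a self-signed certificate fails that handshake before any dict is returned.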

  • Great stuff, but it was a bit strange to see that it didn’t work for one out of five of my dreamhost domains. After several days, customer service mentioned that a website should be fully hosted for a Let’s Encrypt certificate to work.

    That would be nice to warn about in the panel – why allow users to choose a configuration that is known to not work?

  • Worked excellently, and this is fully hosted on shared hosting. Used the Really Simple SSL plugin mentioned above ( which I agree DreamHost should mention in documentation ); was logged out and so relogged to the new https; checked the General Settings to make sure the two urls were https, since some have problems with images post-SSL; but everything was fine ( one plugin wp-widget cache stopped working, so I just deactivated it ): and it was done. It took less time with clicking at DreamHost and activating the Really Simple plugin than writing this post.

    This is very generous and decent of DreamHost. So many thanks.

    PS: I agree never to mix good old www with non-www: I would never run a non-www site anyway.

    • What? Why would you never run a non-www site? It seems ridiculous these days, to force users to type www. when it isn’t necessary in 99% of cases. I also can’t stand people who still say “Go to me website at http://www.abcdef.com.” Why bother?

      • Here’s a little test: enter google.com in your browser’s address bar and press Enter. Wait till the page loads and look at the URL in the address bar. I think Google might be onto something. 😉
        There really is nothing wrong having http://www.example.tld as the primary domain name. You can use a 301 redirect (without negative SEO impact) so users can get to your website using the bare domain name. For best results, be consistent with internal links–preferably use only relative links to ease any future transitions between www and non-www.
        I know at one point we were using the bare domain and we had to change because of a service (Google Pagespeed?) we wanted to use.
        The point is the choice is largely stylistic, and you can still allow users to access your site with the non-www form of a domain.
        By the way, how many of your visitors get to your site by manually entering the domain/URL vs clicking links in search results or social media? Something to ponder…

  • Just got my first certificate:
    This certificate will expire on 2016-05-27 18:54:00

    Does this mean I have to start paying for this in three months time?
    Your newsletter and blog never mentioned that!

  • I think the certs automatically renew since he mentioned automated cert generation. Just keep an eye and if the cert expires, there should be a renewal option somewhere.

  • After the 3 month renewal Firefox gives:

    “This website does not supply ownership information.”

    You have to add a security exception to connect, which doesn’t look good so I’m not sure this is a good idea.

  • Does each fully hosted subdomain need a separate free SSL/TLS Certificate, or will the main domain’s free SSL/TLS Certificate suffice ..?

  • Let’s Encrypt is not recognized by Google. You get what you pay for. Rather than fuss around with it, I disabled it and got a proper certificate. Problem fixed instantly. Let’s Encrypt might be OK for sites that don’t rely on top notch SSL certificate or for people who want to waste time with half-baked solutions, but it’s not adequate for a serious business site who wants a simple solution that works without fail.