Reliable sources for cheap SSL certificates?
February 18, 2025 2:51 AM
I need to purchase SSL certificates for websites that I manage. My hosting provider supplies these but they are expensive (€30+). I see basic ones available through other sources for about €5. Does anyone have recommendations for reliable and inexpensive sellers? (If there is a good reason why I should stick with my provider, do let me know as I am somewhat new to this.)
Seconding letsencrypt, been using them for years and can't remember an issue.
posted by deadwax at 3:29 AM on February 18 [3 favorites]
Thirding LetsEncrypt. I use it on several sites and it works well.
posted by gemmy at 3:56 AM on February 18 [3 favorites]
LetsEncrypt is good/pretty standard, but you'll need to be able to handle automated certificate renewal. Assuming you can handle that, that's ideal. If you're new at this: hopefully it's a service your provider offers.
If not, you get an SSL certificate under the CloudFlare free plan. Setting up CloudFlare is pretty straightforward (minutes, not hours).
posted by Hartster at 4:27 AM on February 18
Response by poster: I should have specified that my provider supports LetsEncrypt but they have to be manually updated every three months, which is not feasible. I would much prefer a solution that I can put in place and forget about except when it comes to paying for renewal.
posted by Grinder at 4:40 AM on February 18
Hi Grinder; would you know why the certificates would need to be manually updated every three months? LetsEncrypt is perfectly happy to do the renewals itself normally, via the 'certbot' systemd timer.
If there's some reason you can't configure that on your servers, then the same restriction might apply to any other CA.
posted by vincebowdren at 4:56 AM on February 18 [2 favorites]
If your hosting provider does not mesh with LetsEncrypt automation, it is time to go to one that does. There are plenty. Do you have any specific server needs?
posted by nickggully at 7:27 AM on February 18 [3 favorites]
I park all of the websites I manage behind the Cloudflare Free Tier. I can then either toss the Cloudflare provided cert on the actual hosting provider or just use a self-signed cert (Cloudflare will work with an expired one if needed.)
Cloudflare will take care of the SSL certificates, DDOS protection, caching for speed improvements, etc, etc. Cloudflare lets me get away with using the lowest performance tier that my hosting provider offers since I can rely on their content distribution network to make things faster from the end user's perspective.
That said, if the hosting provider does not mesh well with lets encrypt, I'd be inclined to find one that does. It is rather standard nowadays. Even then, I'm still parking my site behind Cloudflare.
posted by SegFaultCoreDump at 7:31 AM on February 18
Another vote for LetsEncrypt, many web hosts will offer it for free.
Surprised to hear so many people recommending Cloudflare
posted by Lanark at 10:23 AM on February 18
ACME.SH is an unprivileged shell script equivalent to dehydrated/certbot. It can be used to auto-renew Let's Encrypt certs in a hosting environment where you don't have direct access to the overall webserver config or host root access. You need only Unix shell access to your account's directory tree (including your web root). If you can run recurring shell-script jobs, just set acme.sh to run and you are good-to-go.
ACME.SH can interface with multiple Acme-protocol free-cert providers; please note that ACME.SH's preset default is ZeroSSL and you must explicitly config ACME.SH to generate/renew certs from the original Let's Encrypt Acme service.
Here is one of many howto guides. Here is the ZeroSSL-default announcement. I'm not aware of any negatives surrounding using ZeroSSL Acme certs over Let's Encrypt Acme certs, I merely want you to not be surprised (as I was).
posted by zaixfeep at 11:41 AM on February 18
Here's an ad-hoc example of a Linux bash script to check your site's (eg mywebhost.example) cert expiration. MeFi post formatting swallows less-than signs, so replace '#' in the code below with the less-than sign:
readarray -t cert # #( openssl s_client -connect mywebhost.example:443 2>/dev/null ### "" )
printf "%s\n" "${cert[@]}" | openssl x509 -noout -dates -subject
printf "%s\n" "${cert[@]}" | openssl x509 -noout -text | grep -e DNS:
posted by zaixfeep at 11:52 AM on February 18
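An added example, not part of the thread or any poster's code: the same openssl expiry check extended to classify a certificate as OK, due for renewal, or expired, so a scheduled job can flag a renewal that silently stopped working. The function names and the 30-day default warning window are assumptions, and the date parsing relies on GNU date.

```bash
#!/usr/bin/env bash
# Added example: classify a certificate by the time left before it expires.
# Function names and the 30-day default window are illustrative assumptions.

# Print the "notAfter=..." line of a live host's leaf certificate (needs network).
fetch_not_after() {   # usage: fetch_not_after host [port]
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate
}

# Seconds between now_epoch (default: current time) and the notAfter date.
secs_left() {         # usage: secs_left "notAfter=May 19 12:00:00 2025 GMT" [now_epoch]
  local end_epoch now_epoch
  # Reject empty input: GNU date would otherwise read "" as midnight today.
  case "$1" in notAfter=?*) ;; *) return 2 ;; esac
  end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 2
  now_epoch=${2:-$(date -u +%s)}
  echo $(( end_epoch - now_epoch ))
}

# Echo OK, RENEW (inside the warning window), EXPIRED, or UNKNOWN (no usable date).
cert_status() {       # usage: cert_status "notAfter=..." warn_days [now_epoch]
  local left
  left=$(secs_left "$1" "${3:-}" 2>/dev/null) || { echo UNKNOWN; return 0; }
  if [ "$left" -le 0 ]; then echo EXPIRED
  elif [ "$left" -le $(( $2 * 86400 )) ]; then echo RENEW
  else echo OK
  fi
}

# Cron-friendly entry point: exits non-zero unless the certificate is OK.
check_host() {        # usage: check_host host [warn_days]
  local status
  status=$(cert_status "$(fetch_not_after "$1")" "${2:-30}")
  echo "$1: $status"
  [ "$status" = OK ]
}

# Run only when a host is given on the command line.
if [ $# -gt 0 ]; then check_host "$@"; fi
```

A failed connection yields UNKNOWN rather than OK, so an unreachable site also makes the job exit non-zero.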
Setting up acme is worthwhile if you are already on a quarterly renewal schedule. SSL certs used to ‘last’ multiple years but the push is to shorten their renewal period now and make sure the renewal is more secure because a hijacked cert is such a disaster. Let’s encrypt is reliable, but if you have to use a paid provider, globalsign and digicert are boringly solid and reasonable.
posted by dorothyisunderwood at 1:44 PM on February 18
posted by vincebowdren at 3:11 AM on February 18 [16 favorites]