Browser Security Warnings

Submitted by Roy Wagner on October 23, 2020 - 2:44 pm

If you run into browser warnings, please update your bookmark from https:// to http://

What's going on?

CTHS had been using SSL for Free to obtain free 90-day domain-verified SSL certificates. When you buy an SSL certificate from a provider, it is often good for an entire year or more. A Domain Verified (DV) certificate generally costs about $100 per year. For about 15 minutes' work every 90 days, we effectively eliminated this cost, and it has worked fine since we started doing it in 2018, when Google launched the SSL scare.

About 9 months ago, SSL for Free was acquired by Zero SSL, and it initially worked the same way. By the time our second 90-day SSL certificate had elapsed, this policy had changed: after you issue 3 certificates for free per account, you need to pay for all future certificates. Zero SSL detects if you just create a new account and start over with a domain you have used before, so that is not an option.

Both SSL for Free and Zero SSL use free certificates from Let's Encrypt, so the next step was to try to get certificates straight from the horse's mouth, so to speak. Let's Encrypt prefers an SSH installation method that can be configured to do the 90-day updates automatically, so that would be nice. Unfortunately, this method does not run on all hosting platforms, including GoDaddy in our case.

Let's Encrypt also has a complicated manual installation method that will be explored this weekend. In the meantime, the http to https redirect has been removed. However, if you try to access the site via https from your own bookmark, you will get the bad SSL certificate security warning. Simply change your bookmark to http. When the SSL issue is resolved, the http to https redirect will be re-applied and your now-updated http link will forward to https automatically. Also, the embedded Ecwid store and PayPal checkout use https and are secure as is.

UPDATE - 10/24/2020: Another method of generating the free Let's Encrypt DV SSL certificates has been sourced and the site is now operating as usual under https. If you try to access via http, you will be automatically redirected to https.