Introduction: Free SSL/TLS Certificates for Every Domain
This tutorial shows Drupal 8 website owners how to install Let’s Encrypt SSL/TLS certificates with cPanel on domains for HTTPS security and data packet encryption.
Let’s Encrypt SSL/TLS Certificates have the advantages of being free, able to be produced programmatically, & auto-installed for every domain name on cPanel web hosting plans.
When setting up Let’s Encrypt on a website, Drupal 8 administrators need to choose whether to allow HTTP connections or force all transfers to have HTTPS Encryption.
Step One: Activate the Let’s Encrypt Certificate in cPanel
To begin, navigate to cPanel on a Shared Linux web server & click on the “Let’s Encrypt” icon. Domains registered to the user are listed with menus for select actions.
Configuration: Activate the “Let’s Encrypt” certificate for the Drupal 8 domain if required & save the settings in cPanel. Then click the “Manage HTTPS Settings” link.
Note: It is possible to use either cPanel, the .htaccess file, or Drupal 8’s settings.php file to force HTTPS Encryption on all web pages & connections to the web server.
Leave this setting on or off depending on whether your website will permit both HTTP & HTTPS connections. Permitting both is the Drupal 8 default.
Click on “SSL Details” to view the Encoded Certificate, Private Key, & Intermediate Certificates (CA) information. Leave this as is unless required by another application.
Step Two: Edit the Base URL Value in settings.php
After activating the Let’s Encrypt certificate, test the installation on a Drupal 8 website by loading the homepage with an HTTPS URL. The website should display as normal with the URL listed in the web browser as secure.
Next: Log any errors & continue by signing in as the Drupal 8 administrator. If you decide to force all Drupal 8 pages to load by HTTPS (recommended), add the following code to your Drupal 8 website’s settings.php file:
// Use HTTPS for Drupal
$_SERVER['HTTPS'] = 'on';
$conf['https'] = TRUE;
// Replace example.com with your own domain
$base_url = 'https://example.com';
The settings.php file can be found in the /sites/default folder of the installation. Download it & edit the code in Notepad++ or a similar editor.
If you need HTTPS to load by default but still want to allow HTTP connections on demand:
$base_url = 'https://example.com';
Add the code above to the settings.php file. This will preserve the default Drupal 8 configuration, which is to allow both HTTPS & HTTP connections as required on CMS.
Combined with the cPanel settings for Let’s Encrypt, these configuration values will allow you to force HTTPS Encryption on all Drupal 8 web pages in production.
Step Three: Edit the .htaccess file to Force HTTPS on URLs
To add another level of security for your Drupal 8 website, use the Apache .htaccess file found in the root of the installation to force all page loads with HTTPS Encryption.
Locate the .htaccess file in the root folder or file directory, then uncomment the code:
RewriteEngine on
Additionally, these lines need to be added or uncommented:
# Redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Save the .htaccess file & upload it to the server. All of the web pages in the Drupal 8 site should now be loading under HTTPS URLs by default. Test the site & log any errors.
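A quick way to confirm that the Step Three directives are active rather than still commented out, before uploading the file. This is an added example, not part of the original tutorial or of Drupal; the function names and the two sample .htaccess texts are constructed for illustration.

```python
# Constructed sample: the Step Three block with the redirect lines still commented out.
SAMPLE_COMMENTED = """\
RewriteEngine on
# Redirect to HTTPS
# RewriteCond %{HTTPS} off
# RewriteCond %{HTTP:X-Forwarded-Proto} !https
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""
# Constructed sample: the same block with the directives uncommented.
SAMPLE_ACTIVE = SAMPLE_COMMENTED.replace("# Rewrite", "Rewrite")


def active_directives(text):
    """Return token lists for every non-blank, non-comment line."""
    lines = (line.strip() for line in text.splitlines())
    return [line.split() for line in lines if line and not line.startswith("#")]


def audit_https_redirect(text):
    """Return a list of problems; an empty list means the redirect is active."""
    directives = [[d[0].lower()] + d[1:] for d in active_directives(text)]
    problems = []
    if not any(d[0] == "rewriteengine" and [a.lower() for a in d[1:]] == ["on"]
               for d in directives):
        problems.append("RewriteEngine on is missing or commented out")
    # Compare only the test string and pattern, ignoring optional flags.
    conds = [[a.lower() for a in d[1:3]] for d in directives if d[0] == "rewritecond"]
    if ["%{https}", "off"] not in conds:
        problems.append("no active RewriteCond %{HTTPS} off")
    if ["%{http:x-forwarded-proto}", "!https"] not in conds:
        problems.append("no active RewriteCond on X-Forwarded-Proto")
    # A RewriteRule is: pattern, substitution, optional [flags].
    rules = [d[1:] for d in directives if d[0] == "rewriterule" and len(d) >= 3]
    https_rules = [r for r in rules if r[1].lower().startswith("https://")]
    if not https_rules:
        problems.append("no active RewriteRule redirecting to https://")
    else:
        rule = https_rules[0]
        flags = rule[2].strip("[]").upper().split(",") if len(rule) > 2 else []
        if "R=301" not in flags:
            problems.append("redirect rule is not flagged R=301 (permanent)")
    return problems


if __name__ == "__main__":
    for name, sample in (("commented", SAMPLE_COMMENTED), ("active", SAMPLE_ACTIVE)):
        print(name, audit_https_redirect(sample) or "OK")
```

To check a real file, pass its contents to audit_https_redirect() in place of the samples.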
Step Four: (Optional) Install the Secure Login Module
For an additional layer of security on Drupal 8 user logins, install the Secure Login module. This module enforces HTTPS encrypted connections on all Drupal 8 forms.
Required Files – Download:
- Secure Login: (module files)
Configuration: Download & install the files at admin/modules/install or use FTP, Git, Drush, etc. as required by the project. Navigate to admin/config/people/securelogin & set the default Secure Base URL for the website as well as enabling form protection.
Choose which forms to protect by guaranteed HTTPS Encryption on transfers & save the Secure Login module settings. Otherwise check “Submit all forms to secure URL.”
Conclusion: Use HTTPS on All Connections & Drupal Pages
Let’s Encrypt SSL/TLS Certificates are 100% free and can save hundreds of dollars per domain on more expensive plans. Let’s Encrypt certificates install automatically on cPanel. Drupal 8 webmasters can force HTTPS Encryption on all CMS connections.
Best practice is multi-layer HTTPS security with cPanel configuration using Let’s Encrypt, .htaccess edits, settings.php file, & the Secure Login module for Drupal 8. Some websites may need to permit both HTTP & HTTPS connections on scripts.