@CookingWithGas every small web page I have ever set up, HTTP gets 301’d to HTTPS so you never ever have to worry about what you are describing; certificates are available from Let’s Encrypt for free if necessary, all you have to pay for is a domain and the hosting. Hosting should be like $5/month at most, don’t get ripped off.
Happy to help out regardless.
First step is to establish which hosting plan you have. I use Linux hosting, and this will be easiest, but I believe it’s possible to do it with any plan (though I might have to look up a few things).
The overall process is relatively straightforward. You request a cert from Let’s Encrypt, which requires putting a special file in a particular location on your server. This is to prove that you in particular are in control of the server. Once you have the cert, you use the CPanel tool to input the information. Then, every 90 days you’ll have to refresh things. You don’t need the “special file” step; just run the script and go into CPanel again. Takes about 5 minutes.
Looking around, there may actually be a way to automate this now (by scripting the CPanel step)… I’m going to look into this for my own sake if nothing else.
But first I need to know if you use Linux hosting or not since that alters the instructions. The tool I’m using is getssl, which needs Linux, but there are alternatives. Also, if you don’t have any special hosting plan, what local OS are you running (Windows or Mac)?
Ugh, GoDaddy sure likes making things confusing. I was hoping to tell you how to figure out which plan you have, but the names aren’t super obvious.
The question actually is this: if you go into your hosting dashboard, do you see a button on the upper right that says “cPanel Admin”? You’ll need that if anything else I say is going to be useful.
Ok, I have to laugh. I was playing around with a spare domain of mine to refresh myself on some of the details. Got it up and running again after changing the DNS.
And GoDaddy is doing the same damn thing to me! If I go to the http version of the site, it’s fine. If I use https, it gives me a security warning… and then redirects to “toplinguists dot com”, which is not my site, and looks to be some scammy garbage. Idiots.
I have Linux hosting with cPanel, so I do manage through cPanel Admin.
Now there’s a funny thing. If I explicitly type in http:// then my site resolves correctly. It’s only if I add the “s” that it has problems. I suspect Chrome may be inserting that for me for some reason.
Yep. That’s how it works. http is fine, but the browser tries https first. That fails since SSL isn’t set up, so they engage the redirect. But stupidly, they redirect to a completely random site!
Ok, good to hear about the Linux hosting. The first step is to get getssh installed. That’s the script that will interact with Let’s Encrypt and generate that special file to verify things.
The script is available here:
You need to use the “manual installation” since it’s a shared account and you aren’t allowed to install packages.
You can also start going through the “Getting Started” steps, but if you get stuck–or if you aren’t familiar with running command in Linux at all–let me know and I can step you through that.
Ok, actually scratch all that! Use acme.sh, not getssl. It actually has a deployment mechanism for cPanel, and I just verified that it works.
It’s just a short process now. First, run:
curl https://get.acme.sh | sh -s email=my@example.com
You’ll have to log out and in again after going this. Then, run:
acme.sh --issue -d mydomain.com -w /home/my/path/to/public_html
Finally, this will deploy it:
export DEPLOY_CPANEL_USER=my_cpanel_username
export DEPLOY_CPANEL_PASSWORD=my_cpanel_password
acme.sh --deploy -d mydomain.com --deploy-hook cpanel
Perform all the suitable replacements, of course.
This will use ZeroSSL, not Let’s Encrypt, but they’re both fine.
Let me know if these steps work and I can show you how to automate it.
Well dang, acme.sh actually sets up the crontab entry for you as well. So it should “just work” automatically. Now to port all my other domains to use this. It’s a much nicer tool than getssl; I wish I’d found it sooner!
Correction. This:
acme.sh --deploy -d mydomain.com --deploy-hook cpanel
Should be this:
acme.sh --deploy -d mydomain.com --deploy-hook cpanel_uapi
It’s actually a bug in their documentation. I figured out the problem, but when I wrote the post, I pasted the wrong version 
.
Thanks so much for all that. I have a SW development background and used to do some work on Unix so am comfortable with Linux but a little rusty. I’ll figure it out, and let you know if I get stuck.
Cool. This stuff is not that difficult, but I ran down so many dead ends with non-functional tools, out-of-date documentation, terrible configuration UIs, and just flat-out broken nonsense that I spent many hours figuring out how to get it running. I took a few notes on the process.
Allegedly my account is supposed to support some “AutoSSL” thing but it never worked, and all of their instructions are broken (like they refer to non-existent options). But getssl and now acme.sh do the trick.
Yes, Chrome does that. Here’s an article from last year:
How to Stop Chrome from Automatically Redirecting to https – Howchoo
–but it changes in every recent version of Chrome, and it’s different now from what it was then. Win7 users won’t see the same behaviour, because Chrome no longer updates on Win7.
To be clear, it only inserts https if I omit the protocol prefix. If I type out “http” then it uses that.
It’s been a couple of months and all my domains are working fine. They renew automatically even with the crappy GoDaddy shared hosting account. Highly recommend acme.sh+ZeroSSL with this configuration.