
How We Automate Let's Encrypt SSL for Every Site

Free SSL, renewed automatically before it expires. Here's how our certificate lifecycle works and why you'll never see a 'certificate expired' warning on our platform.

SSL certificates used to cost money and require manual renewal every year or two. Let's Encrypt changed that in 2016 by providing free, automated certificates. Most hosts now offer it. How it's implemented, however, varies significantly.

Here's exactly how we handle SSL and why the automation matters.

What Let's Encrypt Is

Let's Encrypt is a certificate authority run by the Internet Security Research Group. It issues domain-validated SSL certificates at no cost, valid for 90 days, using the ACME protocol for automated issuance and renewal.

The 90-day validity is intentional — it forces automation. Any host that automates properly should renew certificates long before expiry. Any host that doesn't automate will eventually have customers with expired certificates.

How Our Renewal Works

We renew certificates at 60 days — 30 days before expiry. This gives us a 30-day window where if the renewal fails for any reason (DNS propagation delay, rate limit, network issue), we have time to retry and fix it without your site going down.

The renewal process:

  1. Our certificate manager checks all active certificates daily
  2. Any certificate within 30 days of expiry triggers a renewal request
  3. The ACME challenge is placed at /.well-known/acme-challenge/ on your site
  4. Let's Encrypt verifies the challenge and issues a new certificate
  5. nginx is reloaded with the new certificate — zero downtime
  6. The old certificate is archived
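Steps 1 and 2 can also be checked from outside the platform. The sketch below is an added example, not our certificate manager's code: it classifies certificates against the 30-day renewal window described above. The 14-day alert threshold, the function names and the sample inventory are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # from the article: renew within 30 days of expiry
ALERT_WINDOW_DAYS = 14  # assumption: renewal is overdue, a human should look

def days_remaining(cert, now):
    """Whole days until notAfter, for a dict shaped like SSLSocket.getpeercert()."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days  # floors, so any time past expiry is negative

def classify(cert, now):
    """Map a certificate to ok / renew / alert / expired."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    if left < ALERT_WINDOW_DAYS:
        return "alert"   # renewal should have succeeded long ago
    if left <= RENEW_WINDOW_DAYS:
        return "renew"   # inside the normal renewal window
    return "ok"

def daily_check(inventory, now):
    """Step 1: walk every active certificate once and record its state."""
    return {name: classify(cert, now) for name, cert in inventory.items()}

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live server presents (needs network access).
    The default context verifies the chain, so an already expired
    certificate raises ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data: four certificates seen on 1 June 2025, 12:00 UTC.
SAMPLE_NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "fresh.example": {"notAfter": "Aug 30 12:00:00 2025 GMT"},  # 90 days left
    "due.example":   {"notAfter": "Jun 30 12:00:00 2025 GMT"},  # 29 days left
    "stuck.example": {"notAfter": "Jun  8 12:00:00 2025 GMT"},  # 7 days left
    "dead.example":  {"notAfter": "May 30 12:00:00 2025 GMT"},  # expired
}

if __name__ == "__main__":
    for name, state in daily_check(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{name}: {state}")
```

To check a live site, pass the result of fetch_cert("your-domain") to classify() together with datetime.now(timezone.utc).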

What You Need to Do

Nothing. The renewal is fully automated. You don't need to configure anything, click anything, or monitor anything.

If a renewal fails (which is rare), our monitoring alerts us and we investigate before the certificate expires.

HTTPS by Default

Every site we provision gets HTTPS from day one. We configure nginx to redirect all HTTP traffic to HTTPS automatically. There's no opt-in step, no "click to enable SSL" button.

HTTP Strict Transport Security (HSTS) headers are sent on all HTTPS responses, telling browsers to remember that your domain always uses HTTPS. This protects against downgrade attacks.

Mixed Content: The One Thing You Might Need to Fix

If your WordPress site loads resources (images, scripts, stylesheets) over http:// rather than https://, browsers will block them even if your site itself is on HTTPS. This is called mixed content.

The fix is to update your WordPress Address and Site Address to https:// in Settings → General, then run a search-and-replace on your database to update any hardcoded http:// URLs. We cover this in our migration guide.

Wildcard Certificates

We provision individual domain certificates, not wildcards. Each domain and subdomain you add gets its own certificate. This is standard practice for Let's Encrypt on shared hosting.
